Aliases: TrojanDropper.Win32.Kifer
Variants: W32.Kifer.B

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 10 Feb 2004
Damage: Low

Characteristics: The trojan horse W32.Kifer infects all versions of Windows. It drops BAT.Snoital@mm and attempts to delete antivirus software from a targeted computer. It also spreads through MAPI-enabled email clients like Microsoft Outlook, and IRC. The email characteristics include Subject: Symantec Security Alert and Attachment: Symantec_W32_Cure.bat. Its damage level is low.

More details about W32.Kifer

Once the W32.Kifer virus is executed, it deletes certain files related to security found in C:\Program Files. It also creates a batch file in different locations. The filenames of the batch files vary and have different characters (e.g. porn.bat, 5111.bat, masbl.bat, etc.). It also creates script files that include kazzad.vbs, nwboy.vbs, szlhm.vbs, etc. Then, it sends an email that includes: “Subject: Symantec Security Alert”, “Body: Symantec has revently discovered a cure for the very destructive worm W32/Mydoom@MM. This worm installs a backdoor on the system allowing attackers to gain remote access to the system.This trojan horse adds certain values to the registry keys. Lastly, it modifies the mIRC script file, script.ini, and the pirch98 file, events.ini.

The W32.Kifer program downloads and executes adware and other malware in the victim computer without getting the user’s consent. It could possibly display advertisements on the desktop. The Trojan may use a filename that is very close to that of a valid Windows process to trick the user that it is a legal file. The Trojan may pretend to be a legal svchost.exe file to run itself every time the Windows operating system starts. The svchost.exe is the generic process file for Win32 services. It is an important component of the Windows operating system. It manages services running from Microsoft DLLs.