VIRUS-W32/Kaxela.A Worm


W32/Kaxela.A Worm
Information about the W32/Kaxela.A Worm:

W32/Kaxela.A is a worm that infects Windows systems.

Upon execution, the worm copies itself as (Random Name).exe and (Random Name).dll in the Windows System folder.

It also copies itself as auto.exe to all local and removable drives.

It creates an autorun.inf file on the local and removable drives so that the worm executes whenever a drive is accessed.
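
A triage check for the drive behaviour described above, added here as an example and not part of the original advisory. It assumes the dropped autorun.inf launches auto.exe through one of the standard AutoRun keys (the advisory does not show the file's contents); the function names are illustrative.

```python
import ntpath
import os
import re
import sys

# File names come from the advisory; that autorun.inf names auto.exe is an assumption.
DROPPED_EXE = "auto.exe"
AUTORUN_INF = "autorun.inf"
# Standard AutoRun keys that start a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^\s*(?:open|shellexecute|shell\\[^=]+\\command)\s*=\s*(\S.*)$", re.I)


def autorun_targets(text):
    """Return lower-cased executable names launched by an autorun.inf body."""
    targets = set()
    for line in text.splitlines():
        match = LAUNCH_KEY.match(line)
        if not match:
            continue
        value = match.group(1)
        # Take the quoted program path, or the first whitespace-separated token.
        program = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
        targets.add(ntpath.basename(program).lower())
    return targets


def read_text(path):
    """Decode an autorun.inf that is UTF-16 with a BOM or a single-byte code page."""
    with open(path, "rb") as handle:
        raw = handle.read()
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return raw.decode(encoding, errors="replace")


def check_drive_root(root):
    """Classify a drive root as 'match', 'review' or 'clean'."""
    # Compare names case-insensitively so images mounted on case-sensitive hosts work.
    names = {name.lower(): name for name in os.listdir(root)}
    has_exe = DROPPED_EXE in names
    inf_path = os.path.join(root, names.get(AUTORUN_INF, AUTORUN_INF))
    # Only a regular file can be parsed; a directory of that name is ignored.
    launches = os.path.isfile(inf_path) and DROPPED_EXE in autorun_targets(read_text(inf_path))
    if has_exe and launches:
        return "match"
    return "review" if has_exe or launches else "clean"

if __name__ == "__main__":
    # Drive roots or mounted image paths are supplied by the operator as arguments.
    for drive in sys.argv[1:]:
        print(drive, check_drive_root(drive))
```

A "review" result means only one of the two artefacts is present, for example after a partial cleanup; an autorun.inf that launches some other program is reported as "clean".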

The worm modifies the registry at the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\"ReportBootOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\[RANDOM CHARACTERS]

The worm deletes the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc

Then the worm downloads a configuration file from:

http://dd.9cdn.com/e//update.txt

This file contains the following information:

A URL to which the Internet Explorer home page is changed
A URL that allows the worm to update itself
A URL that allows the worm to download a potentially malicious file onto the compromised computer

The worm also contacts the following URLs:

http://alexa.verynx.cn//alexa.txt
http://211.100.21.4/info[Blocked]
http://211.100.21.4/info[Blocked]

This worm first appeared on September 21, 2007.
