KilOnce is a network worm that closely resembles the Nimda e-mail and
network worm, but unlike Nimda it does not spread through e-mail.
The worm got media attention in China at the end of November 2002,
but at the time this description was written F-Secure's virus lab had
not received a single sample of the worm from the field.
It should be noted that the worm contains many bugs, which limit its
ability to infect computers and to activate its payload.
When the worm's file is run, it first tries to create an EML file in
a temporary folder containing its own body, MIME-encoded as an
attachment named Explorer.exe, together with the IFrame exploit that
causes the attachment to be launched automatically on some systems.
Because of a bug, however, the EML file is never created.
The worm then checks the name of the file it was started from. If it
was not started from a file named KILLONCE.EXE, it creates a file
with that name, copies itself there and runs that copy.
If the worm's file is started with the -U command line option, it
removes its startup keys from the Registry and exits. However, bugs
in the worm may prevent this from working.
If started with the -D command line option, the worm creates a
RICHED20.DLL file in the current folder and copies itself there.
The worm installs itself by copying its file to the Windows folder
and to the Recycled folder as KILLONCE.EXE and adding a startup
string to the Run key in the Registry:
%windir% represents the Windows directory. The worm also modifies
the default startup key for EXE files so that its copy is run before
any executable file:
Note that if the worm's file is deleted before this key is restored,
Windows will no longer be able to start any EXE file, so the key
must be restored first when disinfecting.
The worm constantly scans the user's personal folders for *.DOC
files, but when it finds them it does nothing except increment an
internal counter.
The worm constantly tries to spread over the network. It enumerates
all shared resources and, if it finds a \Windows\RunDll32.exe file
on a share, renames it to \Windows\Run32.Exe and copies itself in
place of the remote RunDll32.exe. As RunDll32.exe is used at least
once per Windows session, the remote computer becomes infected.
The worm scans remote drives for files with certain extensions.
When it finds HTM files, it copies itself as SHDOCVW.DLL into the
same folder; when it finds DOC files, it copies itself as
RICHED20.DLL into the same folder. EML files that were not created
by the worm are deleted. The worm creates EML and NWS files of its
own containing its MIME-encoded attachment and the IFrame exploit.
It also renames REGEDIT.EXE to REGEDIT.SYS and then copies itself as
REGEDIT.EXE to the remote computer.
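The file-system traces described above (the renamed RunDll32.exe and REGEDIT.EXE, the KILLONCE.EXE copies, and the DLLs planted beside HTM and DOC files) can be checked on a mounted share with a small scanner. The following is an added example written for this description, not F-Secure's detection code: the indicator file names are taken from the text, the directory layout it builds in a temporary folder is constructed for the demonstration, and the rule that a RICHED20.DLL or SHDOCVW.DLL is only suspicious when it sits in the same folder as a DOC or HTM file is an assumption made here to avoid flagging legitimate system copies.

```python
"""
Scanner for the file-system traces KilOnce leaves on a share or drive.
Added illustration, not F-Secure's detection code. File names come from
the description; the demo layout below is constructed for illustration.
"""
import os
import shutil
import tempfile

# Name the worm uses for its own copies (Windows and Recycled folders).
WORM_COPY = "killonce.exe"

# System files the worm renames before placing its own copy under the
# original name. Key: name after renaming; value: original name, which
# in the same folder is now most likely the worm.
RENAMED_ORIGINALS = {
    "run32.exe": "rundll32.exe",
    "regedit.sys": "regedit.exe",
}

# DLLs the worm drops next to documents of a given type, so that the
# application opening the document may load the DLL from that folder.
DLL_BESIDE_DOCUMENT = {
    "shdocvw.dll": ".htm",
    "riched20.dll": ".doc",
}


def scan(root):
    """Walk `root` and return a sorted list of (indicator, relative_path)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        names = {f.lower(): f for f in files}          # lower-case -> as found
        exts = {os.path.splitext(f)[1].lower() for f in files}

        def path_of(lower_name):
            p = names[lower_name] if rel == "." else os.path.join(rel, names[lower_name])
            return p.replace(os.sep, "/")

        if WORM_COPY in names:
            findings.append(("worm_copy", path_of(WORM_COPY)))

        for renamed, original in RENAMED_ORIGINALS.items():
            if renamed in names:
                # The renamed file is the clean original; the file under the
                # original name in the same folder is the suspected worm copy.
                findings.append(("renamed_system_file", path_of(renamed)))
                if original in names:
                    findings.append(("suspect_replacement", path_of(original)))

        for dll, ext in DLL_BESIDE_DOCUMENT.items():
            # Assumption: the DLL alone (e.g. in a system folder) is not
            # flagged; only the "DLL beside document" pattern is.
            if dll in names and ext in exts:
                findings.append(("dll_beside_document", path_of(dll)))
    return sorted(findings)


# Constructed layout of an infected share; file contents are placeholders.
SAMPLE_LAYOUT = {
    "Windows/Run32.Exe": "clean rundll32 after rename",
    "Windows/RunDll32.exe": "worm body",
    "Windows/Regedit.sys": "clean regedit after rename",
    "Windows/Regedit.exe": "worm body",
    "Recycled/KILLONCE.EXE": "worm body",
    "Docs/report.doc": "document",
    "Docs/RICHED20.DLL": "worm body",
    "Web/index.htm": "page",
    "Web/SHDOCVW.DLL": "worm body",
    "System/riched20.dll": "legitimate copy with no documents beside it",
}


def run_demo():
    """Create the constructed layout in a temp dir, scan it, then clean up."""
    root = tempfile.mkdtemp(prefix="kilonce-demo-")
    try:
        for relpath, content in SAMPLE_LAYOUT.items():
            full = os.path.join(root, *relpath.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for indicator, path in run_demo():
        print(f"{indicator:22} {path}")
```

Run it directly to see the findings for the constructed layout, or call scan() on the root of a mounted share. It cannot tell the worm's copy of RunDll32.exe from the real one by name alone, which is why the Run32.Exe / REGEDIT.SYS rename is reported as the primary indicator and the file under the original name only as a suspect.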
The worm adds the Guest account to the Administrators group, so any
user logged on as Guest has administrative rights. The worm also
shares the hard drives C: through K: on the network.
The worm kills processes whose names contain the strings 'AV' or
'KV', and processes named LOAD.EXE. It also tries to delete the
files corresponding to the killed processes.
The worm prevents REGEDIT.EXE and MSCONFIG.EXE from running and
shows a message box if a user tries to run them.
The worm has a dangerous payload. On December 13th it writes a
command to AUTOEXEC.BAT that will delete all files on the C: drive
after the next system restart.
[Analysis: Alexey Podrezov; F-Secure Corp.; November 27th, 2002]