F-Secure
Tools
Trojan-Dropper:W97M/Kukudro.A
Summary
A trojan that contains one or more malicious programs, which it will secretly install and execute.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Kukudro is an macro trojan-dropper embedded in a Microsoft Word document.
This malware was first spammed to various e-mails addresses, as zip archive file named my_Notebook.doc. Once a user opens the document, it drops and runs a binary executable. Later distributions runs may use varying names for the infected document.
The trojan-dropper is written in Visual Basic for Applications (VBA).
Execution
When the infected Word document is opened, the macro code inside of it will be executed. It will decode a binary file from its code and drop it as 666inse_1.exe to the root of the C: drive. Then the macro will execute the dropped 666inse_1.exe file and end.
The binary executable is a trojan-downloader called Small.DCU.
Note
In Office 2003 or later, the macro will only execute if macros have been enabled from Word's security settings.
Otherwise, the trojan uses a vulnerability in MS Word 97, 2000 and XP; in this case, the macro will be able to execute even though macros are supposed to be disabled. More information on this vulnerability is available at: http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx.
This malware was first spammed to various e-mails addresses, as zip archive file named my_Notebook.doc. Once a user opens the document, it drops and runs a binary executable. Later distributions runs may use varying names for the infected document.
The trojan-dropper is written in Visual Basic for Applications (VBA).
Execution
When the infected Word document is opened, the macro code inside of it will be executed. It will decode a binary file from its code and drop it as 666inse_1.exe to the root of the C: drive. Then the macro will execute the dropped 666inse_1.exe file and end.
The binary executable is a trojan-downloader called Small.DCU.
Note
In Office 2003 or later, the macro will only execute if macros have been enabled from Word's security settings.
Otherwise, the trojan uses a vulnerability in MS Word 97, 2000 and XP; in this case, the macro will be able to execute even though macros are supposed to be disabled. More information on this vulnerability is available at: http://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx.