Threat Description

Trojan-Dropper:​W97M/Kukudro.A

Details

Aliases: W97M/Kukudro, W97M.Kukudro, Trojan-Dropper:​W97M/Kukudro.A
Category: Malware
Type: Trojan-Dropper
Platform: W97M

Summary


Trojan-Dropper:​W97M/Kukudro is a trojan-dropper embedded in the macro code of a Microsoft Word document.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


This malware was first spammed to various e-mails addresses, as zip archive file named my_Notebook.doc. Once a user opens the document, it drops and runs a binary executable. Later distributions runs may use varying names for the infected document.

The trojan-dropper is written in Visual Basic for Applications (VBA).

Execution

When the infected Word document is opened, the macro code inside of it will be executed. It will decode a binary file from its code and drop it as 666inse_1.exe to the root of the C: drive. The macro will then execute the dropped 666inse_1.exe file and end.

The binary executable is a trojan-downloader called Small.DCU.

Note

In Office 2003 or later, the macro will only execute if macros have been enabled from Word's security settings.Otherwise, the trojan uses a vulnerability in MS Word 97, 2000 and XP; in this case, the macro will be able to execute even though macros are supposed to be disabled.

More information on this vulnerability is available at: https://www.microsoft.com/technet/security/Bulletin/MS01-034.mspx.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More