Classification

Category :

Malware

Type :

-

Aliases :

KilOnce, Worm.Win32.Kilonce, Killonce, W32.HLLW.Kilonce

Summary

KilOnce is a network worm that closely resembles the Nimda email and network worm, but unlike Nimda it does not spread via email. The worm received media attention in China at the end of November 2002. At the time this description was written, F-Secure Viruslab had not received a single sample of this worm from the field.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Note that the worm has many bugs, which limit its ability to infect computers and activate its payload.

When the worm's file is run, it first tries to create an EML file in a temporary folder, storing there its own MIME-encoded file under the name Explorer.exe together with the IFrame exploit that makes it possible to activate the worm's attachment automatically on some systems. Due to a bug, however, the EML file is never created.

The worm then checks the name of the file it was started from. If it was not started from a file named KILLONCE.EXE, the worm creates a file with that name, copies its contents there and starts it.

If the worm's file is started with the -U command line option, it removes its startup keys from the Registry and exits. However, the worm's bugs may prevent this procedure from completing.

If the worm's file is started with the -D command line option, it creates a RICHED20.DLL file in the current folder and copies its contents there.

The worm installs itself to the system by copying its file to the Windows folder and to the Recycled folder as KILLONCE.EXE and adding its startup string to the Run key in the Registry:

 [HKLM\Microsoft\Windows\CurrentVersion\Run]
"KillOnce" = "%windir%\KILLONCE.EXE"

Here %windir% represents the Windows directory. The worm also modifies the default startup key for EXE files so that its copy runs before any executable file:

 [HKCR\exefile\shell\open\command]
@ = "%windir%\KILLONCE.EXE "%1" %"

The worm also edits the startup key for text files, so its copy is always run from the Recycled folder when a user opens a text file:

 [HKCR\txtfile\shell\open\command]
@ = "%recycledir%\KILLONCE.EXE %windir%\NotePad.exe %1"

The worm constantly scans the user's personal folders for *.DOC files but takes no action when it finds them other than incrementing an internal counter.

The worm constantly tries to spread over the network. It enumerates all shared resources and, if it finds a \Windows\RunDll32.exe file on a share, renames it to \Windows\Run32.Exe and copies itself in place of the remote RunDll32.exe. Since RunDll32.exe is used at least once per Windows session, the remote computer becomes infected.

The worm scans remote drives for files with certain extensions. When it finds HTM files, it copies itself as SHDOCVW.DLL into the same folder. When it finds DOC files, it copies itself as RICHED20.DLL into the same folder. When it finds EML files that it did not create itself, it deletes them. The worm creates EML and NWS files of its own containing its MIME-encoded attachment and the IFrame exploit. The worm also renames REGEDIT.EXE to REGEDIT.SYS and then copies itself as REGEDIT.EXE to the remote computer.

The worm adds the Guest account to the Administrators group, so any user logged in as Guest has administrator rights. The worm also shares hard drives C: through K: on the network.

The worm kills processes whose names contain the strings 'AV' or 'KV', and also kills processes named 'LOAD.EXE'. It also tries to delete the files corresponding to the killed processes.

The worm does not allow REGEDIT.EXE and MSCONFIG.EXE to run; it shows a message box when a user tries to run these files.

The worm has a dangerous payload. If the month is December and the day is the 13th, the worm writes a special command to AUTOEXEC.BAT that deletes all files on the C: drive after the system restarts.
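The following is an added example, not F-Secure code, of a read-only host check for the persistence, file-association hijack, dropped-file and Guest-account indicators described in this section. It assumes the standard Run key under HKLM\Software (the key as printed above omits the Software subkey), the Recycled folder on the system drive, and a PowerShell version that provides Get-LocalGroupMember.

```powershell
# Added example (not F-Secure code): report Kilonce indicators on this host.
function Get-KilonceIndicators {
    $findings = @()

    # Run key value "KillOnce" = %windir%\KILLONCE.EXE (assumed standard key path)
    $runPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runPath -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['KillOnce']) {
        $findings += "Run value KillOnce = $($run.KillOnce)"
    }

    # exefile / txtfile open commands redirected through KILLONCE.EXE
    foreach ($cls in 'exefile', 'txtfile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match 'KILLONCE\.EXE') {
            $findings += "$cls open command hijacked: $cmd"
        }
    }

    # Dropped copies and renamed system files named in the description
    $paths = @(
        (Join-Path $env:windir 'KILLONCE.EXE'),
        (Join-Path $env:SystemDrive 'Recycled\KILLONCE.EXE'),   # assumed location
        (Join-Path $env:windir 'Run32.Exe'),                    # renamed RunDll32.exe
        (Join-Path $env:windir 'REGEDIT.SYS')                   # renamed REGEDIT.EXE
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # Guest added to the Administrators group
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -match '\\Guest$' }) {
        $findings += 'Guest account is a member of Administrators'
    }

    return $findings
}

$result = Get-KilonceIndicators
if ($result.Count -eq 0) { 'No Kilonce indicators found' } else { $result }
```

Run it from an elevated prompt so the HKLM and local group queries succeed; any finding warrants a scan with an up-to-date engine rather than manual cleanup alone.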