W32/Krisworm-A is a worm which spreads by targeting computers with weak administrator and user passwords.
The worm installs several files in the fonts subfolder of the Windows fonts folder adds the registry entry:
= <Windows fonts>\fonts\sys.exe
The malicious files installed by the worm are:
man.bat (detected by Sophos Anti-Virus as Troj/Noshare-N)
The worm also installs the following files which are not malicious :
a.q - a list of words
bd.exe - a utility used for hiding windows
dex.exe - a networking utility used for running processes on other computers
fhgh.cca - a text file containing a counter
kern.exe - a utility that list running processes
Sys.exe - a copy of the mIRC chat client.
x.xx - a text file containing a list of IP ranges
W32/Krisworm-A attempts to copy itself to the admin$ share on remote computers and execute the copy. The worm acts as a backdoor and IRC proxy server, allowing a remote attacker to control the infected computer.
Cameras that make great holiday gifts
Let them start the new year with a step up in photo and video quality from a phone.