Sophos

W32/Kilonce-A

Aliases
  • W32.HLLW.Kilonce
  • Worm.Win32.Kilonce
  • W32/Kilonce

Summary

Included in our products from October 2002 (3.62)
Detected by All Sophos products
More Information

W32/Kilonce-A is a worm which spreads via open local area network shares.

The worm copies itself to the Windows folder as KILLONCE.EXE and creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KillOnce =
"C:\\KILLONCE.EXE"

so that it is run on system restart.

W32/Kilonce-A also changes certain values in the registry so that the following entries are created:

HKLM\Software\CLASSES\txtfile\shell\open\command =
"C:\\NOTEPAD.EXE %1"

and

HKLM\Software\CLASSES\exefile\shell\open\command =
"C:\\KILLONCE.EXE "%1" %*"

The latter entry ensures that the worm is run before every EXE file. The worm attempts to open full access shares on drives C: to K:. It then finds open shares on remote computers on the network by enumerating network resources. Once appropriate shares are found, W32/Kilonce-A copies itself to the remote computers' Windows folder as REGEDIT.EXE (the original is saved as REGEDIT.EXE.SYS) and RUNDLL32.EXE (the original is saved as RUN32.EXE). The worm also copies itself as RICHED20.DLL to any folder containing a file with the extension HTM and as SHDOCVW.DLL to any folder containing a file with the extension DOC.

W32/Kilonce-A may also overwrite files that have the extension EML with a base64 encoded copy of itself.

When the worm is running in the background all programs with the letters 'AV' or 'KV' within the filename or with filename LOAD.EXE are suppressed on execution and then deleted.

W32/Kilonce-A also has a destructive payload. On the 13th of December, the worm appends a line to AUTOEXEC.BAT so that all files and folders on drive C: are deleted on the next restart. Finally, the worm may attempt to give guests administrator access on Windows NT based platforms.
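The registry and file changes described above are concrete things an administrator can check for. The PowerShell script below is an added example, not part of the Sophos description, that looks for those indicators on the local host; the expected clean value of the exefile handler ("%1" %*) and the Windows-folder paths are assumptions about a standard install.

```powershell
# Added example (not Sophos code): check a host for W32/Kilonce-A indicators.
function Get-RegistryDefault {
    param([string]$Path)
    try { (Get-ItemProperty -Path $Path -ErrorAction Stop).'(default)' }
    catch { $null }
}

$findings = @()

# 1. Run key persistence: value named KillOnce pointing at KILLONCE.EXE
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['KillOnce']) {
    $findings += "Run key value KillOnce = $($run.KillOnce)"
}

# 2. exefile handler: on a clean system the default value is "%1" %*
#    with no program in front of it (assumption: standard Windows default).
$exeCmd = Get-RegistryDefault 'HKLM:\Software\Classes\exefile\shell\open\command'
if ($exeCmd -and $exeCmd -notmatch '^"%1"\s+%\*$') {
    $findings += "exefile open command hijacked: $exeCmd"
}

# 3. txtfile handler: the worm rewrites it to C:\NOTEPAD.EXE %1
$txtCmd = Get-RegistryDefault 'HKLM:\Software\Classes\txtfile\shell\open\command'
if ($txtCmd -and $txtCmd -match '^C:\\NOTEPAD\.EXE') {
    $findings += "txtfile open command altered: $txtCmd"
}

# 4. Dropped/renamed files named in the description. The Run key points at
#    C:\KILLONCE.EXE while the copy is made to the Windows folder, so check both.
$candidates = @(
    'C:\KILLONCE.EXE',
    "$env:SystemRoot\KILLONCE.EXE",
    "$env:SystemRoot\REGEDIT.EXE.SYS",   # original REGEDIT.EXE, renamed
    "$env:SystemRoot\RUN32.EXE"          # original RUNDLL32.EXE, renamed
)
foreach ($p in $candidates) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Kilonce-A indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "INDICATOR: $_" }
}
```

Run it from an elevated prompt so that HKLM and the Windows folder are readable; a hit on the exefile handler alone warrants a full scan, since other threats alter that key too.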
