Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:24/01/2005
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium to high
Damage Potential:Medium
Static file:Yes
File size:16.000 Bytes
MD5 checksum:095aac37b121cd3e36a2bba0ea8a26a7
VDF version:

 General Methods of propagation:
   • Email
   • Peer to Peer

   •  Symantec: W32.Kipis.A@mm
   •  Mcafee: W32/Kipis.d@MM
   •  Kaspersky: Email-Worm.Win32.Kipis.g
   •  TrendMicro: WORM_KIPIS.C
   •  Sophos: W32/Kipis-G
   •  Grisoft: I-Worm/Kipis.F
   •  VirusBuster: I-Worm.Kipis.C
   •  Eset: Win32/Kipis.G
   •  Bitdefender: Win32.Kipis.G@mm

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Uses its own Email engine
   • Registry modification
   • Third party control

 Files It copies itself to the following locations:
   • %WINDIR%\
   • %SYSDIR%\
   • %SYSDIR%\Microsoft\svchost.exe

 Registry The following registry key is changed:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe %SYSDIR%\Microsoft\svchost.exe"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

The sender address is spoofed.
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. He might not know about his infection or might not even be infected at all. Furthermore it is possible that you will receive bounced emails telling you that you are infected. This might also not be the case.

– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

One of the following:
   • Hello
   • Hi
   • Letter
   • Love
   • message
   • Re: Hello
   • Re: Hi
   • Re: Letter
   • Re: Love
   • Re: message

The body of the email is one of the following:

   • With the coming Valentine's day. :)

   • What for you have send me this letter?
     I have read, i precisely do not know you.

   • What for you have send me this letter?

   • Greetings, you do not know me,
     me asked to send you this love letter.

   • Please look my Love letter..

The filename of the attachment is one of the following:
   • letter.pif
   • message.pif
   • Love.pif
   • you.php679807.pif
   • I-LOVE-YOU.pif

The attachment is a copy of the malware itself.

The email looks like the following:

 Mailing Search addresses:
It searches the following files for email addresses:
   • html; eml; xls; xml; uin; tbb; dbx; doc; htm; adb; txt

Address generation for FROM field:
To generate addresses it uses the following strings:
   • sandra; mary; bill; toma; linda; stan; mike; anna; adam; maria; rosa;
      stiv; liza; dana; alex

It combines the result with domains that were found in files, which were previously searched for addresses.

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • bitdefend; mailer; podpiska; accoun; listserv; newvir; antivir;
      support; admin; sales; news; info; site; webmaney; drweb; where;
      abuse; rating; the.bat; page; soft; register; notice; help; bugs;
      contact; service; kaspersky; nod32; privacy; webmaster; postmaster;
      rfc-; ripe.; sybari; anyone; mozilla; sendmail; pgp; secur; fido;
      google; .edu; mydomai; gov.; foo.; iruslis; norman; e-trust-; .hlp;
      .gov; nodomai; borlan; hotmail; f-prot; klamav; bitdefen; sopho;
      syman; software.; .mil; panda; msn.; icrosoft; avp

Prepend MX strings:
In order to get the IP address of the mail server it has the ability to prepend the following strings to the domain name:
   • gate.
   • ns.
   • relay.
   • mail1.
   • mxs.
   • mail.
   • mx1.
   • mx.
   • smtp.

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  

   It searches for directories that contain one of the following substrings:
   • upload
   • incomin
   • downloa
   • grokste
   • shar

   If successful, the following files are created:
   • Porno arhive(sex,oral,anal,bdsm).scr
   • Winamp 6 full.exe
   • MS Office XP Crack.exe
   • Crack collection(6 892).exe
   • KAV 5.0x Keygen.exe
   • WinXP SP3 crack.exe
   • MyProxy 7.0x crack.exe

 Process termination Processes with one of the following strings are terminated:
   • filemon.; regmon.; nopdb.; escanhnt.; frw.; upw; rewall; guard.;
      ccapp.; blackd.; sphinx.; maniac.; bscan; protect; suchost.; safe;
      taumon; kerio; blackice; fiaudit.; upgrade; update; alarm; post;
      rising; winit.; symantec; gate; kav; mcafee; nav; luall.; rweb; duba;
      svchosl.; avmon

 Backdoor The following port is opened:

%malware execution directory%\%executed file% on TCP port 7312 in order to provide backdoor capabilities.

 Miscellaneous It creates the following Mutex:
   • -= KiPiSh - GFxPRO - 0x1.0 =-

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • FSG

Description inserted by Irina Boldea on Monday, August 14, 2006
Description updated by Irina Boldea on Tuesday, August 15, 2006

Back . . . .