Installation and Autostart Technique
This worm drops the following files:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
As a result, malicious routines of the dropped files may be exhibited on the affected system. It sets the attributes of its dropped files to the following:
This worm creates the following registry entry to enable its automatic execution at every system startup:
kvasoft = "%System%\kva8wr.exe"
This worm injects threads into several normal processes. It deletes itself after execution.
Propagation via Physical/Removable/Floppy Drives
This worm drops the following copy of itself in all physical and removable drives:
It drops an AUTORUN.INF file in all physical drives to automatically execute dropped copies when the drives are accessed. The AUTORUN.INF file contains the following strings:
Analysis By: Marfel Tiamzon