Saturday, 11 October 2008       

Worm.Win32.Kilonce. Spyware/Adware Definition


Name: Worm.Win32.Kilonce.
Category: Viruses
Description: Details
Worm.Win32.Kilonce.a

This is a Win32 network worm. It spreads over the local network through drives that are shared with full (read/write) access.
The worm itself is a Windows PE EXE file written in Delphi. Depending on the version, the file is about 40 KB (UPX-compressed) or 82 KB (original, uncompressed EXE).
The worm was found in China in November 2002.
The worm's code contains many bugs, and it often fails to spread over the network or to activate its payload routines.
Installing
On installation the worm copies itself under the name "killonce.exe" to the Windows directory and to the "Recycled" directory on the drive where Windows is installed. It then registers these copies in the registry: one in the auto-run key, and both as wrappers in the shell "open" commands for EXE and TXT files, so that a worm copy is started whenever an executable or text file is opened. For example, if Windows is installed in C:\WINDOWS, the affected registry keys look as follows:
HKCR\exefile\shell\open\command
"C:\WINDOWS\KILLONCE.EXE "%1" %*"

HKCR\txtfile\shell\open\command
"C:\Recycled\KILLONCE.EXE C:\WINDOWS\NotePad.exe %1"

HKLM\Software\CLASSES\exefile\shell\open\command
"C:\WINDOWS\KILLONCE.EXE "%1" %*"

HKLM\Software\CLASSES\txtfile\shell\open\command
"C:\Recycled\KILLONCE.EXE C:\WINDOWS\NotePad.exe %1"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
KillOnce = "C:\WINDOWS\KILLONCE.EXE"
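
The five values above share one pattern: a wrapper executable is wedged in front of the normal "open" command, and the same file is registered under Run. The script below is an added example, not part of this definition and not code from the worm: it parses a `reg export`-style dump and reports any exefile/txtfile handler whose launcher is not the Windows default, plus auto-run entries that point at the same binary. The infected dump is constructed from the values listed above (not captured from a real machine); the clean dump and the expected-launcher table are assumptions about a default Windows install.

```python
import ntpath
import re

# Constructed sample: what `reg export` of the affected keys would produce on
# an infected machine, using the values quoted above (not captured from a real
# system). .reg syntax doubles every backslash and escapes embedded quotes.
INFECTED_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\KILLONCE.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Recycled\\KILLONCE.EXE C:\\WINDOWS\\NotePad.exe %1"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KillOnce"="C:\\WINDOWS\\KILLONCE.EXE"
'''

# Constructed clean counterpart (Windows defaults; the txtfile value is really
# REG_EXPAND_SZ with %SystemRoot%, written as a plain string here).
CLEAN_DUMP = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\WINDOWS\\system32\\NOTEPAD.EXE %1"
'''

# Launcher each class should have. exefile has none: its default is exactly
# "%1" %*, i.e. the EXE itself runs with its own arguments.
EXPECTED_LAUNCHER = {"exefile": None, "txtfile": "notepad.exe"}

_HANDLER_KEY = re.compile(
    r"^HKEY_\w+\\(?:Software\\Classes\\)?([^\\]+)\\shell\\open\\command$", re.I)
_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash protects the next character."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.
    String data is decoded; hex:/dword: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3).strip()
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def launcher_of(command):
    """First executable a shell command runs ('%1' means the target itself)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def find_handler_hijacks(keys):
    """(key, launcher) for each shell\\open\\command whose launcher is not
    the one Windows installs for that file class."""
    findings = []
    for key, values in keys.items():
        m = _HANDLER_KEY.match(key)
        if not m or m.group(1).lower() not in EXPECTED_LAUNCHER:
            continue
        expected = EXPECTED_LAUNCHER[m.group(1).lower()]
        launcher = launcher_of(values.get("(Default)", ""))
        if launcher.startswith("%"):   # "%1" %*: nothing wedged in front
            ok = expected is None
        else:
            ok = expected is not None and ntpath.basename(launcher).lower() == expected
        if not ok:
            findings.append((key, launcher))
    return findings


def find_run_entries(keys):
    """Every Run/RunOnce entry as (value name, executable path)."""
    return [(name, launcher_of(cmd))
            for key, values in keys.items() if _RUN_KEY.search(key)
            for name, cmd in values.items() if name != "(Default)"]


def correlate(reg_text):
    """Auto-run entries whose binary is also wedged into a file handler:
    one file in both places is the pattern described above."""
    keys = parse_reg(reg_text)
    wrappers = {ntpath.basename(l).lower() for _, l in find_handler_hijacks(keys)}
    return [(n, p) for n, p in find_run_entries(keys)
            if ntpath.basename(p).lower() in wrappers]
```

Running `correlate(INFECTED_DUMP)` returns the KillOnce auto-run entry because its binary, killonce.exe, is also the launcher in both hijacked handlers; `correlate(CLEAN_DUMP)` returns nothing. On a live system the same checks apply to a dump produced with `reg export HKCR\exefile out.reg` and the other keys above; note that cleaning the exefile value by hand is the one step that must be done carefully, because with a wrapper pointing at a deleted file nothing ending in .exe will start.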

The worm then creates an e-mail copy of itself in the Windows temporary directory. This file is named "KillOnce.exe.Eml" and is a properly formatted e-mail message. The From, To and Subject fields and the body are empty. The attachment is named "Explorer.exe" (the worm copy in a MIME envelope), and the message contains an IFRAME tag intended to launch that EXE attachment automatically when the message is opened.
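
As an added example (not code from this page or from the worm), the script below parses a message built in the shape just described and flags the three things that stand out: empty From/To/Subject headers, an attachment with an executable name whose content starts with the PE "MZ" signature, and an IFRAME whose src is the Content-ID of that attachment. The message, its boundary strings, MIME types and Content-ID are constructed for the example; the real KillOnce.exe.Eml headers are not reproduced on this page, and the attachment payload is a two-byte MZ stub with padding, not the worm.

```python
import base64
import re
from email import message_from_string

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IFRAME_SRC = re.compile(r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

# Constructed message in the shape described above: empty From/To/Subject, an
# empty body, an attachment named Explorer.exe and an IFRAME that points at it.
# The MIME types, boundary and Content-ID are assumptions; the attachment is a
# "MZ" stub plus padding, not the worm.
_FAKE_EXE = base64.b64encode(b"MZ" + b"\x00" * 62).decode("ascii")
SAMPLE_EML = f"""From:
To:
Subject:
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:explorer" width=0 height=0></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="Explorer.exe"
Content-Transfer-Encoding: base64
Content-ID: <explorer>
Content-Disposition: attachment; filename="Explorer.exe"

{_FAKE_EXE}
--b1--
"""

# Constructed benign message, used to show the checks stay quiet on normal mail.
BENIGN_EML = """From: alice@example.com
To: bob@example.com
Subject: notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just text
--b2--
"""


def analyze(eml_text):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(eml_text)
    findings = []
    for header in ("From", "To", "Subject"):
        if not (msg.get(header) or "").strip():
            findings.append(f"empty {header} header")
    by_cid, executables, iframe_srcs = {}, set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:
            cid = (part.get("Content-ID") or "").strip().strip("<>")
            if cid:
                by_cid[cid] = fname
            ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
            if ext in EXECUTABLE_EXTENSIONS:
                executables.add(fname)
                findings.append(f"executable attachment {fname}")
            # Check the decoded content, not just the name: a PE file starts with "MZ".
            if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
                findings.append(f"attachment {fname} carries a PE (MZ) header")
        elif part.get_content_type() == "text/html":
            html = (part.get_payload(decode=True) or b"").decode("ascii", "replace")
            iframe_srcs.extend(IFRAME_SRC.findall(html))
    for src in iframe_srcs:
        target = by_cid.get(src[4:]) if src.lower().startswith("cid:") else None
        if target in executables:
            findings.append(f"IFRAME references executable attachment {target}")
        elif target:
            findings.append(f"IFRAME references attachment {target}")
        else:
            findings.append(f"IFRAME loads {src}")
    return findings


def is_self_launching(eml_text):
    """True when an IFRAME in the body points at an executable attachment."""
    return any(f.startswith("IFRAME references executable attachment ")
               for f in analyze(eml_text))
```

`analyze(SAMPLE_EML)` reports all three empty headers, the executable attachment, its MZ header and the IFRAME that references it, while `analyze(BENIGN_EML)` returns an empty list. The IFRAME check matches on the Content-ID rather than the file name, because that is how an HTML body addresses an attachment in the same message; a mail filter can apply the same rule to .eml files found in temporary directories.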
Spreading
The worm looks for network drives that are shared with full access and, if a "Windows" directory is present on such a drive, copies itself there under the name:
Windows\rundll32.exe

The original rundll32.exe on that drive is renamed by the worm to "Run32.exe", so the worm copy takes its place.

