Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Ketawa.A

 
Threat LevelLow threatDamageHighDistributionNot widespread

Effects 

Ketawa.A carries out the following actions:

  • When it is run, the following Internet Explorer window is displayed:

    Internet Explorer window displayed by Ketawa.A

    The content of the document is a funny story in Indonesian.
  • It modifies the configuration of the screensaver in such a way that:
    - whenever it is activated, the username and password is required in order to log in.
    - the waiting time of its activation is reduced.
    - the file that is run whenever it is activated is a copy of Ketawa.A.
  • It prevents the hidden files from being viewed.

Infection strategy 

Ketawa.A creates the following files:

  • NETMMC.EXE, PIPES.SCR and TOOTSMAN.EXE, in the Windows directory. These files are copies of the Trojan.
  • BINARY-VALUE.BAT, in the Startup directory. This file runs MONTHYEAR.REG.
  • MONTHYEAR.REG, in the Windows directory and SPY.REG, in the Windows system directory. These files create the Windows Registry entries so that the copies of the Trojan are run.
  • FLOWER.REG, in the subfolder SYSTEM of the Windows directory. It modifies the Windows Registry entries related with the screensaver.
  • SHOW_SCREEN.REG, in the subfolder SYSTEM of the Windows directory. This file opens the document where the text in Indonesian is displayed.
  • KETAWA_SAMPE_MABOK.HTM, in the subfolder WEB of the Windows directory. This file belongs to the document in Indonesian.

 

Ketawa.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
    user = tootsman.exe
  • HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
    current = netmmc.exe
    By creating these entries, Ketawa.A ensures that is run whenever Windows is started.

 

Ketawa.A modifies the following entries from the Windows Registry:

  • HKEY_CURRENT_USER\ Control Panel\ Desktop
    ScreenSaverIsSecure = 1
    It changes this entry to:
    HKEY_CURRENT_USER\ Control Panel\ Desktop
    ScreenSaverIsSecure = 0
    This way, Ketawa.A modifies the configuration of the screensaver so that when it is activated, the username and password is requested to log in.
  • HKEY_CURRENT_USER\ Control Panel\ Desktop
    ScreenSaveTimeOut = 600
    It changes this entry to:
    HKEY_CURRENT_USER\ Control Panel\ Desktop
    ScreenSaveTimeOut = 180
    By modifying this entry, the waiting time of activation of the screensaver decreases.
  • HKEY_CURRENT_USER\ Control Panel\ Desktop
    SCRNSAVE.EXE = logon.scr
    It changes this entry to:
    HKEY_CURRENT_USER\ Control Panel\ Desktop
    SCRNSAVE.EXE = pipes.scr
    This way, the file PIPES.SCR, which is a copy of itself, is run whenever the screensaver is activated.
  • HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
    Hidden = 1
    It changes this entry to:
    HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
    Hidden = 2
    By modifying this entry, Ketawa.A prevents the hidden files from being viewed.

Means of transmission 

Ketawa.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Ketawa.A is written in the programming language Visual Basic v6.0. This Trojan is 77,824 bytes in size.