
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


AutoKitty.A

 
Threat level: Low threat
Damage: High
Distribution: Not widespread

Effects 

AutoKitty.A makes numerous modifications to the Windows Registry of the affected computer, with the following consequences:

  • It disables the following items:
    - Windows Registry Editor.
    - Task Manager, which prevents the user from viewing the processes that are running.
    - Folder options in Windows Explorer, which prevents the user from accessing the folder configuration menu.
    - The context menu, that is, the one that appears when right-clicking the mouse.
    - The command shell: CMD.EXE.
    - The Search option in Windows Explorer.
  • It disables the following options in the Start menu:
    - Search, which allows files to be searched for quickly and directly.
    - Run, which allows files to be run quickly and directly.
  • It uses several techniques to make its detection more difficult:
    - It hides the files and folders with hidden attributes.
    - It hides file extensions.

 

It also carries out the following actions:

  • It modifies the Internet Explorer start page, changing it to the following:

  • It modifies the window title of the Internet Explorer websites, adding the following text:
    Yours truly, Kitty Kat
  • It modifies the characteristics of the system properties:

Infection strategy 

AutoKitty.A creates the following files, which are copies of the worm:

  • A file with the same name under which it was run, in the CACHE folder of the Windows directory and in a Picture folder, which it creates itself, in the root directory of all the drives.
  • DTSYSTRA.EXE and SYSHOST.EXE, in the system folder of the Windows directory.
  • PROMON.EXE and DLCTRL.EXE, in the Windows system directory.
  • MSSRC.EXE, in the drivers folder of the Windows system directory.

 

AutoKitty.A creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    dlctrl = %sysdir%\dlctrl.exe

    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    mssrc = %sysdir%\drivers\mssrc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    promon = %sysdir%\promon.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    dtsystra = %windir%\system\dtsystra.exe

    where %windir% is the Windows directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    syshost = %windir%\system\syshost.exe

    By creating these entries, AutoKitty.A ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = 1

    It disables the Windows Registry Editor.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 1
    It disables the Task Manager.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun = 1
    It does not display the option Run in the Start menu.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFind = 1
    It does not display the option Search in the Start menu.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions = 1
    It does not display the option Folder options of the Windows Explorer.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoTrayContextMenu = 1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoViewContextMenu = 1
    By creating these two entries, it does not display the context menu, that is, the one that appears when right clicking the mouse.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableCMD = 1
    It disables the command shell.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoShellSearchButton = 1
    It does not display the option Search in the Windows Explorer.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft NT\Windows\CurrentVersion\Winlogon
    DisableCAD = 1
    It disables the option Ctrl+Alt+Del as a security measure to log in.
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Window Title = Yours truly, Kitty Kat
    It modifies the window title of the Internet Explorer websites.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    EnableBalloonTips = 0

 

AutoKitty.A creates the following entries in the Windows Registry to disable the firewall of the operating system:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    DoNotAllowExceptions = 0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    EnableFirewall = 0

AutoKitty.A modifies the following entries from the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    Start Page =
    %start page established by the user%
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    Start Page = http://www.lyricsandsongs.com/song/759770.html

    It modifies the Internet Explorer start page.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    RegisteredOwner
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    RegisteredOwner = KittyKat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductId
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    ProductId = KITTY-KAT-LOVESSS-YOUUU
    By modifying these two entries, it changes the system properties that show the user name to which the operating system is registered, as well as its product ID.

Additionally, it modifies these entries from the Windows Registry, in order to make its detection more difficult:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 1

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = 0

    It hides the folders with hidden attributes.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    CheckedValue = 1

    It changes this entry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
    CheckedValue = 0

    It hides the extension of the files.
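
The registry changes listed above can be checked offline against a `reg export` dump, which suits this worm because it disables Registry Editor, Task Manager and CMD.EXE on the affected computer. This is an added example, not Panda Security's code: the function names, finding categories and sample export are constructed for illustration, and matching ignores the hive so that HKLM and HKCU policy values are both caught.

```python
import re

# Indicators transcribed from the registry entries listed on this page.
RUN_NAMES = {"dlctrl", "mssrc", "promon", "dtsystra", "syshost"}
POLICY_ON = {"disableregistrytools", "disabletaskmgr", "disablecmd", "norun",
             "nofind", "nofolderoptions", "notraycontextmenu",
             "noviewcontextmenu", "noshellsearchbutton"}
MARKERS = {"window title": "Yours truly, Kitty Kat",
           "registeredowner": "KittyKat",
           "productid": "KITTY-KAT-LOVESSS-YOUUU"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample in .reg export syntax (not captured from a real host).
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dlctrl"="C:\\WINDOWS\\system32\\dlctrl.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableCMD"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Yours truly, Kitty Kat"
'''

def parse_reg(text):
    """Yield (key, name, data) for string and dword values in .reg text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                yield key, name, int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                yield key, name, re.sub(r"\\(.)", r"\1", raw[1:-1])

def findings(text):
    """Return sorted (category, key, name) hits for the page's indicators."""
    hits = set()
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith(r"\windows\currentversion\run") and n in RUN_NAMES:
            hits.add(("autostart", key, name))
        elif "\\policies\\" in k and n in POLICY_ON and data == 1:
            hits.add(("tool-disabled", key, name))
        elif k.endswith("\\standardprofile") and n == "enablefirewall" and data == 0:
            hits.add(("firewall-off", key, name))
        elif MARKERS.get(n) == data:
            hits.add(("marker", key, name))
    return sorted(hits)
```

`reg export` writes UTF-16 files, so read a real dump with `open(path, encoding="utf-16")` before passing its text to `findings`.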

Means of transmission 

AutoKitty.A reaches the computer in a file with the icon of Hello Kitty.

It spreads by making copies of itself on all the available system drives, both mapped and removable. Additionally, it creates an AUTORUN.INF file in the root directory of all the drives, so that the worm is run whenever any of them is accessed.

Further Details  

AutoKitty.A is written in the programming language AutoIt. This worm is 1,269,658 bytes in size.