
Ketawa.A

 
Threat Level: Low threat | Damage: High | Distribution: Not widespread

Effects 

Ketawa.A carries out the following actions:

  • When it is run, the following Internet Explorer window is displayed:

    [Image: Internet Explorer window displayed by Ketawa.A]

    The content of the document is a funny story in Indonesian.
  • It modifies the configuration of the screensaver in such a way that:
    - whenever it is activated, the username and password are required in order to log in.
    - the waiting time of its activation is reduced.
    - the file that is run whenever it is activated is a copy of Ketawa.A.
  • It prevents the hidden files from being viewed.

Infection strategy 

Ketawa.A creates the following files:

  • NETMMC.EXE, PIPES.SCR and TOOTSMAN.EXE, in the Windows directory. These files are copies of the Trojan.
  • BINARY-VALUE.BAT, in the Startup directory. This file runs MONTHYEAR.REG.
  • MONTHYEAR.REG, in the Windows directory and SPY.REG, in the Windows system directory. These files create the Windows Registry entries so that the copies of the Trojan are run.
  • FLOWER.REG, in the subfolder SYSTEM of the Windows directory. It modifies the Windows Registry entries related to the screensaver.
  • SHOW_SCREEN.REG, in the subfolder SYSTEM of the Windows directory. This file opens the document where the text in Indonesian is displayed.
  • KETAWA_SAMPE_MABOK.HTM, in the subfolder WEB of the Windows directory. This file belongs to the document in Indonesian.

 

Ketawa.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    user = tootsman.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    current = netmmc.exe

    By creating these entries, Ketawa.A ensures that it is run whenever Windows is started.

 

Ketawa.A modifies the following entries from the Windows Registry:

  • HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaverIsSecure = 1

    It changes this entry to:
    HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaverIsSecure = 0

    This way, Ketawa.A modifies the configuration of the screensaver so that when it is activated, the username and password are requested to log in.
  • HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveTimeOut = 600

    It changes this entry to:
    HKEY_CURRENT_USER\Control Panel\Desktop
    ScreenSaveTimeOut = 180

    By modifying this entry, the waiting time before the screensaver is activated decreases.
  • HKEY_CURRENT_USER\Control Panel\Desktop
    SCRNSAVE.EXE = logon.scr

    It changes this entry to:
    HKEY_CURRENT_USER\Control Panel\Desktop
    SCRNSAVE.EXE = pipes.scr

    This way, the file PIPES.SCR, which is a copy of itself, is run whenever the screensaver is activated.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 1

    It changes this entry to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden = 2

    By modifying this entry, Ketawa.A prevents the hidden files from being viewed.
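
The registry entries listed above can be checked in an exported hive. The following Python code is an added example, not part of the original entry or of any Panda tool: it parses the text of a .reg export and reports which of the listed values are present. The function names parse_reg_export and scan, the verdict strings, and the C:\WINDOWS paths in the sample are assumptions made for illustration.

```python
import re

# Indicators from the write-up: (key, value name, data, weight). "weak" rows are
# settings that also occur on clean systems; they only corroborate a strong hit.
CV = r"\software\microsoft\windows\currentversion"
DESKTOP = r"hkey_current_user\control panel\desktop"
INDICATORS = [
    ("hkey_current_user" + CV + r"\run", "user", "tootsman.exe", "strong"),
    ("hkey_local_machine" + CV + r"\run", "current", "netmmc.exe", "strong"),
    (DESKTOP, "scrnsave.exe", "pipes.scr", "strong"),
    (DESKTOP, "screensaverissecure", "0", "weak"),
    (DESKTOP, "screensavetimeout", "180", "weak"),
    ("hkey_current_user" + CV + r"\explorer\advanced", "hidden", "2", "weak"),
]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Parse .reg export text into {key: {value name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif m and current is not None and m.group(2).startswith("dword:"):
            current[m.group(1).lower()] = str(int(m.group(2)[6:], 16))
        elif m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip('"').replace("\\\\", "\\")
    return keys

def scan(text):
    """Return (verdict, hits). Data is compared by file name only, so full paths
    and trailing arguments still match; 'review' requires a strong hit."""
    keys, hits = parse_reg_export(text), []
    for key, name, expected, weight in INDICATORS:
        data = keys.get(key, {}).get(name, "")
        leaf = (data.lower().rsplit("\\", 1)[-1].split() or [""])[0]
        if leaf == expected:
            hits.append((weight, name, data))
    strong = any(w == "strong" for w, _, _ in hits)
    return ("review" if strong else "no strong indicator"), hits

# Constructed sample export (the C:\WINDOWS paths are assumptions, not from the page).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"user"="C:\\WINDOWS\\tootsman.exe"
[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\PIPES.SCR"
"ScreenSaveTimeOut"="180"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
'''
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to scan.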

Means of transmission 

Ketawa.A does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, floppy disks, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.

Further Details  

Ketawa.A is written in the programming language Visual Basic v6.0. This Trojan is 77,824 bytes in size.

Last updated:  26/05/2007 
