Summary

| Included in our products from | October 2001 (3.50) |
|---|---|
| Detected by | All Sophos products |
More Information

W32/Petik-K is an email-aware worm which pretends to be connected to the popular French TV show "Loft Story" in an attempt to spread further.
The worm copies itself to the Windows directory as loft_story.exe and to the Windows System directory as loft.exe. It changes WIN.INI so that loft.exe will run automatically each time Windows is started. It then displays a message box with the title "Loft Story" and the body text "I'm fucking the Loft Story" before quitting.
When run from the Windows System directory, the worm creates the Registry key HKCU\Software\Microsoft\PetiK. It drops loft.htm (which Sophos
When the worm detects an internet connection it displays a message box with the title "Loft Story" and the text "Welcome to Internet !". It will then search for email addresses in *.htm* files in the internet file cache subdirectory and attempt to send itself to those addresses as an email attachment. The email has the following characteristics:
Subject: "Loft Story News..."
Message body: "The last video of the
Attached file: loft_story.exe
On the 28th of any month the worm will set the following registry keys:
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.loftstory.fr"
HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "LoftStory"
HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Aziz, Kenza, Loanna, etc..."
It then displays the message "New Worm Internet coded by PetiK (c)2001".
The HTML file dropped by W32/Petik-K is detected by Sophos
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX 1.0 = "C: \ActiveX.vbs"
HKCU\Software\Microsoft\
It will also change the Registry entry for the Internet Explorer start page, setting it to download a VBScript file from http://www.ctw.net.
Note: W32/Petik-K is sometimes confused with the Loft Story hoax.
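The host artifacts described above (the WIN.INI autostart entry, the two dropped file names and the HKCU\Software\Microsoft\PetiK key) can be checked offline against a collected WIN.INI, a file listing and a registry export. The following is an added example, not Sophos code; the function names and sample inputs are constructed for illustration, and it assumes the autostart entry sits on a `load=` or `run=` line of the `[windows]` section, which is where WIN.INI autostart entries live.

```python
import ntpath
import re

# Indicators taken from the description above.
DROPPED_NAMES = {"loft.exe", "loft_story.exe"}
MARKER_KEY = r"hkey_current_user\software\microsoft\petik"

def winini_autostart(text):
    """Programs listed on load=/run= lines of WIN.INI's [windows] section."""
    section, programs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run"):
            # Several programs may be listed, separated by spaces or commas.
            programs += [p for p in re.split(r"[,\s]+", value.strip()) if p]
    return programs

def petik_k_findings(winini_text, file_paths, reg_export):
    """Return a list of (indicator_type, detail) tuples."""
    findings = []
    for prog in winini_autostart(winini_text):
        if ntpath.basename(prog).lower() in DROPPED_NAMES:
            findings.append(("win.ini autostart", prog))
    for path in file_paths:
        if ntpath.basename(path).lower() in DROPPED_NAMES:
            findings.append(("dropped file", path))
    for line in reg_export.splitlines():
        key = line.strip().strip("[]").lower()
        if key == MARKER_KEY or key.startswith(MARKER_KEY + "\\"):
            findings.append(("registry key", line.strip()))
    return findings

# Constructed sample inputs (not captured from a real infection).
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\loft.exe\n[Desktop]\nrun=ignored.exe\n"
SAMPLE_FILES = ["C:\\WINDOWS\\loft_story.exe", "C:\\WINDOWS\\NOTEPAD.EXE"]
SAMPLE_REG = ("[HKEY_CURRENT_USER\\Software\\Microsoft\\PetiK]\n"
              "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows]\n")

if __name__ == "__main__":
    for kind, detail in petik_k_findings(SAMPLE_WININI, SAMPLE_FILES, SAMPLE_REG):
        print(f"{kind}: {detail}")
```

A file-name match on its own is only a lead; the WIN.INI entry and the registry key together are the stronger signal.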
