Threat behavior
Win32/Wukill creates a copy of itself in the Windows directory and in the root directory of local drives. It also copies itself to root directories where the user browses, including the root on mapped network drives. The worm also spreads by using Outlook to send a copy of itself as an attachment to e-mail addresses found in the Outlook address book.
The worm uses several methods to hide. When a user browses to a folder that contains the worm, the worm can move to another folder to avoid detection. In addition, the worm configures Windows Explorer to hide file extensions and hidden files, and the worm file icon may resemble a Windows folder icon. The deceptive icon and hidden file extension may make it appear safe to open the item; however, doing so runs the worm.
The worm drops a configuration file and script file with attributes hidden and system. Browsing to a folder that contains these files and the worm can cause the worm to run when Windows starts. The worm also modifies a registry key for this purpose.
The worm requires the Visual Basic 6.0 runtime file msvbvm60.dll to infect the computer.
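A triage sketch for the root-directory traits described above, added here as an example and not part of the original write-up. The extension set, the two-file threshold, and both sample listings are assumptions constructed for illustration; the write-up names no file names or extensions.

```python
import os
import stat

# Assumption: extensions that run on double-click; the write-up names none.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
HIDDEN_SYSTEM = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

def list_root(root):
    """Return (name, attribute bits) for files directly in root, non-recursive."""
    entries = []
    with os.scandir(root) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                # st_file_attributes is Windows-only; treat as 0 elsewhere.
                entries.append((entry.name, getattr(st, "st_file_attributes", 0)))
    return entries

def triage(entries):
    """Sort a root listing into the traits described for the worm."""
    def is_exec(name):
        return os.path.splitext(name)[1].lower() in EXEC_EXTS
    execs = sorted(n for n, _ in entries if is_exec(n))
    companions = sorted(n for n, a in entries
                        if (a & HIDDEN_SYSTEM) == HIDDEN_SYSTEM and not is_exec(n))
    # Heuristic (assumption): an executable in a drive root next to at least two
    # hidden+system files (config file and script file) merits manual review.
    return {"executables": execs, "hidden_system": companions,
            "review": bool(execs) and len(companions) >= 2}

# Constructed sample listings, not taken from a real infection.
A = stat.FILE_ATTRIBUTE_ARCHIVE
CLEAN_ROOT = [("pagefile.sys", HIDDEN_SYSTEM | A),
              ("thumbs.db", stat.FILE_ATTRIBUTE_HIDDEN), ("notes.txt", A)]
SUSPECT_ROOT = [("Holiday Photos.exe", A), ("constructed_config.dat", HIDDEN_SYSTEM),
                ("constructed_script.dat", HIDDEN_SYSTEM | A), ("notes.txt", A)]

if __name__ == "__main__":
    for label, listing in (("clean", CLEAN_ROOT), ("suspect", SUSPECT_ROOT)):
        print(label, triage(listing))
```

On a Windows host, pass the output of `list_root` for each local and mapped drive root to `triage`; a `review` result is a pointer for an antivirus scan, not a verdict.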
Prevention
Take the following steps to help prevent infection on your system:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
- Click Start, and click Control Panel.
- Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
- Click Change Windows Firewall Settings.
- Select On.
- Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
- Click Start, and click Control Panel.
- Click System.
- Click Automatic Updates.
- Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.