Microsoft
Security 

Malicious Software Encyclopedia: Virus:W97M/Kukudro.C

Published: June 30, 2006

W97M/Kukudro.C arrives as a macro containing an embedded binary in a Microsoft Word document file. This document file will be detected by the Microsoft AV Engine as W97M/Kukudro.C!CME-136. In Microsoft Word 2003, the macro will not run unless the user has explicitly allowed it or has lowered the default security settings to allow unsigned macros from non-trusted sources to run automatically. In Microsoft Word 97, Microsoft Word 2000, and Microsoft Word 2002, W97M/Kukudro.C exploits a vulnerability that could allow the macro to execute without first seeking permission from the user. A security patch for this vulnerability was provided in June 2001. For further details on the exploit, see Microsoft Security Bulletin MS01-034.
 
If the macro is run, W97M/Kukudro.C drops the embedded binary to C:\mWChEU.exe and executes it. This dropped file is detected as TrojanDownloader:Win32/Small!4978 by the Microsoft AV Engine.
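
As an added example (not part of the original entry and not Microsoft's code), the Python sketch below shows a first-pass check a mail gateway or analyst could run to flag a Word 97-2003 binary document that carries a VBA macro project before it reaches a host where Word may run macros without prompting. It assumes the usual compound-file layout in which Word keeps macros in a `Macros` storage with a `VBA` substorage; the function names are hypothetical and the sample file is constructed.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREE, END_OF_CHAIN, FAT_SECTOR = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

def list_ole_entries(data):
    """Return [(name, type)] for each directory entry (1=storage, 2=stream, 5=root)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size from the sector shift
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]   # sector 0 follows the header
    fat, entries, seen = [], [], set()
    for n in struct.unpack_from("<109I", data, 76):          # header DIFAT lists the FAT sectors
        if n != FREE:                                        # (extra DIFAT sectors not handled)
            fat += struct.unpack("<%dI" % (size // 4), sector(n))
    sec = struct.unpack_from("<I", data, 48)[0]              # first directory sector
    while sec < len(fat) and sec not in seen:                # follow the chain, refusing loops
        seen.add(sec)
        chunk = sector(sec)
        for off in range(0, len(chunk) - 127, 128):          # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", chunk, off + 64)
            if kind and 2 <= name_len <= 64:
                entries.append((chunk[off:off + name_len - 2].decode("utf-16-le", "replace"), kind))
        sec = fat[sec]
    return entries

def triage(data):
    """Flag a Word binary document whose directory holds a VBA project."""
    entries = list_ole_entries(data)
    storages = {name for name, kind in entries if kind == 1}
    return {"word_document": ("WordDocument", 2) in entries,
            "has_macros": {"Macros", "VBA"} <= storages}     # assumed Macros/VBA layout

def build_sample(entries):
    """Constructed input: header + one FAT sector + one directory sector (max 4 entries)."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHH", header, 24, 0x3E, 3, 0xFFFE, 9)   # versions, byte order, 512-byte sectors
    struct.pack_into("<I", header, 48, 1)                       # directory starts in sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREE] * 108))   # FAT is sector 0
    fat = struct.pack("<128I", FAT_SECTOR, END_OF_CHAIN, *([FREE] * 126))
    directory = b""
    for name, kind in entries:
        raw = (name + "\0").encode("utf-16-le")
        directory += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return bytes(header) + fat + directory.ljust(512, b"\0")

if __name__ == "__main__":  # constructed sample that carries a macro project
    print(triage(build_sample([("Root Entry", 5), ("WordDocument", 2), ("Macros", 1), ("VBA", 1)])))
```

A positive result only says that a macro project is present; it does not identify W97M/Kukudro.C, so flagged files still need an antivirus scan.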


Threat Overview

Class/type: Trojan - Dropper
Discovered: June 28, 2006
Circulating: No
Affected operating systems:
Affected software: Word 2000, Word 2002, Word 97
Infection rating: Low
Recovery difficulty: Moderate
Damage rating: Medium
Transmission rating: Low

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • CA: W97M/Kukudro.B:trojan
  • Kaspersky: Trojan-Dropper.MSWord.Lafool.j
  • McAfee: W97M/Kukudro.c
  • Panda: W97/Kukudro.C!CME-136
  • Sophos: WM97/Kukudr-Fam
  • Symantec: W97M.Kukudro.A

Learn more about the Microsoft Virus Information Alliance.

Related Security Bulletins

The following Microsoft Security bulletins are related to this issue:

  • MS01-034 - Malformed Word Document Could Enable Macro to Run Automatically

Technical Analysis

How to Prevent Infection

Take the following steps to help prevent infection on your system:

  • Get the latest computer updates.
  • Enable a firewall on your computer.
  • Use up-to-date antivirus software.
  • Use caution with unexpected attachments.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet. To turn on Automatic Updates in Windows XP:

  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates, and select Keep my computer up to date.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall. To turn on the Internet Connection Firewall in Windows XP:

  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Highlight a connection that you want to help protect, and click Change settings of this connection.
  4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
  5. Click OK.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

Use caution with unexpected attachments

Exercise caution with attachments received from unknown sources, or attachments received unexpectedly from known sources. Use extreme caution when accepting file transfers from both known and unknown sources.

How to Tell If Your Computer Is Infected

W97M/Kukudro.C drops TrojanDownloader:Win32/Small to the impacted system, which may in turn download and install additional malicious software. If you suspect you have been infected by either of these threats, scan your system with up-to-date antivirus software.

© 2009 Microsoft Corporation. All rights reserved.