Published Jun 30, 2006 | Updated Oct 07, 2007

Virus:W97M/Kukudro.A

Detected by Microsoft Defender Antivirus

Aliases: W97M/Kukudr (CA), Kukudro.A (F-Secure), Trojan-Dropper.MSWord.Lafool.i (Kaspersky), W97M/Kukudro.a!CME-745 (McAfee), W97M/Pricheck.A (Norman), W97/Kukudro.A!CME-745 (Panda), WM97/Kukudro-A (Sophos), W97M.Kukudro.A (Symantec), W97M_DLOADER.BKV (Trend Micro)

Summary

W97M/Kukudro.A arrives as a macro containing an embedded binary in a Microsoft Word document file. This document file is detected by the Microsoft AV Engine as W97M/Kukudro.A!CME-745. In Microsoft Word 2003, the macro will not run unless the user has explicitly allowed it or has lowered the default security settings to allow unsigned macros from non-trusted sources to run automatically. In Microsoft Word 97, Microsoft Word 2000, and Microsoft Word 2002, W97M/Kukudro.A exploits a vulnerability that could allow the macro to execute without first seeking permission from the user. A security patch for this vulnerability was provided in June 2001. For further details on the exploit, see Microsoft Security Bulletin MS01-034.
 
If the macro is run, W97M/Kukudro.A drops the embedded binary to C:\666ins_1.exe and executes it. This dropped file is detected as TrojanDownloader:Win32/Small!5C34 by the Microsoft AV Engine.