- Programmed in Delphi, it affects Windows XP/2000 Pro/NT/Me/98/95 and spreads through the popular KaZaA application and through IRC
- It creates copies of itself in files, some of which suggest they contain erotic photos of famous people like Catherine Zeta Jones, Pamela Anderson, or Sandra Bullock
Panda Software, leading antivirus developer, has reported the appearance of Kazoa.C, alias Gool, a new worm/Trojan programmed in Delphi, which spreads through the popular file sharing application KaZaA and through the chat program IRC. It affects Windows XP/2000 Pro/NT/Me/98/95 and when installed on the affected computer, it changes entries in the Windows Registry in order to ensure that it is run every time Windows is started up. It also opens a port (usually 31337) and sends out the IP address of the affected computer via the Internet, leaving the computer vulnerable to remote attacks. An attacker would be able to carry out the following actions on the affected computer:
- Send messages
- Hide the Taskbar that appears on the desktop
- Delete the CMOS
- Provoke an error in the computer
- Use up memory
- Handle and send files
- Capture screens and keystrokes
- Obtain data on the operating system and characteristics of the machine.
Kazoa.C, alias Gool, modifies the default shared file folder in the application KaZaA and creates a large number of files, which contain the worm's code, with names like Catherine Zeta Jones, Pamela Anderson, Sandra Bullock, Shakira or Pokemon. This worm tries to trick users into running these files by suggesting that they contain erotic photos, cracks for hacking operating systems, etc. These files always have a double extension, but the real extension is .exe. If a computer is not configured to show all file extensions, these files will be displayed as inoffensive .jpg or .txt files.
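The double-extension trick described above can be checked for mechanically. The following is an added example, not part of Panda Software's advisory: it walks a shared folder and reports files whose real extension is executable while the visible one looks harmless. The extension lists, function names and sample file names are assumptions made for this illustration.

```python
import os
import tempfile

# Extensions Windows runs on double-click (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Extensions a user would take for harmless content (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".doc", ".mp3", ".avi"}


def displayed_name(filename):
    """Name shown to the user when known file extensions are hidden."""
    return os.path.splitext(filename)[0]


def is_double_extension(filename):
    """True if the real extension is executable and the visible one is a decoy."""
    stem, real_ext = os.path.splitext(filename.strip())
    # rstrip() also catches padding such as "photo.jpg      .exe"
    decoy_ext = os.path.splitext(stem.rstrip())[1]
    return real_ext.lower() in EXECUTABLE_EXTS and decoy_ext.lower() in DECOY_EXTS


def scan_shared_folder(root):
    """Return (full path, displayed name) for every suspect file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if is_double_extension(name):
                hits.append((os.path.join(dirpath, name), displayed_name(name)))
    return hits


def demo():
    """Scan a constructed sample folder; file names are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        for name in ["Pamela Anderson.jpg.exe", "readme.txt.EXE",
                     "holiday.jpg", "setup.exe", "notes.v2.txt"]:
            open(os.path.join(root, name), "w").close()
        return [shown for _path, shown in scan_shared_folder(root)]


if __name__ == "__main__":
    for shown in demo():
        print("suspect file, shown to the user as:", shown)
```

On a real system, `scan_shared_folder` would be pointed at the KaZaA shared folder instead of the temporary directory used in `demo`.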
When the executable file is run (by double-clicking on the icon), Kazoa.C displays a screen
If this malicious code detects that processes belonging to certain antivirus, security and system programs are active, it ends them.
Is my computer infected by Kazoa.C?
In order to find out if your computer is infected, check if the following files are in the Windows system directory:
- EXPLORER.EXE
- Explorer.VBS
- RealWayToHack.exe
You also need to check if the following entries have been inserted in the Windows Registry:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run = Registry "%sysdir%\EXPLORER.EXE"
- HKCU\Software\Microsoft\Internet Explorer\Main "RegisteredOrganization" =
How to protect your computer from Kazoa.C
The best way to protect your computer against viruses, worms and Trojans is to install a good antivirus, keep it updated and enable the permanent protection.
If you have a firewall installed, block the port used by W32/Kazoa.C.
How to remove this worm/Trojan from affected computers
If your computer is infected follow the steps below:
- Update your antivirus. If you are a Panda Software client, you can do this from the following address: http://www.pandasoftware.com/downloads
- Delete the entries the worm has inserted in the Windows Registry.
- Restart the computer and carry out a full scan.
Panda Software antivirus solutions detect and eliminate Kazoa.C. Similarly, the free, online antivirus Panda ActiveScan, which is available on the company's website (www.pandasoftware.com







