Aliases: Win32.Killis.a, W32/Killis, PE_ALLIS.A, Win32.Killis
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 01 Oct 2004
Damage: N/A

Characteristics: W32.Killis is a polymorphic direct infector virus that infects Windows executable files. It infects existing files and corrupts them. When the virus is executed, it looks for files with the extensions "*.ex" or ".sc*" under the Current Directory, the Windows Directory (C:\Windows), and the System Directory (C:\Windows\System32).

More details about W32.Killis

W32.Killis, a polymorphic direct infector virus, infects existing files and then corrupts them. When the virus is run, it searches for files with the extensions "*.ex" or ".sc*" in three locations: the Current Directory, the Windows Directory (C:\Windows), and the System Directory (C:\Windows\System32). When it finds such a file, it appends a copy of itself to the end of the file and overwrites the original file's entry point so that execution jumps to the virus body. This modification of the host file means infected files no longer run as usual. In addition, a bug in the injected virus code makes these files terminate abnormally when executed. Symptoms of infection therefore include the abnormal termination of files in the Windows Directory (typically C:\Windows) and the System Directory (C:\Windows\System32).
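The appended body and redirected entry point described above leave a trace in the PE headers that a defender can check for. The following is an added example, not taken from the original write-up and not a signature for W32.Killis: a generic heuristic that flags an entry point lying in the last section on disk. The function names and the header-only sample images are constructed for illustration.

```python
import struct

SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (entry point RVA, list of section dicts); ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    try:
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]
        sections = []
        for i in range(nsect):
            name, vsize, va, rsize, rptr, flags = struct.unpack_from(
                "<8sIIII12xI", data, pe + 24 + opt_size + 40 * i)
            sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                             "size": max(vsize, rsize), "raw_ptr": rptr, "flags": flags})
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return entry, sections

def appender_indicators(data):
    """Heuristic findings typical of appending infectors (not proof of infection)."""
    entry, sections = parse_pe(data)
    if len(sections) < 2:
        return []
    last = max(sections, key=lambda s: s["raw_ptr"])       # section stored last on disk
    findings = []
    if last["va"] <= entry < last["va"] + last["size"]:
        findings.append("entry point inside last section " + last["name"])
        if last["flags"] & SCN_MEM_EXECUTE and last["flags"] & SCN_MEM_WRITE:
            findings.append("last section is writable and executable")
    return findings

def build_sample(entry_rva, last_flags):
    """Constructed header-only PE32 image with .text and .rsrc, for demonstration."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<4sHH12xHH", b"PE\0\0", 0x14C, 2, 0xE0, 0x102)
    opt = struct.pack("<H14xI", 0x10B, entry_rva).ljust(0xE0, b"\0")
    def sec(name, va, ptr, flags):
        return struct.pack("<8sIIII12xI", name, 0x200, va, 0x200, ptr, flags)
    return (dos + coff + opt + sec(b".text", 0x1000, 0x200, 0x60000020)
            + sec(b".rsrc", 0x2000, 0x400, last_flags))

if __name__ == "__main__":
    print(appender_indicators(build_sample(0x2010, 0xE0000040)))  # redirected entry
```

Packed or protected legitimate executables can trip the same checks, so a finding is a reason to compare the file against a known-good copy or hash rather than a verdict.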

Once the W32.Killis program has gained access to a computer, it replicates itself as an executable file and installs itself invisibly in the system directory. This worm variant creates various entries and subkeys in the computer's registry so that it runs each time the victim's computer boots up. Aside from replicating itself, the W32.Killis program also performs other activities, including installing rootkits to hide some files and running processes from the user. Some of these files include a peer-to-peer client. This e-mail-borne worm is also capable of forcing an infected computer to take part in criminal activities as a member of a botnet, which can then halt the Internet or network connection of certain machines by swarming them with too many data requests.