W32/NSAnti.R is a worm that infects Windows systems.
Upon execution, it creates the following files:
The kavo0.dll file is injected into all running processes.
The worm then copies itself to the root of all drives from C through Z as ntdelect.com.
It also creates autorun.inf so that ntdelect.com is executed whenever the drive is accessed.
The worm modifies the registry at the following location to load itself during each startup:
It also modifies the registry at the following locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer\"NoDriveTypeAutoRun"
The worm also attempts to steal sensitive information for online games.
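A read-only triage check for the drive-root and registry artifacts listed above, as an added example that is not part of the original write-up. The function names are hypothetical, and the script only reports what it finds so an analyst can review the values; it changes nothing.

```powershell
# Added example: read-only triage for the artifacts named in this write-up.
$WormFile = 'ntdelect.com'   # file name given in the description

function Get-DriveRootFindings {
    foreach ($letter in [char[]](67..90)) {               # drives C through Z
        $root = "${letter}:\"
        if (-not [System.IO.Directory]::Exists($root)) { continue }
        # .NET file calls see hidden/system files regardless of Explorer settings
        $hasCopy = [System.IO.File]::Exists("$root$WormFile")
        $autorun = "${root}autorun.inf"
        $refs = $false
        if ([System.IO.File]::Exists($autorun)) {
            try {
                $text = [System.IO.File]::ReadAllText($autorun)
                $refs = $text.IndexOf($WormFile, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
            } catch {
                Write-Warning "Could not read $autorun; inspect it manually."
            }
        }
        if ($hasCopy -or $refs) {
            [pscustomobject]@{
                Drive                 = $root
                WormCopyPresent       = $hasCopy
                AutorunReferencesWorm = $refs
            }
        }
    }
}

function Get-ExplorerSettingValues {
    $adv = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $targets = @(
        @{ Key = "HKLM:\$adv\Folder\Hidden\SHOWALL"; Name = 'CheckedValue' },
        @{ Key = "HKCU:\$adv"; Name = 'Hidden' },
        @{ Key = "HKCU:\$adv"; Name = 'ShowSuperHidden' },
        # 'Pocilies' is spelled exactly as the write-up lists it
        @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Pocilies\Explorer'; Name = 'NoDriveTypeAutoRun' }
    )
    foreach ($t in $targets) {
        $item = Get-ItemProperty -LiteralPath $t.Key -Name $t.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key     = $t.Key
            Name    = $t.Name
            Present = [bool]$item
            Value   = if ($item) { $item.($t.Name) } else { $null }
        }
    }
}

Get-DriveRootFindings     | Format-Table -AutoSize
Get-ExplorerSettingValues | Format-Table -AutoSize
```

The HKEY_CURRENT_USER values are per user, so run the check in the session of each account under review.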
More information can be found at this Proland Software page.