
The Kenety worm is taking advantage of a software bug

Kenety spreads by attacking PCs through a vulnerability in the RealVNC remote-control software, a popular application.

After disabling the built-in Windows Firewall, the Kenety worm tries to infect further computers by exploiting a vulnerability in RealVNC. If that fails, it does not give up: it then tries to log in to RealVNC using a predefined list of passwords.

The main threat from the worm is that it opens a backdoor on infected computers through which attackers can:
- update the worm
- download and run files
- start an FTP server

When the Kenety worm starts, it performs the following actions:

1. Creates the following file:
%ProgramFiles%\Common Files\Systemdata\svchost.exe

2. Modifies the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"%ProgramFiles%\Common Files\Systemdata\svchost.exe" = "%ProgramFiles%\Common Files\Systemdata\svchost.exe:*:Enabled:synchronization"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
"%ProgramFiles%\Common Files\Systemdata\svchost.exe" = "%ProgramFiles%\Common Files\Systemdata\svchost.exe:*:Enabled:synchronization"

This disables the built-in Windows Firewall for the worm's executable by listing it as an authorized application.

3. Creates a service called Sync.

4. Creates the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Sysdate

5. Opens a backdoor on TCP port 8888 and then connects to remote servers.

6. Waits for commands from the attackers.

7. Attempts to spread by exploiting an authentication vulnerability in RealVNC. If this fails, it tries to connect to RealVNC instances using a predefined list of passwords.
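As an added host-triage example (not code from the original write-up), the following Python script checks the indicators listed in the steps above against a constructed registry export and a constructed `netstat -an` listing: a Windows Firewall exception for an `svchost.exe` outside System32 (generalizing the single path above to any such location), a service key named Sysdate or Sync or whose ImagePath points at the worm's file, and a TCP listener on port 8888. The sample registry text (with `%ProgramFiles%` expanded to `C:\Program Files`), the benign entries beside the worm's, and the netstat lines are all constructed for this example.

```python
"""Host-triage checks for the Kenety indicators described above.

Added example: parses a constructed .reg export and a constructed
`netstat -an` listing; it is not code from the original write-up.
"""
import re
from typing import Dict, List

# Indicators taken from the write-up (paths are compared case-insensitively).
WORM_IMAGE_FRAGMENT = r"\common files\systemdata\svchost.exe"
WORM_SERVICE_NAMES = {"sysdate", "sync"}
BACKDOOR_PORT = 8888

FIREWALL_LIST_RE = re.compile(
    r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
    r"\\AuthorizedApplications\\List$", re.IGNORECASE)
SERVICE_KEY_RE = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
# The genuine service host lives under System32 (or SysWOW64 on 64-bit Windows).
LEGIT_SVCHOST_RE = re.compile(r"\\(System32|SysWOW64)\\svchost\.exe$", re.IGNORECASE)
NETSTAT_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo the backslash and quote escaping used in .reg exports."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export (string values only) into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"="' in line:
            name, data = line.split('"="', 1)
            keys[current][_unescape(name[1:])] = _unescape(data[:-1])
    return keys


def check_registry(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag firewall exceptions for a misplaced svchost.exe and the worm's service keys."""
    findings: List[str] = []
    for key, values in keys.items():
        if FIREWALL_LIST_RE.search(key):
            for name in values:
                if name.lower().endswith("svchost.exe") and not LEGIT_SVCHOST_RE.search(name):
                    findings.append(f"firewall exception for svchost.exe outside System32: {name}")
        svc = SERVICE_KEY_RE.search(key)
        if svc:
            image = values.get("ImagePath", "")
            if svc.group(1).lower() in WORM_SERVICE_NAMES or WORM_IMAGE_FRAGMENT in image.lower():
                findings.append(f"suspicious service {svc.group(1)!r} with ImagePath {image!r}")
    return findings


def check_listeners(netstat_text: str) -> List[str]:
    """Flag a TCP listener on the backdoor port in `netstat -an` output."""
    findings: List[str] = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m and int(m.group(2)) == BACKDOOR_PORT:
            findings.append(f"listener on backdoor port {BACKDOOR_PORT}: {m.group(1)}")
    return findings


def triage(reg_text: str, netstat_text: str) -> List[str]:
    """Run all checks and return the combined list of findings."""
    return check_registry(parse_reg_export(reg_text)) + check_listeners(netstat_text)


# Constructed sample registry export: the worm's entries next to two benign ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Common Files\\Systemdata\\svchost.exe"="C:\\Program Files\\Common Files\\Systemdata\\svchost.exe:*:Enabled:synchronization"
"C:\\Program Files\\Example\\example.exe"="C:\\Program Files\\Example\\example.exe:*:Enabled:Example App"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sysdate]
"ImagePath"="C:\\Program Files\\Common Files\\Systemdata\\svchost.exe"
"DisplayName"="Sync"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
'''

# Constructed sample `netstat -an` output with the backdoor listener among normal ones.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49152       198.51.100.7:80        ESTABLISHED
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSTAT):
        print(finding)
```

On a live host the same functions can be fed the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` and `netstat -an`; the parser only handles plain string values, so REG_EXPAND_SZ entries exported as `hex(2):` data are skipped rather than decoded.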
