Virus: Worm/Kebede.K
Date discovered: 14/04/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 43,521 bytes
MD5 checksum: 6e4c8509f235b08df0977943cf627df1
VDF version: 6.34.00.185
General
Method of propagation:
• Email

Aliases:
• Kaspersky: Email-Worm.Win32.Kebede.k
• TrendMicro: WORM_KEBEDE.E
• Bitdefender: Win32.Kebede.K@mm

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads a file
• Uses its own email engine
• Lowers security settings
• Registry modification

Right after execution it runs a Windows application that displays a decoy window (screenshot not reproduced here).

Files
It copies itself to the following location:
• %SYSDIR%\updtscheduler.exe

It deletes the following files (Search Companion resource files):
• %WINDIR%\srchasst\mui\0409\lcladvdf.xml
• %WINDIR%\srchasst\mui\0409\balloon.xsl
• %WINDIR%\srchasst\mui\0409\bar.xsl

The following file is created:
– Non-malicious file:
• %malware execution directory%\%executed file%.txt

It tries to download a file:
– The location is the following:
• http://www.geocitites.com/kbdbugchk/dwnld/**********
It is saved on the local hard drive under:
• %TEMPDIR%\file.exe
Furthermore, this file is executed once it has been fully downloaded. At the time of writing it was an updated version of the malware itself, so the downloaded copy should be treated as a second sample, not as the one described here.
Registry
The following registry value is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
• Run = %SYSDIR%\updtscheduler.exe

One of the following values is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• *Software Update Scheduler = %SYSDIR%\updtscheduler.exe
• *Software Update Checker = %SYSDIR%\updtscheduler.exe
• *Software Update Monitor = %SYSDIR%\updtscheduler.exe
• *Software Update Initializer = %SYSDIR%\updtscheduler.exe
• *Windows Software Update Scheduler = %SYSDIR%\updtscheduler.exe
• *Windows Software Update Checker = %SYSDIR%\updtscheduler.exe
• *Windows Software Update Monitor = %SYSDIR%\updtscheduler.exe
• *Windows Software Update Initializer = %SYSDIR%\updtscheduler.exe
• Microsoft Windows Software Update Scheduler = %SYSDIR%\updtscheduler.exe
• Microsoft Windows Software Update Checker = %SYSDIR%\updtscheduler.exe
• Microsoft Windows Software Update Monitor = %SYSDIR%\updtscheduler.exe
• Microsoft Windows Software Update Initializer = %SYSDIR%\updtscheduler.exe

Email
It contains an integrated SMTP engine in order to send emails. A direct connection to the destination mail server is established, so the messages do not pass through the infected host's configured mail relay. The characteristics are described in the following:

From:
The sender address is spoofed. The sender of the email is one of the following:
• hostmaster@%recipient's domain%
• administrator@%recipient's domain%
• webmaster@%recipient's domain%
• postmaster@%recipient's domain%

To:
– Email addresses found in specific files on the system.
– Addresses gathered by contacting search engines.
– The following email address:
• kdgbugchk@yahoo.com

Subject:
One of the following:
• **MAIL ERROR**
• Delivery Status Notification(failure)
• Internal Mail Server Error
• Mail Error: Server unavailable

Body:
The body of the email is one of the following (strings reproduced verbatim, including the worm's own spelling):
• Unexpected error occured while delivering your message. See the transcript.
• Unhandled error occured.
See log file in the attachment.
• Unexpected end of header found. As a result, we are unable to decode the message. Partial decoded message available.
• Error: Server not responding. See the attached printable document.
• %receiver's email address% mail session 220334 http://www.%recipient's domain%/sessionid.cgi?okssid23234=r has expiered. Your status is attached.

Attachment:
The filenames of the attachments are constructed from one of the following stems:
• report.doc
• log.txt
• error.doc
• partial_body
• status.txt
• %username from receiver's email address%_details
Sometimes followed by:
• %empty spaces%
The file extension is one of the following:
• .scr
• .pif
• .cmd
• .com
• .bat
• .zip
The run of spaces pushes the real extension out of view in mail clients that truncate long attachment names, so a name such as "report.doc      .scr" is displayed as a harmless-looking "report.doc".

The email may look like one of the following (sample screenshots not reproduced here).

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
• htm; dbx; wab; txt; eml; doc; css; rtf; js; php; asp; cgi; xhtm; vcf; xml; nws; msg; stml; inbox; oftw; phtm; xsl; dhtm; shtm; pab

Search engine:
In order to gather more email addresses it contacts the following search engine:
• email.people.yahoo.com

Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• sopho; unix; @google; spm; @syman; norto; example; rating@; .gov; submit; kasper; abuse; domain.; spam; @mm; announce; @from; kernel.; sql.; zone; privacy; support; your; master@; you@; mozilla; linux; detect; bitdefender; mcafee; www; anyone; anywhere; somebody; someone; subscri; freeav; drweb; registe; report; name@; admin; spybot; nobody; help; secur; service; gmail.; sun.; info@; java.; smtp; sales@; foo.; feedback; @nai; noreply; receiver@; messagelab; virus; winzip; msdn.; winrar; accoun; borlan; contact; soft.; comment; pandasof; mailer-daem; sender@; remail; user@; password; @avp; me@; .mil; @trend; bugs; berkeley.; no-reply; spyware; resear; scan; news; wab; online; @ca.; update; esafe; commandc; cai.; ikaru; irisav; networkass; @drsolom; norman; @novast; rg-av.; thunderbyte.; mit.ed;
office@; upgrade; sarc.; aol.

Prepend MX strings:
In order to find the recipient's mail server it can prepend the following strings to the recipient's domain name and connect to the resulting host names:
• mx.
• mx1.
• mail.
• smtp.
• mx1.mail.
• ns.
• relay.
• gate.
• inbound.
• public.

Process termination
It prevents processes whose filename contains one of the following strings from running, which blocks the usual built-in tools for inspecting and killing it:
• taskmgr.exe
• regedit.exe
• tasklist.exe
• taskkill.exe
• tskill.exe

Miscellaneous
Mutex:
It creates the following mutex:
• [_-ANTI_-_ANTI_-_VIRUS-_]

String:
Furthermore it contains the following string:
• New author of Kebede!! I took over the whole thing. And we will see you Sober

File details
Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
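The two autostart locations from the Registry section, as an offline triage check. This is an added example for this page, not code from the original description or from Avira. It parses a .reg export (the format written by regedit's Export or by "reg export"), so it can be run against evidence collected from a suspect host; the export below is constructed, with %SYSDIR% already expanded to C:\WINDOWS\system32. The check matches on the dropped file name rather than on the value name, so it catches all twelve listed name variants and any other name that points at the same binary.

```python
"""Offline check for the Kebede.K autostart values in a .reg export.

Added example; not part of the original description. The export below is
constructed, and %SYSDIR% is assumed to appear expanded in the export.
"""
import re

# HKCU\...\Windows NT\CurrentVersion\Windows holds the registry form of the
# old win.ini "run=" line; autorun reviews that only look at Run keys miss it.
RUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
DROPPED_BINARY = "updtscheduler.exe"

# The twelve value names the description lists for the HKLM Run key.
NAME_VARIANTS = {
    prefix + suffix
    for prefix in ("*Software Update ", "*Windows Software Update ",
                   "Microsoft Windows Software Update ")
    for suffix in ("Scheduler", "Checker", "Monitor", "Initializer")
}

SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape(value):
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key, value name, string data) for every REG_SZ value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if value and key is not None:
            yield key, value.group("name"), unescape(value.group("data"))


def find_persistence(export_text):
    """Return the autostart values in the two listed keys that launch the dropped copy."""
    hits = []
    for key, name, data in parse_reg_export(export_text):
        target = data.strip('"').lower()
        if key in RUN_KEYS and target.endswith("\\" + DROPPED_BINARY):
            hits.append({
                "key": key,
                "name": name,
                "data": data,
                # True when the name is one the description lists (HKCU "Run"
                # or one of the twelve HKLM variants); a hit with False here
                # is the same binary under a name not yet documented.
                "name_on_list": name == "Run" or name in NAME_VARIANTS,
            })
    return hits


# Constructed export: one worm entry per key plus two unrelated values that
# the filter must ignore.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"Run"="C:\\WINDOWS\\system32\\updtscheduler.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinterAgent"="\"C:\\Program Files\\Vendor\\agent.exe\" /silent"
"*Software Update Monitor"="C:\\WINDOWS\\system32\\updtscheduler.exe"
"""

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EXPORT):
        print(f'{hit["key"]}\n    {hit["name"]} = {hit["data"]} '
              f'(listed name: {hit["name_on_list"]})')
```

Run it against a real export with `find_persistence(open("suspect.reg", encoding="utf-16").read())`; regedit writes exports as UTF-16, "reg export" likewise unless told otherwise.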
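The mail characteristics from the Email section, turned into gateway detection logic. This is an added example, not code from the original description or from Avira, and the three messages it scans are constructed here. The rule combines only traits the page lists: a role account (hostmaster, administrator, webmaster or postmaster) at the recipient's own domain in From, one of the four subjects, and an attachment built from a listed stem (or the recipient's user name followed by _details), optional trailing spaces and one of the six extensions. A message is flagged only when the attachment pattern is present together with at least one of the other two traits, so a genuine bounce from the local postmaster with a plain .txt report passes.

```python
"""Gateway heuristic for the forged bounce messages sent by Worm/Kebede.K.

Added example; not part of the original description. Sample messages are
constructed below, with a placeholder attachment body instead of malware.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

ROLE_ACCOUNTS = {"hostmaster", "administrator", "webmaster", "postmaster"}
SUBJECTS = {
    "**MAIL ERROR**",
    "Delivery Status Notification(failure)",
    "Internal Mail Server Error",
    "Mail Error: Server unavailable",
}
STEMS = {"report.doc", "log.txt", "error.doc", "partial_body", "status.txt"}
EXTENSIONS = {".scr", ".pif", ".cmd", ".com", ".bat", ".zip"}


def split_address(header):
    """Return (local part, domain) in lower case, or (None, None)."""
    m = re.search(r"([^<\s@]+)@([^>\s]+)", header or "")
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).lower().rstrip(".")


def attachment_matches(filename, recipient_local):
    """True if the name is <stem>[spaces]<ext> the way the worm builds it."""
    base, ext = os.path.splitext(filename.lower())
    base = base.rstrip(" ")          # "report.doc      .scr" -> "report.doc"
    wanted = (STEMS | {f"{recipient_local}_details"}) if recipient_local else STEMS
    return ext in EXTENSIONS and base in wanted


def classify_message(raw):
    """Return a verdict plus the reasons that contributed to it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_local, from_domain = split_address(msg.get("From"))
    to_local, to_domain = split_address(msg.get("To"))
    reasons = []
    if from_local in ROLE_ACCOUNTS and from_domain and from_domain == to_domain:
        reasons.append("role account at the recipient's own domain in From")
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        reasons.append("subject from the Kebede.K list")
    bad_attachment = False
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name and attachment_matches(name, to_local):
            bad_attachment = True
            reasons.append(f"attachment {name!r} matches stem/extension pattern")
    flagged = bad_attachment and len(reasons) >= 2
    return {"verdict": "kebede_k_candidate" if flagged else "clean",
            "reasons": reasons}


def build_sample(sender, recipient, subject, body, attachment_name):
    """Constructed test message; the attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


SAMPLES = {
    # Worm-style message; body text spelled as the worm sends it.
    "worm_report_scr": build_sample(
        "postmaster@example.org", "alice@example.org",
        "Internal Mail Server Error",
        "Unexpected error occured while delivering your message. See the transcript.",
        "report.doc      .scr"),
    # The <user>_details variant with a .pif extension.
    "worm_details_pif": build_sample(
        "administrator@example.org", "alice@example.org",
        "**MAIL ERROR**", "Unhandled error occured. See log file in the attachment.",
        "alice_details.pif"),
    # Plausible real bounce: same sender and subject shape, harmless .txt report.
    "real_dsn_txt": build_sample(
        "postmaster@example.org", "alice@example.org",
        "Delivery Status Notification(failure)",
        "The following address failed: bob@example.net",
        "status.txt"),
}


def scan_samples():
    """Verdict per constructed sample."""
    return {name: classify_message(raw)["verdict"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_message(raw))
```

Because the worm delivers straight to the recipient's mail server from the infected host, these messages also arrive from an address that is not the recipient domain's own outbound server; where the domain publishes a sender policy, that check alone rejects them, and the content rule above is the fallback where none is published.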
Description inserted by Andrei Gherman on Monday, April 17, 2006
Description updated by Andrei Gherman on Tuesday, April 18, 2006