¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Nombre:Worm/Kebede.G.1
Descubierto:02/08/2005
Tipo:Gusano
En circulacin (ITW):No
Nmero de infecciones comunicadas:Bajo
Potencial de propagacin:Medio-alto
Potencial daino:Medio-alto
Fichero esttico:S
Tamao:70.702 Bytes
Suma de control MD5:fa47e6d0af762aaada1c32bd27a8306e
Versin del VDF:6.31.01.46

 General Mtodos de propagacin:
   • Correo electrnico
   • Peer to Peer


Alias:
   •  Kaspersky: Email-Worm.Win32.Kebede.g
   •  TrendMicro: WORM_KEDEBE.E
   •  Sophos: W32/Kedebe-E
   •  Eset: Win32/VB.AJ
   •  Bitdefender: Win32.Kebede.H@mm


Plataformas / Sistemas operativos:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efectos secundarios:
   • Suelta un fichero daino
   • Contiene su propio motor para generar mensajes de correo
   • Reduce las opciones de seguridad
   • Modificaciones en el registro


Inmediatamente despus de su ejecucin, muestra la siguiente informacin:


 Ficheros Se copia a s mismo en la siguiente ubicacin:
   • %SYSDIR%\%ejecutable aleatorio del sistema operativo%



Renombra los siguientes ficheros:

      %WINDIR%\lsass.exe en %WINDIR%\lsasskeb.ede
      %WINDIR%\svchost.exe en %WINDIR%\svchostkeb.ede
      %WINDIR%\Services.exe en %WINDIR%\Serviceskeb.ede
      %SYSDIR%\Explorer.exe en %SYSDIR%\Explorerkeb.ede



Elimina los siguientes ficheros:
   • %PROGRAM FILES%\Norton AntiVirus\IWP\NPFMNTOR.EXE
   • %PROGRAM FILES%\Norton AntiVirus\IWP\IWP.DLL
   • %PROGRAM FILES%\Norton AntiVirus\IWP\SymFwAgt.DLL
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\MailFrontier\AddinMon.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\zlclient.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\email.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\firewall.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\alert.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\filter.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\programs.zap
   • %PROGRAM FILES%\Symantec\SYMEVENT.SYS
   • %PROGRAM FILES%\Norton AntiVirus\OPSCAN.EXE
   • %PROGRAM FILES%\microsoft antispyware\gcasservalert.exe
   • %PROGRAM FILES%\microsoft antispyware\giantantispywareupdater.exe
   • %PROGRAM FILES%\microsoft antispyware\gcasnotice.exe



Crea el siguiente fichero:

%SYSDIR%\%serie de caracteres aleatorios de tres dgitos%log.exe Adems, el fichero es ejecutado despus de haber sido creado. Los anlisis adicionales indicaron que este fichero es tambin viral. Detectado como: TR/Kebede.F

 Registro Aade la siguiente clave del registro para ejecutar el proceso al iniciar el sistema:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • "Anti-Virus Product Sync(%SYSDIR%\ %serie de caracteres aleatorios de tres dgitos%log.exe)"="%SYSDIR%\ %serie de caracteres aleatorios de tres dgitos%log.exe"



Aade las siguientes claves al registro:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "Run"="%SYSDIR%\ %ejecutable aleatorio del sistema operativo%"

HKLM\Software\Microsoft\MediaPlayer\Player
   • "Player Already Configured"="True"

 Correo electrnico Incluye un motor SMTP integrado para enviar mensajes. Establecer una conexin con el servidor de destinacin. Las caractersticas se describen a continuacin:


De:
La direccin del remitente es falsa.
Direcciones generadas. Por favor no piense que ha sido la intencin del remitente enviarle este mensaje de correo. Es posible que dicho remitente no est al tanto de la infeccin o no est infectado. Adems, es posible que usted reciba mensajes devueltos, indicndole que est infectado. Esto tambin podra ser falso.


Para:
– Direcciones de correo encontradas en ficheros especficos del sistema.
 Direcciones de correo recolectadas de WAB (La libreta de direcciones de Windows - Windows Address Book)


Asunto:
Uno de los siguientes:
   • let's chat here...; I'm going to somewhere; Re: hi; **IMPORTANT** You
      Won Diversity Visa Lottery!; [Subject Hidden]; PaRtY tonight??!; ANTI;
      **URGENT** Microsoft Windows Automatic Update disabled.; Fw: Fw: Osama
      bin Laden has been arrested!; **WARNING** Your Internet Information;
      **WARNING** Your Internet account has been suspended.; Password; WE
      NEED TO TALK.; ANTS; **WARNING** A Worm on Michael Jackson's Death.;
      Fw: Fw: The SECRET behind John Paul's death; John Paul's death and the
      doctors...; **Breaking News** Author of MyDoom has been ARRESTED!; FOR
      GIRLS ONLY!!, Boys; Make sure u are alone; J Lo with no closes ON!!;
      Re: It seems a good day!!; FOR THE LAST TIME!!; Your chat room friend;
      RE: the document; **WARNING** Account Currently Disabled.; Welcome
      back!!; **ALERT**; Partnership; Your request; ALERT; [New message
      available]; Re: r u there; Microsoft Introducing Windows Long Horn



El cuerpo del mensaje:
El cuerpo del mensaje es uno de los siguientes:

   • Attached is a confidential information about the Webs you browsed. The list was logged since 2004.

   • Big day huh! What a great surprise! I've just read on Arab site that Osama bin Laden has been arested by the US soldiers. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!

   • Your IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account.

   • I'm back with the password. Hit me back

   • Call me when you finish reading the document

   • I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death.Please, try to forward this document to all your relatives and reveal the truth.

   • Hey we need to talk. Read the attachment and hit me back

   • This is for the last time. Answer me.

   • i have found a new chat rooms, see you there.

   • someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.

   • Microsoft is proud to announce the latest version of Windows-Long Horn. What make this version specialis that it is the only Microsoft's product with component's source code available to 3rd party. Full documentation is attached document. We have also included Windows Media Player 10's source code.
     Microsoft Corporation (c) 1993 - 2006

   • > Please send me that document, thanx
     I have attached it :)

   • hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup.

   • I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!

   • HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up.

   • A new Worm is spreading by using Michael Jackson's death. After the death of the famous pop star, Michael Jackson, during the acciedent yesterday, new computer Worms appeared to use the news as a subject, said Graham Cluley, senior technology consultant.
     To unregister, just go to http://www.bbc.co.uk/ at Sophos.This Worm has 10 different subjects which made it spread widely. All the characterstics of the e-mail are attached in text document.
     System and server administrators are advised to read/know the characterstics of the Worm, urges Sophos. Sophos would also like to express its grief about the pop star's death.
     
     ++Scanner: Sophos Anti-virus
     Sophos Internet Worm Protection Center.
     ++Attachment: No Virus Found(Clean text document)

   • Microsoft has just annouced the arrest of the author of the Internet Worm MyDoom. Microsoft says, Someone
     sent us an e-mail that has a document about the location where the author live. Even though the information true and led us to the arrest of the author, the sender didn't mention about himself so that we are unable to give him the $500,000 reward. And the author of MyDoom has be found to be a former Microsoft's employee fired becuase of his discipline. Now Microsoft and SCO are confused to whom to give the reward.
     Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.

   • [DOCUMENTS AVAILABLE]

   • Are you alone? The have fun ;)

   • This message was sent because of your registration at:http://www.bbc.co.uk/breakingnews_alert/mydoom/tmplt.cgi?t=re49358aa3aae77ab0dc382;act=SF;f=

   • [The mail client could not display the picture due to high resolution on the graphics.
     Contents has been attached as a hexadecimal text.]

   • you again!! c ya!

   • This message was sent automatically from the Microsoft Windows Update Web site.

   • You will not be able to log on to your account anymore. See the attac/

   • We were waiting for u! Group pic is available.

   • no hay sitio para ...!!

   • Subject: the document

   • [BODY REMOVED]

   • [ATTACHED]

   • You have won this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information.
     The Visa Lottery Commite.

   • \xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e

   • We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your
     system with this software and delete any file detected as virus. Then try to update Windows.


Archivo adjunto:
El nombre del fichero adjunto es uno de los siguientes:
   • Account.doc; attached_document.doc; Bin_Laden_Arrested.txt; body.txt;
      boys.txt; characters.txt; chat_server; chat_server.txt; contents.txt;
      ditail.txt; document.doc; files.txt; Hex_Pic.doc; Hex_Picture.txt;
      Important.doc; Info.txt; JohnPaul.txt; JohnPaul_Death.Doc;
      message.doc; messaggio.doc; microsoft.doc; Microsoft_form.doc;
      my_girl.jpg; my_pics.jpeg; my_pictur.jpeg; party_location.txt;
      password.doc; photo.jpg; Removal_tool; Sex stories.txt; True_Ezin.doc;
      where_the_party_is.doc; with_this_girl.jpg; worm_characters.txt;
      you_lied.txt; your_document.doc

El archivo adjunto es una copia del propio programa malicioso.



El mensaje de correo se ve as:


 Envio de mensajes Busca direcciones:
Busca direcciones de correo en los siguientes ficheros:
   • .htm; .wab; .txt; .eml; .dbx; .doc; .rtf; .jsm; .php; .htm; .htm;
      .nws; .msg; .stml; .inbox; .outbox; .oft; .xml


Creacin de direcciones para el campo DE (remitente):
Para generar direcciones, emplea los siguientes textos:
   • administrator; Diversity Visa Lottery ;
      information@diversityvisa.org; Mail Administraor       Delivery Subsystem       ; Microsoft Windows Update
      ; Post Master       postoffice; update@microsoft.com; windows@microsoft.com;
      bugonyourwork@yahoo.com; stan; bill; bob; jack; fred; ted; kevin;
      david; george; sami; andrew; jose; maria; mary; ray; tom; peter; john;
      daniel; alex; michael; james; mike; robert; jane; joe; bini; dave;
      matt; steve; smith; debby; helen; jerry; jimmy; brenda; claudia;
      sandra; calvin; christoph; julie; linda; adam; brent; alice; anna

Combina este resultado con los dominios encontrados en los ficheros donde ha buscado direcciones anteriormente.


Evita las direcciones:
No enva mensajes de correo a las direcciones que incluyen las siguientes series de caracteres:
   • sophos; @syman; norton; example; rating; .gov; submit; kasper; antivi;
      abuse; domain.; spam; @mm; announce; @from; kernel.; sql.; zone;
      privacy; support; your; master@; you@; panda; mozilla; linux;
      detection; bitdefender; mcafee; @www; anyone; anywhere; somebody;
      someone; subscri; freeav; free-av; registe; report; name@; admin;
      spybot; nobody; help; secur; service; gmail.; sun.; info@; java.;
      smtp.; sales@; foo.; feedback; @nai; noreply; receiver@; messagelab;
      virus; winzip; msdn.; winrar; accoun; borlan; contact; soft.; comment;
      mailer-daemon; sender@; remail; user@; password; avp; me@; .mil;
      @trend


Prefijar los dominios de las direcciones de correo:
Para obtener la direccin IP del servidor de correo, aade los siguientes prefijos al nombre del dominio:
   • sparrow.; .net.et; telecom; mx.; mx1.; mail.; mx1.mail.; smtp.; ns.;
      relay.; gate.; inbound.; public.; relay1.; mail1.; smtp1.; mta.; mx2.;
      dns.; mx3.; a.mx.; dns1.; mx0.; ms.; mx4.; mx5.; mx6.; mx7.; mx8.;
      smtp2.; mail2.; mail3.; mail4.; mail5.; mail12.; mailserver.; b.mx.;
      e.mx.; gateway.; mx00.; mx01.; mx02.; mx03.; mx04.; mx05.; mx06.;
      mx07.; mx08.; www.; www.email.; ns1.; ns2.; ns3.; dns2.; mail-relay.;
      smtp-relay.; webmail.; ms1.; ms2.; ms3.; freemail.; inbound0.;
      inbound1.; udi; inbound2.; mx2.mail.; mx3.mail.; pop.

 P2P Para infectar otros sistemas de las redes Peer-to-Peer, realiza las siguientes operaciones:


   Busca directorios que contengan una de las siguientes subseries de caracteres:
   • shared
   • downloaded

   Al tener xito, crea los siguientes ficheros:
   • spyware remover.com; school girls getting fucked.com; norton personal
      firewall 2005 patch.com; turbo c++.pif; zonealarm security suite 2005
      crack.com; windows xp pro bug fix 2.com; win server 2003 remote
      exploit.cmd; sasser removal tool.com; microsoft antispyware patch.com;
      dvd ripper keygen.com; naked girls screen saver.scr; porn download
      links.txt; sasser source code.txt; msn messenger 7.0 installer.com;
      sasser source code.sfx.com; winrar 4.2.com; internet explorer 7.0
      installer.com; flash mx 2005 serial.exe; upx exe packer 2.4.com;
      w32.kebede removal tool.com

   Estos ficheros son copias del programa malicioso.

 Informaciones diversas Objeto mutex:
Crea los siguientes objetos mutex:
   • -oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • Zone Alarm Mutex
   • AdmSkynetJKIS003
   • qwedefacedRDE
   • ____--->>>>U<<<<--_____
   • SwebSipcSmtxS0
   • NTShell Taskman Startup Mutex
   • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • 43jfds93872
   • H-E-L-L-T-O-B
   • SkynetSasserVersionWithPingFast
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • WWWdefacedWWW
   • LK[SkyNet.cz]SystemsMutex
   • SkyNet-Sasser
   • H-e-l-l-B-o-t-3-T-e-a-M!!!
   • H-e-l-l-B-o-t
   • H-e-l-l-B-o-t-3
   • NetDy_Mutex_Psycho
   • 89845848594808308439858307378280987074387498739847
   • AdmMoodownJKIS003
   • SkYnEt_AVP
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • ~~~Bloodred~~~owns~~~you~~~xoxo~~~2004
   • Protect_USUkUyUnUeUtU_Mutex
   • DrDetroit[Bloodred.B]
   • MI[SkyNet.cz]SystemsMutex
   • FAST[Kebede.E]FAST

 Datos del fichero Lenguaje de programacin:
El programa de malware ha sido escrito en Visual Basic.


Programa de compresin de ejecutables:
Para agravar la deteccin y reducir el tamao del fichero, emplea el siguiente programa de compresin de ejecutables:
   • UPX

Descripción insertada por Irina Boldea el lunes 27 de marzo de 2006
Descripción actualizada por Andrei Ivanes el miércoles 29 de marzo de 2006

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.