¿Necesita ayuda? Pregunte a la comunidad o contrate a un experto.
Ir a Avira Answers
Nombre:Worm/Kebede.G.1
Descubierto:02/08/2005
Tipo:Gusano
En circulación (ITW):No
Número de infecciones comunicadas:Bajo
Potencial de propagación:Medio-alto
Potencial dañino:Medio-alto
Fichero estático:
Tamaño:70.702 Bytes
Suma de control MD5:fa47e6d0af762aaada1c32bd27a8306e
Versión del VDF:6.31.01.46

 General Métodos de propagación:
   • Correo electrónico
   • Peer to Peer


Alias:
   •  Kaspersky: Email-Worm.Win32.Kebede.g
   •  TrendMicro: WORM_KEDEBE.E
   •  Sophos: W32/Kedebe-E
   •  Eset: Win32/VB.AJ
   •  Bitdefender: Win32.Kebede.H@mm


Plataformas / Sistemas operativos:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efectos secundarios:
   • Suelta un fichero dañino
   • Contiene su propio motor para generar mensajes de correo
   • Reduce las opciones de seguridad
   • Modificaciones en el registro


Inmediatamente después de su ejecución, muestra la siguiente información:


 Ficheros Se copia a sí mismo en la siguiente ubicación:
   • %SYSDIR%%ejecutable aleatorio del sistema operativo%



Renombra los siguientes ficheros:

    •  %WINDIR%\lsass.exe en %WINDIR%\lsasskeb.ede
    •  %WINDIR%\svchost.exe en %WINDIR%\svchostkeb.ede
    •  %WINDIR%\Services.exe en %WINDIR%\Serviceskeb.ede
    •  %SYSDIR%\Explorer.exe en %SYSDIR%\Explorerkeb.ede



Elimina los siguientes ficheros:
   • %PROGRAM FILES%\Norton AntiVirus\IWP\NPFMNTOR.EXE
   • %PROGRAM FILES%\Norton AntiVirus\IWP\IWP.DLL
   • %PROGRAM FILES%\Norton AntiVirus\IWP\SymFwAgt.DLL
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\MailFrontier\AddinMon.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\zlclient.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\email.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\firewall.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\alert.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\filter.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\programs.zap
   • %PROGRAM FILES%\Symantec\SYMEVENT.SYS
   • %PROGRAM FILES%\Norton AntiVirus\OPSCAN.EXE
   • %PROGRAM FILES%\microsoft antispyware\gcasservalert.exe
   • %PROGRAM FILES%\microsoft antispyware\giantantispywareupdater.exe
   • %PROGRAM FILES%\microsoft antispyware\gcasnotice.exe



Crea el siguiente fichero:

%SYSDIR%%serie de caracteres aleatorios de tres dígitos%log.exe Además, el fichero es ejecutado después de haber sido creado. Los análisis adicionales indicaron que este fichero es también viral. Detectado como: TR/Kebede.F

 Registro Añade la siguiente clave del registro para ejecutar el proceso al iniciar el sistema:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • "Anti-Virus Product Sync(%SYSDIR%\ %serie de caracteres aleatorios de tres dígitos%log.exe)"="%SYSDIR%\ %serie de caracteres aleatorios de tres dígitos%log.exe"



Añade las siguientes claves al registro:

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "Run"="%SYSDIR%\ %ejecutable aleatorio del sistema operativo%"

– HKLM\Software\Microsoft\MediaPlayer\Player
   • "Player Already Configured"="True"

 Correo electrónico Incluye un motor SMTP integrado para enviar mensajes. Establecerá una conexión con el servidor de destinación. Las características se describen a continuación:


De:
La dirección del remitente es falsa.
Direcciones generadas. Por favor no piense que ha sido la intención del remitente enviarle este mensaje de correo. Es posible que dicho remitente no esté al tanto de la infección o no esté infectado. Además, es posible que usted reciba mensajes devueltos, indicándole que está infectado. Esto también podría ser falso.


Para:
– Direcciones de correo encontradas en ficheros específicos del sistema.
– Direcciones de correo recolectadas de WAB (La libreta de direcciones de Windows - Windows Address Book)


Asunto:
Uno de los siguientes:
   • let's chat here...; I'm going to somewhere; Re: hi; **IMPORTANT** You
      Won Diversity Visa Lottery!; [Subject Hidden]; PaRtY tonight??!; ANTI;
      **URGENT** Microsoft Windows Automatic Update disabled.; Fw: Fw: Osama
      bin Laden has been arrested!; **WARNING** Your Internet Information;
      **WARNING** Your Internet account has been suspended.; Password; WE
      NEED TO TALK.; ANTS; **WARNING** A Worm on Michael Jackson's Death.;
      Fw: Fw: The SECRET behind John Paul's death; John Paul's death and the
      doctors...; **Breaking News** Author of MyDoom has been ARRESTED!; FOR
      GIRLS ONLY!!, Boys; Make sure u are alone; J Lo with no closes ON!!;
      Re: It seems a good day!!; FOR THE LAST TIME!!; Your chat room friend;
      RE: the document; **WARNING** Account Currently Disabled.; Welcome
      back!!; **ALERT**; Partnership; Your request; ALERT; [New message
      available]; Re: r u there; Microsoft Introducing Windows Long Horn



El cuerpo del mensaje:
El cuerpo del mensaje es uno de los siguientes:

   • Attached is a confidential information about the Webs you browsed. The list was logged since 2004.

   • Big day huh! What a great surprise! I've just read on Arab site that Osama bin Laden has been arested by the US soldiers. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!

   • Your IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account.

   • I'm back with the password. Hit me back

   • Call me when you finish reading the document

   • I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death.Please, try to forward this document to all your relatives and reveal the truth.

   • Hey we need to talk. Read the attachment and hit me back

   • This is for the last time. Answer me.

   • i have found a new chat rooms, see you there.

   • someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.

   • Microsoft is proud to announce the latest version of Windows-Long Horn. What make this version specialis that it is the only Microsoft's product with component's source code available to 3rd party. Full documentation is attached document. We have also included Windows Media Player 10's source code.
     Microsoft Corporation (c) 1993 - 2006

   • > Please send me that document, thanx
     I have attached it :)

   • hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup.

   • I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!

   • HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up.

   • A new Worm is spreading by using Michael Jackson's death. After the death of the famous pop star, Michael Jackson, during the acciedent yesterday, new computer Worms appeared to use the news as a subject, said Graham Cluley, senior technology consultant.
     To unregister, just go to http://www.bbc.co.uk/ at Sophos.This Worm has 10 different subjects which made it spread widely. All the characterstics of the e-mail are attached in text document.
     System and server administrators are advised to read/know the characterstics of the Worm, urges Sophos. Sophos would also like to express its grief about the pop star's death.
     
     ++Scanner: Sophos Anti-virus
     Sophos Internet Worm Protection Center.
     ++Attachment: No Virus Found(Clean text document)

   • Microsoft has just annouced the arrest of the author of the Internet Worm MyDoom. Microsoft says, Someone
     sent us an e-mail that has a document about the location where the author live. Even though the information true and led us to the arrest of the author, the sender didn't mention about himself so that we are unable to give him the $500,000 reward. And the author of MyDoom has be found to be a former Microsoft's employee fired becuase of his discipline. Now Microsoft and SCO are confused to whom to give the reward.
     Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.

   • [DOCUMENTS AVAILABLE]

   • Are you alone? The have fun ;)

   • This message was sent because of your registration at:http://www.bbc.co.uk/breakingnews_alert/mydoom/tmplt.cgi?t=re49358aa3aae77ab0dc382;act=SF;f=

   • [The mail client could not display the picture due to high resolution on the graphics.
     Contents has been attached as a hexadecimal text.]

   • you again!! c ya!

   • This message was sent automatically from the Microsoft Windows Update Web site.

   • You will not be able to log on to your account anymore. See the attac/

   • We were waiting for u! Group pic is available.

   • no hay sitio para ...!!

   • Subject: the document

   • [BODY REMOVED]

   • [ATTACHED]

   • You have won this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information.
     The Visa Lottery Commite.

   • \xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e

   • We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your
     system with this software and delete any file detected as virus. Then try to update Windows.


Archivo adjunto:
El nombre del fichero adjunto es uno de los siguientes:
   • Account.doc; attached_document.doc; Bin_Laden_Arrested.txt; body.txt;
      boys.txt; characters.txt; chat_server; chat_server.txt; contents.txt;
      ditail.txt; document.doc; files.txt; Hex_Pic.doc; Hex_Picture.txt;
      Important.doc; Info.txt; JohnPaul.txt; JohnPaul_Death.Doc;
      message.doc; messaggio.doc; microsoft.doc; Microsoft_form.doc;
      my_girl.jpg; my_pics.jpeg; my_pictur.jpeg; party_location.txt;
      password.doc; photo.jpg; Removal_tool; Sex stories.txt; True_Ezin.doc;
      where_the_party_is.doc; with_this_girl.jpg; worm_characters.txt;
      you_lied.txt; your_document.doc

El archivo adjunto es una copia del propio programa malicioso.



El mensaje de correo se ve así:


 Envio de mensajes Busca direcciones:
Busca direcciones de correo en los siguientes ficheros:
   • .htm; .wab; .txt; .eml; .dbx; .doc; .rtf; .jsm; .php; .htm; .htm;
      .nws; .msg; .stml; .inbox; .outbox; .oft; .xml


Creación de direcciones para el campo DE (remitente):
Para generar direcciones, emplea los siguientes textos:
   • administrator; Diversity Visa Lottery <information@diversityvisa.org>;
      information@diversityvisa.org; Mail Administraor       Delivery Subsystem       <windows@microsoft.com>; Microsoft Windows Update
      <update@microsoft.com>; Post Master       postoffice; update@microsoft.com; windows@microsoft.com;
      bugonyourwork@yahoo.com; stan; bill; bob; jack; fred; ted; kevin;
      david; george; sami; andrew; jose; maria; mary; ray; tom; peter; john;
      daniel; alex; michael; james; mike; robert; jane; joe; bini; dave;
      matt; steve; smith; debby; helen; jerry; jimmy; brenda; claudia;
      sandra; calvin; christoph; julie; linda; adam; brent; alice; anna

Combina este resultado con los dominios encontrados en los ficheros donde ha buscado direcciones anteriormente.


Evita las direcciones:
No envía mensajes de correo a las direcciones que incluyen las siguientes series de caracteres:
   • sophos; @syman; norton; example; rating; .gov; submit; kasper; antivi;
      abuse; domain.; spam; @mm; announce; @from; kernel.; sql.; zone;
      privacy; support; your; master@; you@; panda; mozilla; linux;
      detection; bitdefender; mcafee; @www; anyone; anywhere; somebody;
      someone; subscri; freeav; free-av; registe; report; name@; admin;
      spybot; nobody; help; secur; service; gmail.; sun.; info@; java.;
      smtp.; sales@; foo.; feedback; @nai; noreply; receiver@; messagelab;
      virus; winzip; msdn.; winrar; accoun; borlan; contact; soft.; comment;
      mailer-daemon; sender@; remail; user@; password; avp; me@; .mil;
      @trend


Prefijar los dominios de las direcciones de correo:
Para obtener la dirección IP del servidor de correo, añade los siguientes prefijos al nombre del dominio:
   • sparrow.; .net.et; telecom; mx.; mx1.; mail.; mx1.mail.; smtp.; ns.;
      relay.; gate.; inbound.; public.; relay1.; mail1.; smtp1.; mta.; mx2.;
      dns.; mx3.; a.mx.; dns1.; mx0.; ms.; mx4.; mx5.; mx6.; mx7.; mx8.;
      smtp2.; mail2.; mail3.; mail4.; mail5.; mail12.; mailserver.; b.mx.;
      e.mx.; gateway.; mx00.; mx01.; mx02.; mx03.; mx04.; mx05.; mx06.;
      mx07.; mx08.; www.; www.email.; ns1.; ns2.; ns3.; dns2.; mail-relay.;
      smtp-relay.; webmail.; ms1.; ms2.; ms3.; freemail.; inbound0.;
      inbound1.; udi; inbound2.; mx2.mail.; mx3.mail.; pop.

 P2P Para infectar otros sistemas de las redes Peer-to-Peer, realiza las siguientes operaciones:


   Busca directorios que contengan una de las siguientes subseries de caracteres:
   • shared
   • downloaded

   Al tener éxito, crea los siguientes ficheros:
   • spyware remover.com; school girls getting fucked.com; norton personal
      firewall 2005 patch.com; turbo c++.pif; zonealarm security suite 2005
      crack.com; windows xp pro bug fix 2.com; win server 2003 remote
      exploit.cmd; sasser removal tool.com; microsoft antispyware patch.com;
      dvd ripper keygen.com; naked girls screen saver.scr; porn download
      links.txt; sasser source code.txt; msn messenger 7.0 installer.com;
      sasser source code.sfx.com; winrar 4.2.com; internet explorer 7.0
      installer.com; flash mx 2005 serial.exe; upx exe packer 2.4.com;
      w32.kebede removal tool.com

   Estos ficheros son copias del programa malicioso.

 Informaciones diversas Objeto mutex:
Crea los siguientes objetos mutex:
   • -oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • Zone Alarm Mutex
   • AdmSkynetJKIS003
   • qwedefacedRDE
   • ____--->>>>U<<<<--_____
   • SwebSipcSmtxS0
   • NTShell Taskman Startup Mutex
   • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • 43jfds93872
   • H-E-L-L-T-O-B
   • SkynetSasserVersionWithPingFast
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • WWWdefacedWWW
   • LK[SkyNet.cz]SystemsMutex
   • SkyNet-Sasser
   • H-e-l-l-B-o-t-3-T-e-a-M!!!
   • H-e-l-l-B-o-t
   • H-e-l-l-B-o-t-3
   • NetDy_Mutex_Psycho
   • 89845848594808308439858307378280987074387498739847
   • AdmMoodownJKIS003
   • SkYnEt_AVP
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • ~~~Bloodred~~~owns~~~you~~~xoxo~~~2004
   • Protect_USUkUyUnUeUtU_Mutex
   • DrDetroit[Bloodred.B]
   • MI[SkyNet.cz]SystemsMutex
   • FAST[Kebede.E]FAST

 Datos del fichero Lenguaje de programación:
El programa de malware ha sido escrito en Visual Basic.


Programa de compresión de ejecutables:
Para agravar la detección y reducir el tamaño del fichero, emplea el siguiente programa de compresión de ejecutables:
   • UPX

Descripción insertada por Irina Boldea el lunes, 27 de marzo de 2006
Descripción actualizada por Andrei Ivanes el miércoles, 29 de marzo de 2006

Volver . . . .
https:// Esta ventana está cifrada para su seguridad.