VírusWorm/Kebede.G.1
Data em que surgiu:02/08/2005
Tipo:Worm
Incluído na lista "In The Wild"Não
Nível de danos:Baixo
Nível de distribuição:De médio a elevado
Nível de risco:De médio a elevado
Ficheiro estático:Sim
Tamanho:70.702 Bytes
MD5 checksum:fa47e6d0af762aaada1c32bd27a8306e
Versão VDF:6.31.01.46

 Vulgarmente Meios de transmissão:
   • E-mail
   • Peer to Peer


Alias:
   •  Kaspersky: Email-Worm.Win32.Kebede.g
   •  TrendMicro: WORM_KEDEBE.E
   •  Sophos: W32/Kedebe-E
   •  Eset: Win32/VB.AJ
   •  Bitdefender: Win32.Kebede.H@mm


Sistemas Operativos:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Efeitos secundários:
   • Descarrega um ficheiro malicioso
   • Utiliza o seu próprio motor de E-mail
   • Baixa as definições de segurança
   • Altera o registo do Windows


Depois de executado é visualizada a seguinte informação:


 Ficheiros Autocopia-se para a seguinte localização:
   • %SYSDIR%%aplicação Windows aleatória%



Muda o nome dos seguintes ficheiros:

    •  %WINDIR%\lsass.exe Para: %WINDIR%\lsasskeb.ede
    •  %WINDIR%\svchost.exe Para: %WINDIR%\svchostkeb.ede
    •  %WINDIR%\Services.exe Para: %WINDIR%\Serviceskeb.ede
    •  %SYSDIR%\Explorer.exe Para: %SYSDIR%\Explorerkeb.ede



Elimina os seguintes ficheiros:
   • %PROGRAM FILES%\Norton AntiVirus\IWP\NPFMNTOR.EXE
   • %PROGRAM FILES%\Norton AntiVirus\IWP\IWP.DLL
   • %PROGRAM FILES%\Norton AntiVirus\IWP\SymFwAgt.DLL
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\MailFrontier\AddinMon.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\zlclient.exe
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\email.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\firewall.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\alert.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\filter.zap
   • %PROGRAM FILES%\Zone Labs\ZoneAlarm\programs.zap
   • %PROGRAM FILES%\Symantec\SYMEVENT.SYS
   • %PROGRAM FILES%\Norton AntiVirus\OPSCAN.EXE
   • %PROGRAM FILES%\microsoft antispyware\gcasservalert.exe
   • %PROGRAM FILES%\microsoft antispyware\giantantispywareupdater.exe
   • %PROGRAM FILES%\microsoft antispyware\gcasnotice.exe



É criado o seguinte ficheiro:

%SYSDIR%%três caracteres aleatórios%log.exe Além disso executa-se depois de gerado. Outras investigações apontam para que este ficheiro, também, seja malware. Detectado como: TR/Kebede.F

 Registry (Registo do Windows) É adicionado o seguinte valor ao registo do Windows de forma a que o processo seja executado depois do computador ser reiniciado:

– HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • "Anti-Virus Product Sync(%SYSDIR%\ %três caracteres aleatórios%log.exe)"="%SYSDIR%\ %três caracteres aleatórios%log.exe"



São adicionadas as seguintes chaves ao registo:

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   • "Run"="%SYSDIR%\ %aplicação Windows aleatória%"

– HKLM\Software\Microsoft\MediaPlayer\Player
   • "Player Already Configured"="True"

 E-mail Tem um motor SMTP integrado para enviar emails.É criada uma ligação directa com o servidor de destino. Tem as seguintes características:


De:
O endereço do remetente é falsificado.
Endereços gerados. Não assuma que é intenção do remetente enviar este email para si. Ele pode não saber que tem o sistema infectado, pode mesmo não estar infectado. Além disso é provável que receba emails que digam que está infectado. Pode não ser o caso.


Para:
– Endereços de email encontrados em determinados ficheiros no sistema.
– Endereços de e-mail recolhidos do WAB (Windows Address Book).


Assunto:
Um dos seguintes:
   • let's chat here...; I'm going to somewhere; Re: hi; **IMPORTANT** You
      Won Diversity Visa Lottery!; [Subject Hidden]; PaRtY tonight??!; ANTI;
      **URGENT** Microsoft Windows Automatic Update disabled.; Fw: Fw: Osama
      bin Laden has been arrested!; **WARNING** Your Internet Information;
      **WARNING** Your Internet account has been suspended.; Password; WE
      NEED TO TALK.; ANTS; **WARNING** A Worm on Michael Jackson's Death.;
      Fw: Fw: The SECRET behind John Paul's death; John Paul's death and the
      doctors...; **Breaking News** Author of MyDoom has been ARRESTED!; FOR
      GIRLS ONLY!!, Boys; Make sure u are alone; J Lo with no closes ON!!;
      Re: It seems a good day!!; FOR THE LAST TIME!!; Your chat room friend;
      RE: the document; **WARNING** Account Currently Disabled.; Welcome
      back!!; **ALERT**; Partnership; Your request; ALERT; [New message
      available]; Re: r u there; Microsoft Introducing Windows Long Horn



Corpo:
O corpo do email é um dos seguintes:

   • Attached is a confidential information about the Webs you browsed. The list was logged since 2004.

   • Big day huh! What a great surprise! I've just read on Arab site that Osama bin Laden has been arested by the US soldiers. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!

   • Your IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account.

   • I'm back with the password. Hit me back

   • Call me when you finish reading the document

   • I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death.Please, try to forward this document to all your relatives and reveal the truth.

   • Hey we need to talk. Read the attachment and hit me back

   • This is for the last time. Answer me.

   • i have found a new chat rooms, see you there.

   • someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.

   • Microsoft is proud to announce the latest version of Windows-Long Horn. What make this version specialis that it is the only Microsoft's product with component's source code available to 3rd party. Full documentation is attached document. We have also included Windows Media Player 10's source code.
     Microsoft Corporation (c) 1993 - 2006

   • > Please send me that document, thanx
     I have attached it :)

   • hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup.

   • I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!

   • HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up.

   • A new Worm is spreading by using Michael Jackson's death. After the death of the famous pop star, Michael Jackson, during the acciedent yesterday, new computer Worms appeared to use the news as a subject, said Graham Cluley, senior technology consultant.
     To unregister, just go to http://www.bbc.co.uk/ at Sophos.This Worm has 10 different subjects which made it spread widely. All the characterstics of the e-mail are attached in text document.
     System and server administrators are advised to read/know the characterstics of the Worm, urges Sophos. Sophos would also like to express its grief about the pop star's death.
     
     ++Scanner: Sophos Anti-virus
     Sophos Internet Worm Protection Center.
     ++Attachment: No Virus Found(Clean text document)

   • Microsoft has just annouced the arrest of the author of the Internet Worm MyDoom. Microsoft says, Someone
     sent us an e-mail that has a document about the location where the author live. Even though the information true and led us to the arrest of the author, the sender didn't mention about himself so that we are unable to give him the $500,000 reward. And the author of MyDoom has be found to be a former Microsoft's employee fired becuase of his discipline. Now Microsoft and SCO are confused to whom to give the reward.
     Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.

   • [DOCUMENTS AVAILABLE]

   • Are you alone? The have fun ;)

   • This message was sent because of your registration at:http://www.bbc.co.uk/breakingnews_alert/mydoom/tmplt.cgi?t=re49358aa3aae77ab0dc382;act=SF;f=

   • [The mail client could not display the picture due to high resolution on the graphics.
     Contents has been attached as a hexadecimal text.]

   • you again!! c ya!

   • This message was sent automatically from the Microsoft Windows Update Web site.

   • You will not be able to log on to your account anymore. See the attac/

   • We were waiting for u! Group pic is available.

   • no hay sitio para ...!!

   • Subject: the document

   • [BODY REMOVED]

   • [ATTACHED]

   • You have won this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information.
     The Visa Lottery Commite.

   • \xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e

   • We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your
     system with this software and delete any file detected as virus. Then try to update Windows.


Atalho:
O ficheiro de atalho tem um dos seguintes nomes:
   • Account.doc; attached_document.doc; Bin_Laden_Arrested.txt; body.txt;
      boys.txt; characters.txt; chat_server; chat_server.txt; contents.txt;
      ditail.txt; document.doc; files.txt; Hex_Pic.doc; Hex_Picture.txt;
      Important.doc; Info.txt; JohnPaul.txt; JohnPaul_Death.Doc;
      message.doc; messaggio.doc; microsoft.doc; Microsoft_form.doc;
      my_girl.jpg; my_pics.jpeg; my_pictur.jpeg; party_location.txt;
      password.doc; photo.jpg; Removal_tool; Sex stories.txt; True_Ezin.doc;
      where_the_party_is.doc; with_this_girl.jpg; worm_characters.txt;
      you_lied.txt; your_document.doc

O ficheiro de atalho é uma cópia do malware.



O email pode ser parecido com o seguinte:


 Mailing Pesquisa endereços:
Procura endereços de email nos seguintes ficheiros:
   • .htm; .wab; .txt; .eml; .dbx; .doc; .rtf; .jsm; .php; .htm; .htm;
      .nws; .msg; .stml; .inbox; .outbox; .oft; .xml


Endereços gerados para o campo DE:
Utiliza o seguinte texto para gerar endereços:
   • administrator; Diversity Visa Lottery <information@diversityvisa.org>;
      information@diversityvisa.org; Mail Administraor       Delivery Subsystem       <windows@microsoft.com>; Microsoft Windows Update
      <update@microsoft.com>; Post Master       postoffice; update@microsoft.com; windows@microsoft.com;
      bugonyourwork@yahoo.com; stan; bill; bob; jack; fred; ted; kevin;
      david; george; sami; andrew; jose; maria; mary; ray; tom; peter; john;
      daniel; alex; michael; james; mike; robert; jane; joe; bini; dave;
      matt; steve; smith; debby; helen; jerry; jimmy; brenda; claudia;
      sandra; calvin; christoph; julie; linda; adam; brent; alice; anna

Combina o resultado com domínios encontrados em ficheiros, previamente pesquisados por endereços.


Endereços evitados:
Não envia emails para endereços com os seguintes blocos de texto:
   • sophos; @syman; norton; example; rating; .gov; submit; kasper; antivi;
      abuse; domain.; spam; @mm; announce; @from; kernel.; sql.; zone;
      privacy; support; your; master@; you@; panda; mozilla; linux;
      detection; bitdefender; mcafee; @www; anyone; anywhere; somebody;
      someone; subscri; freeav; free-av; registe; report; name@; admin;
      spybot; nobody; help; secur; service; gmail.; sun.; info@; java.;
      smtp.; sales@; foo.; feedback; @nai; noreply; receiver@; messagelab;
      virus; winzip; msdn.; winrar; accoun; borlan; contact; soft.; comment;
      mailer-daemon; sender@; remail; user@; password; avp; me@; .mil;
      @trend


Adicinado texto MX ao início:
De forma a obter o endereço IP do servidor de email tem capacidade de adicionar (ao início) do nome de domínio os seguintes textos:
   • sparrow.; .net.et; telecom; mx.; mx1.; mail.; mx1.mail.; smtp.; ns.;
      relay.; gate.; inbound.; public.; relay1.; mail1.; smtp1.; mta.; mx2.;
      dns.; mx3.; a.mx.; dns1.; mx0.; ms.; mx4.; mx5.; mx6.; mx7.; mx8.;
      smtp2.; mail2.; mail3.; mail4.; mail5.; mail12.; mailserver.; b.mx.;
      e.mx.; gateway.; mx00.; mx01.; mx02.; mx03.; mx04.; mx05.; mx06.;
      mx07.; mx08.; www.; www.email.; ns1.; ns2.; ns3.; dns2.; mail-relay.;
      smtp-relay.; webmail.; ms1.; ms2.; ms3.; freemail.; inbound0.;
      inbound1.; udi; inbound2.; mx2.mail.; mx3.mail.; pop.

 P2P De modo a infectar sistemas na comunidade P2P executa a seguinte acção:


   Procura directórios com os seguintes textos:
   • shared
   • downloaded

   Em caso de ser bem sucedido, são criados os seguintes ficheiros:
   • spyware remover.com; school girls getting fucked.com; norton personal
      firewall 2005 patch.com; turbo c++.pif; zonealarm security suite 2005
      crack.com; windows xp pro bug fix 2.com; win server 2003 remote
      exploit.cmd; sasser removal tool.com; microsoft antispyware patch.com;
      dvd ripper keygen.com; naked girls screen saver.scr; porn download
      links.txt; sasser source code.txt; msn messenger 7.0 installer.com;
      sasser source code.sfx.com; winrar 4.2.com; internet explorer 7.0
      installer.com; flash mx 2005 serial.exe; upx exe packer 2.4.com;
      w32.kebede removal tool.com

   Os ficheiros são cópias do próprio malware.

 Informações diversas Mutex:
Cria os seguintes Mutexes:
   • -oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • [SkyNet.cz]SystemsMutex
   • AdmSkynetJklS003
   • Zone Alarm Mutex
   • AdmSkynetJKIS003
   • qwedefacedRDE
   • ____--->>>>U<<<<--_____
   • SwebSipcSmtxS0
   • NTShell Taskman Startup Mutex
   • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • 43jfds93872
   • H-E-L-L-T-O-B
   • SkynetSasserVersionWithPingFast
   • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
   • WWWdefacedWWW
   • LK[SkyNet.cz]SystemsMutex
   • SkyNet-Sasser
   • H-e-l-l-B-o-t-3-T-e-a-M!!!
   • H-e-l-l-B-o-t
   • H-e-l-l-B-o-t-3
   • NetDy_Mutex_Psycho
   • 89845848594808308439858307378280987074387498739847
   • AdmMoodownJKIS003
   • SkYnEt_AVP
   • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
   • ~~~Bloodred~~~owns~~~you~~~xoxo~~~2004
   • Protect_USUkUyUnUeUtU_Mutex
   • DrDetroit[Bloodred.B]
   • MI[SkyNet.cz]SystemsMutex
   • FAST[Kebede.E]FAST

 Detalhes do ficheiro Linguagem de programação:
 O programa de malware está escrito em Visual Basic.


Empacotador de Runtime:
De forma a agravar a detecção e reduzir o tamanho do ficheiro é lançado com o seguinte empacotador de runtime:
   • UPX

Descrição enviada por Irina Boldea em segunda-feira, 27 de março de 2006
Descrição atualizada por Andrei Ivanes em quarta-feira, 29 de março de 2006

Voltar . . . .