Sophos

W32/Kalel-A

Summary

How it spreads:
  • Email attachments
  • Peer-to-peer
Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 22 May 2005 16:14:07 (GMT)
Detected by: All Sophos products

More Information

W32/Kalel-A is a worm and backdoor Trojan for the Windows platform that targets peer-to-peer file sharing utilities.

W32/Kalel-A may arrive in email with the following characteristics:

Subject line:

Mail delivery failed: returning message to sender...

Message text:

This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of
its recipients. For more details read the attached document.

Attachment:

errors_details.zip

that contains a copy of the worm executable with one of the following filenames:

details.pif
details.scr
details.txt <100 spaces> .scr
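
The attachment names above, in particular the whitespace-padded "details.txt <100 spaces> .scr", are the part of this worm a mail gateway can recognise before the file is ever opened. The following is an added example, not Sophos code or a Sophos signature: it works out the extension Windows would actually honour for an attachment name, flags executable and padded double extensions, and scans a zip payload for such members. The zip and message used for the demonstration are constructed in-line from empty placeholder files; the function names and the extension list are assumptions of this example.

```python
import io
import re
import zipfile

# Extensions Windows executes on double-click; the worm uses .pif and .scr.
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

# A shown extension, then two or more spaces, then the real extension at the
# very end of the name: the "details.txt <spaces> .scr" disguise.
PADDED_DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}\s{2,}\.[A-Za-z0-9]{1,4}$")

# Subject used by the worm's fake bounce message (from the description above).
BOUNCE_SUBJECT = re.compile(r"^mail delivery failed", re.IGNORECASE)


def real_extension(name: str) -> str:
    """Return the extension Windows honours: the last '.xxx' of the name, lower-cased.

    Spaces before the final dot do not matter to the shell, so a name padded with
    100 spaces before '.scr' is still a screensaver executable.
    """
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify_attachment_name(name: str) -> list:
    """Return the list of reasons a file name is suspicious (empty if none)."""
    reasons = []
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("whitespace-padded double extension")
    return reasons


def scan_zip_attachment(data: bytes) -> list:
    """Return [(member_name, reasons)] for every suspicious member of a zip payload.

    Only the central directory is read; member contents are never extracted.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_attachment_name(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def message_verdict(subject: str, attachment_name: str, attachment_bytes: bytes) -> dict:
    """Combine the bounce-style subject with the attachment scan into one verdict."""
    members = []
    if attachment_name.lower().endswith(".zip"):
        members = scan_zip_attachment(attachment_bytes)
    return {
        "bounce_subject": bool(BOUNCE_SUBJECT.match(subject)),
        "suspicious_members": members,
        "block": bool(members),
    }


def build_sample_zip(member_names) -> bytes:
    """Constructed sample: a zip whose members are harmless placeholder files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed message mirroring the characteristics in the description.
    padded = "details.txt" + " " * 100 + ".scr"
    sample = build_sample_zip([padded, "readme.txt"])
    print(message_verdict("Mail delivery failed: returning message to sender...",
                          "errors_details.zip", sample))
```

Matching on the real extension rather than on the first dot is what defeats the padding trick; a gateway rule that only looked for ".scr" after "details" would still catch it, but the padded form also evades users reading a truncated filename column, so the padded pattern is worth reporting as its own reason.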

W32/Kalel-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.

Once executed, W32/Kalel-A displays the fake error message "Unable to Locate DLL (MSXVGA40.DLL)" and copies itself to the Windows system folder with the following filenames:

csrss.exe
lsass.exe
services.exe

W32/Kalel-A also creates a password.zip file in the \Inetpub\wwwroot folder that contains a zipped copy of the worm executable with the filename password.pif, and modifies index script files in the same location.

In order to run automatically when Windows starts up, the worm sets the following registry entries (key, value name and value data):

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "services.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Authority Service = "lsass.exe"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Microsoft Windows CSRSS = "csrss.exe"

W32/Kalel-A may create a number of files in the Windows system folder including the following:

frundll32.ocx
lrundll16.dat
Kalel
Kalel.gif
nrundll.gy
irpa_driver.dat
mrundll.uu3
rundll.uu2
rundll64.uu
lmousedrv.dll
kmousedrv.dll

where mrundll.uu3, rundll.uu2 and rundll64.uu are uuencoded text files that contain the error_details.zip file.

W32/Kalel-A opens TCP port 51435 and listens on it for an incoming connection from the intruder.

W32/Kalel-A is capable of logging keystrokes.
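
The registry values, dropped files, web-root copy and listening port listed above are host indicators that can be checked without a scanner. The following is an added example, not a Sophos tool or detection signature: it evaluates a host snapshot against those indicators and reports each match. The snapshot type, the `check_host` function and both sample snapshots are assumptions of this example; the samples are constructed here, not real telemetry. On a live machine the snapshot would be filled from the Run and RunOnce keys, a listing of the Windows system folder and \Inetpub\wwwroot, and the TCP listeners reported by netstat. One caveat the example encodes: csrss.exe, lsass.exe and services.exe are also the names of legitimate Windows binaries in the system folder, so those file names alone prove nothing, whereas a Run value whose data is just one of those bare names is not how Windows starts them and is flagged on its own.

```python
from dataclasses import dataclass

# Indicators transcribed from the description above, lower-cased for comparison.
RUN_VALUES = {
    (r"hkcu\software\microsoft\windows\currentversion\run", "windows service"): "services.exe",
    (r"hklm\software\microsoft\windows\currentversion\run",
     "windows security authority service"): "lsass.exe",
    (r"hklm\software\microsoft\windows\currentversion\runonce",
     "microsoft windows csrss"): "csrss.exe",
}
DROPPED_FILES = {
    "frundll32.ocx", "lrundll16.dat", "kalel", "kalel.gif", "nrundll.gy",
    "irpa_driver.dat", "mrundll.uu3", "rundll.uu2", "rundll64.uu",
    "lmousedrv.dll", "kmousedrv.dll",
}
WEBROOT_DROP = r"\inetpub\wwwroot\password.zip"
BACKDOOR_PORT = 51435
# Names the worm reuses that legitimate Windows processes also have.
OS_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe"}


@dataclass
class HostSnapshot:
    """Hypothetical container for what a collector gathered from one host."""
    run_entries: dict    # {(registry key, value name): value data}
    system_files: set    # file names present in the Windows system folder
    webroot_files: set   # paths present under \Inetpub
    listening_tcp: set   # TCP ports in LISTENING state


def check_host(snap: HostSnapshot) -> list:
    """Return one human-readable line per matched Kalel-A indicator."""
    hits = []
    for (key, value), data in snap.run_entries.items():
        lookup = (key.rstrip("\\").lower(), value.lower())
        target = data.strip().strip('"').lower()
        if RUN_VALUES.get(lookup) == target:
            hits.append(f"registry: {key}\\{value} = {data} (Kalel-A persistence)")
        elif target in OS_PROCESS_NAMES:
            # A bare OS process name as Run data is not a Windows convention.
            hits.append(f"registry: {key}\\{value} starts bare OS process name {target}")
    present = {name.lower() for name in snap.system_files}
    for name in sorted(present & DROPPED_FILES):
        hits.append(f"file: {name} in Windows system folder")
    if any(path.lower() == WEBROOT_DROP for path in snap.webroot_files):
        hits.append(f"file: {WEBROOT_DROP} (copy of worm offered from web root)")
    if BACKDOOR_PORT in snap.listening_tcp:
        hits.append(f"network: TCP port {BACKDOOR_PORT} listening (backdoor)")
    return hits


def infected_sample() -> HostSnapshot:
    """Constructed snapshot reproducing the indicators in the description."""
    return HostSnapshot(
        run_entries={
            (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
             "Windows Service"): '"services.exe"',
            (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Windows Security Authority Service"): '"lsass.exe"',
            (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
             "Microsoft Windows CSRSS"): '"csrss.exe"',
        },
        system_files={"csrss.exe", "lsass.exe", "services.exe", "Kalel.gif", "rundll64.uu"},
        webroot_files={r"\Inetpub\wwwroot\password.zip", r"\Inetpub\wwwroot\index.htm"},
        listening_tcp={135, 445, 51435},
    )


def clean_sample() -> HostSnapshot:
    """Constructed snapshot of a host that only has the legitimate system binaries."""
    return HostSnapshot(
        run_entries={
            (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "SecurityHealth"): r'"C:\Windows\system32\SecurityHealthSystray.exe"',
        },
        system_files={"csrss.exe", "lsass.exe", "services.exe", "kernel32.dll"},
        webroot_files={r"\Inetpub\wwwroot\index.htm"},
        listening_tcp={135, 445},
    )


if __name__ == "__main__":
    for label, snap in (("infected", infected_sample()), ("clean", clean_sample())):
        print(label, check_host(snap) or "no indicators")
```

The clean sample deliberately contains csrss.exe, lsass.exe and services.exe in the system folder and produces no hit, which is the behaviour a practitioner wants: the discriminators are the value names and bare-name data in the Run keys, the odd rundll/mousedrv files, password.zip under the web root and the 51435 listener.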
