Summary
| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 2 August 2005 14:41:13 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Kalel-E is a worm for the Windows platform that attempts to spread by email and peer-to-peer applications.
W32/Kalel-E includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Kalel-E displays the fake error message "Setup Initialization Error: Current platform is not supported".
W32/Kalel-E carries out searches on google.com and yahoo.com in order to harvest email addresses.
The worm may send itself as an email attachment with the following characteristics:
Subject line:
**WARNING** Your e-mail was blocked
Message text:
Dear Customer,
I regret to inform you that your e-mail has been blocked due
to the violation of our site policy. Further details are attached.
++ Attachment: No Virus found
++ AntiVirus Service offered by F-Secure
W32/Kalel-E copies itself to shared folders used by peer-to-peer applications.
When first run W32/Kalel-E copies itself to:
<System>\lsass.exe
<System>\services.exe
<System>\smss.exe
and creates the following files:
<System>\msspool16.dll
<System>\mouse_drv32.ovx
<System>\msspool16.ref
<System>\msspool32.ref
<System>\msspool64.ref
<System>\msspooltmp16.zip
<System>\msspooltmp32.zip
<System>\msspooltmp64.zip
The ZIP files contain copies of the worm. The REF files are encoded copies of the ZIP files. All of these ZIP and REF files are detected as W32/Kalel-E.
The worm may copy itself to any of the following locations:
C:\My Downloads\
C:\My Shared Folder\
C:\program files\Ares\My Shared Folder\
C:\program files\BearShare\Shared\
C:\program files\direct connect\received files\
C:\program files\eDonkey2000\incoming\
C:\program files\eMule\Incoming\
C:\program files\gnucleus\downloads\
C:\program files\gnucleus\downloads\incoming\
C:\program files\grokster\my grokster\
C:\program files\grokster\my shared folder\
C:\program files\icq\shared files\
C:\program files\KaZaa Lite\My Shared Folder\
C:\program files\KaZaa\My Shared Folder\
C:\program files\KMD\my shared folder\
C:\program files\limeWire\shared\
C:\program files\Morpheus\my shared folder\
C:\program files\rapigator\share\
C:\program files\shareaza\downloads\
C:\program files\StreamCast\Morpheus\my shared folder\
C:\programmi\Ares\My Shared Folder\
C:\programmi\BearShare\Shared\
C:\programmi\direct connect\received files\
C:\programmi\eDonkey2000\incoming\
C:\programmi\eMule\Incoming\
C:\programmi\gnucleus\downloads\
C:\programmi\gnucleus\downloads\incoming\
C:\programmi\grokster\my grokster\
C:\programmi\grokster\my shared folder\
C:\programmi\icq\shared files\
C:\programmi\KaZaa Lite\My Shared Folder\
C:\programmi\KaZaa\My Shared Folder\
C:\programmi\KMD\my shared folder\
C:\programmi\limeWire\shared\
C:\programmi\Morpheus\my shared folder\
C:\programmi\rapigator\share\
C:\programmi\shareaza\downloads\
C:\Programmi\StreamCast\Morpheus\my shared folder\
C:\shared\
The following registry entries are created to run lsass.exe, services.exe and smss.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Service Controller
<System>\services.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Authority Service
<System>\lsass.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
System Session Manager
<System>\smss.exe
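As an added example (not part of the Sophos advisory), a Python check that applies the indicators above to exported autostart values and a system-directory listing: it flags the three Run/RunOnce value names, any Run entry that launches lsass.exe, services.exe or smss.exe (Windows never starts those from a Run key, so a renamed value is still caught), and the support files dropped in the system directory. The registry entries and listing it scans are constructed samples, and `<System>` is assumed to be `C:\WINDOWS\system32`.

```python
import re
from typing import NamedTuple

# Run-key persistence documented for W32/Kalel-E: value name -> binary it launches.
KALEL_RUN_VALUES = {
    "Microsoft Service Controller": "services.exe",
    "Windows Authority Service": "lsass.exe",
    "System Session Manager": "smss.exe",
}
# Real lsass.exe, services.exe and smss.exe are launched by the boot chain, never by
# a Run value, so any Run entry starting one of them is suspect whatever its name.
CORE_PROCESS_NAMES = set(KALEL_RUN_VALUES.values())
# Support files dropped in <System> (the worm's self-copies reuse real names, so are omitted).
KALEL_DROPPED_FILES = {
    "msspool16.dll", "mouse_drv32.ovx", "msspool16.ref", "msspool32.ref",
    "msspool64.ref", "msspooltmp16.zip", "msspooltmp32.zip", "msspooltmp64.zip",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
RunEntry = NamedTuple("RunEntry", [("key", str), ("name", str), ("data", str)])  # key path, value name, command

def executable_name(command):
    """Bare executable file name from a (possibly quoted) command line."""
    m = re.match(r'\s*"?(.*?\.exe)\b', command, re.IGNORECASE)
    head = m.group(1) if m else (command.split() or [""])[0]
    return head.split("\\")[-1].lower()

def flag_run_entries(entries):
    """(entry, reason) pairs for Run/RunOnce values matching the Kalel-E indicators."""
    hits = []
    for e in entries:
        if not RUN_KEY_RE.search(e.key):
            continue  # not an autostart key
        exe = executable_name(e.data)
        if e.name in KALEL_RUN_VALUES:
            hits.append((e, f"Kalel-E value name, launches {KALEL_RUN_VALUES[e.name]}"))
        elif exe in CORE_PROCESS_NAMES:
            hits.append((e, f"core system process {exe} launched from a Run key"))
    return hits

def flag_dropped_files(listing):
    """File names from a <System> directory listing that match Kalel-E drops."""
    return sorted(f for f in listing if f.lower() in KALEL_DROPPED_FILES)

# Constructed sample (not from the advisory), as a registry export might yield it.
RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    RunEntry(RUN, "Windows Authority Service", r"C:\WINDOWS\system32\lsass.exe"),
    RunEntry(RUN + "Once", "Renamed Entry", r"C:\WINDOWS\system32\smss.exe"),
    RunEntry(RUN, "ExampleUpdater", r'"C:\Program Files\Example\updater.exe" /quiet'),
]
```

On a live host the same functions can be fed from `reg export` output or a `winreg` walk of both hives; the legitimate lsass.exe, services.exe and smss.exe in System32 are not indicators by themselves, which is why only the Run entries and the msspool/mouse_drv32 files are matched.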
