Sophos

W32/Kedebe-A

Aliases
  • WORM_KEDEBE.A

How it spreads
  • Email attachments
Affected operating systems Windows
Protection available since 3 May 2005 08:25:38 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Console Monitor = gcasAV32.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Kedebe-A is a mass-mailing worm for the Windows platform. It sends email using its own SMTP engine. It kills anti-virus programs and encrypts certain types of files.

W32/Kedebe-A blocks access to certain anti-virus related URLs. The worm creates mutexes to prevent W32/Bagle, W32/Mytob and W32/Netsky from running on the affected system.

Email sent by W32/Kedebe-A has the following characteristics:

Subject line:

(one of the following)
-Mail server upgrading
-Attention!
-Don't send this to me again!

Sender address:

(one of the following)
Secqrity Team
Internet Explorer Team iexplorer@microsoft.com
The Jackson Brothers

Recipient name:

daniel_kqql
helen
helen_2002

Recipient domain name:

(one of the following)
@gmail.com
@hotmail.com
@msn.com
@yahoo.com

Message text:

Hey, why did you send this to me? I'm not going to talk to you again. You know I don't like such kinda pics. I have painted a reply on it. I have also covered the nasty parts with dark color. Anyway check it out it is all in the attachment. Please don't send this kind of pictures to me.

Hi, how are you? I'm fine. Why didn't you reply to me? I'm still waiting...by the way I have sent you my recent picture with the close that like most on. Please reply to me, I'm still waiting for you. I will send you another picture next time you reply, OK.

Attached file:

(one of the following)
Norton AntiVirus 2006 Crack.exe
Naked teen-Actions.com
ZoneAlarm Security Suite 2005 Crack.com
Win Server 2003 Remote Exploit.cmd
Microsoft AntiSpyware Crack.com
DVD to MP3 converter.exe
Admini Password Cracker.exe

The worm terminates the following anti-virus processes:

agentsvr.exe
antivirus.exe
asfagent.exe
atwatch.exe
avserve2.exe
ccapp.exe
ccevtmgr.exe
ccsetmgr.exe
clean.exe
dap.exe
escanh95.exe
exantivirus-cnet.exe
flowprotector.exe
fp-win_trail.exe
fsav530stbyb.exe
giantantispywaremain.exe
giantantispywareupdater.exe
gcasdtserv.exe
gcasservalert.exe
hacktracersetup.exe
isafe.exe
killprocessetup161.exe
llssev.exe
luall.exe
lucomserver.exe
lucoms~1.exe
lxer32.vav
mantispm.exe
mcupdate.exe
mssmmc32.exe
navapsvc.exe
netmon.exe
netspyhunter-1.2.exe
nmain.exe
norton_internet_secu_3.0_407.exe
npfmntor.exe
nprotext.exe
nupgrade.exe
opscan.exe
ostronet.exe
penis32.exe
procexplorerv1.0.exe
proport.exe
rescue.exe
rtvscan.exe
sheelspyinstall.exe
sndsrvc.exe
spbbcsvc.exe
spyxx.exe
symproxysvc.exe
taskmgr.exe
trjscan.exe
trojantrap3.exe
vsmon.exe
watchdog.exe
webscanz.exe
whoswatchingme.exe
zlclient.exe
zonalm2601.exe
zonealarm.exe

The worm deletes anti-virus related files:

Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
Norton AntiVirus\OPSCAN.exe
Zone Labs\ZoneAlarm\alert.zap
Zone Labs\ZoneAlarm\email.zip
Zone Labs\ZoneAlarm\filter.zap
Zone Labs\ZoneAlarm\firewall.zap
Zone Labs\ZoneAlarm\mailFrontier\mantispm.exe
Zone Labs\ZoneAlarm\mailFrontier\AddinMon.exe
Zone Labs\ZoneAlarm\zlclient.exe
Zone Labs\Zone Labs\ZoneAlarm\programs.zap

The worm encrypts files with the following extensions:

*.htm
*.wab
*.html
*.eml
*.txt
*.doc
*.dhtm
*.xhhm

The worm copies itself to the Windows folder under a random name.

The worm adds the following registry entry so that it is run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Windows Console Monitor = gcasAV32.exe

The worm creates the following SpeedBit registry subkeys:

HKCU\Software\SpeedBit
HKLM\Software\SpeedBit

The worm tries to download a file from a URL and run it, but the file at that URL no longer exists. It tries to send emails using its own SMTP engine.

If the infected computer has no internet connection, the worm drops a copy of itself into the shared folder, using one of the attachment filenames listed above. The worm also copies itself to the system folder as 'kernel32hlp.exe' and disables the Outlook create-mail function and address book.

The worm creates the following mutexes to prevent other worms, such as W32/Beagle, W32/Mytob and W32/NetSky, from launching:

_-B_-I_-N_-I_-D_-O_-G_-G_-T_-H_-E_-K_-I_-N_-G_-
--->>>>BaDoom<<<<';; ;;;D__MUUUTEX
--->I|t's a g|o|o|d t|h|i|n|g t|o j|o|i|n t|h|e *|*|*|*|* s|o|c|i|e|t|y!<---
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
'D'r'o'p'p'e'd'S'k'y'N'e't'
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003
H-E-L-L-B-O-T
oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
____--->>>>U<<<<--_____
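The manual registry removal in the Action section and the host artifacts described above (run value, SpeedBit subkeys, dropped files, mutex names) combined into one triage script. This is an added example, not a Sophos tool; it assumes a modern PowerShell run as Administrator, and that the run value's target gcasAV32.exe was dropped into the Windows or System32 folder (the page only says "random name in the Windows folder").

```powershell
# Added triage script (not from the Sophos page): report W32/Kedebe-A artifacts
# listed in the analysis and, with -Remove, delete the RunServices value after
# backing up the key, as the Action section describes. Run as Administrator.
param([switch]$Remove)

$findings = @()

# 1. Registry run entry named in the Action section
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
$valName = 'Windows Console Monitor'
$val = (Get-ItemProperty -Path $runKey -Name $valName -ErrorAction SilentlyContinue).$valName
if ($val) {
    $findings += "RunServices value '$valName' = $val"
    if ($Remove) {
        # Export the key first (the backup the Action section asks for), then delete the value
        $backup = Join-Path $env:TEMP 'RunServices-backup.reg'
        reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices' $backup /y | Out-Null
        Remove-ItemProperty -Path $runKey -Name $valName
        $findings += "Removed value '$valName' (backup at $backup)"
    }
}

# 2. SpeedBit subkeys the worm creates
foreach ($k in 'HKCU:\Software\SpeedBit', 'HKLM:\SOFTWARE\SpeedBit') {
    if (Test-Path $k) { $findings += "Registry subkey present: $k" }
}

# 3. Dropped copies: kernel32hlp.exe in the system folder; gcasAV32.exe location is an assumption
$paths = (Join-Path $env:SystemRoot 'System32\kernel32hlp.exe'),
         (Join-Path $env:SystemRoot 'gcasAV32.exe'),
         (Join-Path $env:SystemRoot 'System32\gcasAV32.exe')
foreach ($f in $paths) { if (Test-Path $f) { $findings += "File present: $f" } }

# 4. Mutex names from the list above; OpenExisting only sees the current session's namespace
$mutexNames = @('_-B_-I_-N_-I_-D_-O_-G_-G_-T_-H_-E_-K_-I_-N_-G_-',
    "--->>>>BaDoom<<<<';; ;;;D__MUUUTEX",
    '--->I|t''s a g|o|o|d t|h|i|n|g t|o j|o|i|n t|h|e *|*|*|*|* s|o|c|i|e|t|y!<---',
    'MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D', "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    '_-oOaxX|-+S+-+k+-+y+-+N+-+e+-|XxKOo-_', '[SkyNet.cz]SystemsMutex', 'AdmSkynetJklS003',
    'H-E-L-L-B-O-T', 'oO]xX|-S-k-y-N-e-t-|Xx[Oo-_', '____--->>>>U<<<<--_____')
foreach ($m in $mutexNames) {
    try {
        $mx = [System.Threading.Mutex]::OpenExisting($m)   # throws if the mutex does not exist
        $mx.Dispose()
        $findings += "Mutex present: $m"
    } catch { }   # WaitHandleCannotBeOpenedException or access denied: treat as not found
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Kedebe-A artifacts found on this host' }
```

A hit on a mutex name alone can also mean one of the other worms it names (Bagle, Mytob, Netsky) is present, so treat it as a prompt for a full scan rather than proof of this worm.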
