Summary
| | |
|---|---|
| How it spreads | |
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 9 July 2005 16:03:42 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*Windows <executable name> Checker
"<Windows system folder>\<executable name>"
and delete it if it exists.
Close the registry editor.
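The registry step above asks you to export a backup before touching the Run key. The following added example (not Sophos code) shows how a responder can work from such an export offline: it parses the text of a Regedit "Export Registry File" backup, collects the values under the Run keys the worm uses, flags value names of the form `*Windows <executable name> Checker`, and emits a `.reg` script that deletes only those values (the `"name"=-` syntax is Regedit's standard delete-value form). The sample export, the `xqzrt` executable name and the `ExampleUpdater` entry are constructed for illustration.

```python
"""Scan a Regedit export for the Run entries W32/Kedebe-B creates.

Added example, not Sophos code. Parses the text of an 'Export Registry
File' backup, looks at the Run keys the advisory names, flags value names
matching '*Windows <name> Checker' and writes an undo script that removes
only those values. SAMPLE_EXPORT is a constructed example.
"""
import re

# The two Run keys the advisory says the worm touches.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

# Value name pattern from the advisory: *Windows <executable name> Checker
KEDEBE_NAME = re.compile(r"^\*Windows .+ Checker$")

# Constructed sample export; 'xqzrt' stands in for the worm's random name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"*Windows xqzrt Checker"="C:\\WINDOWS\\system32\\xqzrt.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_reg_export(text):
    """Return {key_path: {value_name: data_text}} for a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # binary/hex continuation lines are not needed here
        name = _unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_kedebe_run_entries(reg_text):
    """Return [(key, value_name, data)] for Run values named like the worm's."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            if KEDEBE_NAME.match(name):
                hits.append((key, name, data))
    return hits


def undo_reg_script(hits):
    """Build a .reg script that deletes exactly the flagged values."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _data in hits:
        lines += [f"[{key}]", f'"{_escape(name)}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_kedebe_run_entries(SAMPLE_EXPORT)
    for key, name, data in found:
        print(f"{key}\n  {name} -> {data}")
    print(undo_reg_script(found))
```

Review the flagged entries against the "<Windows system folder>\<executable name>" path the advisory describes before importing the undo script; the matcher keys on the value name only, so any unrelated value that happens to share the pattern would also be listed.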
More Information
W32/Kedebe-B is a worm for the Windows platform.
W32/Kedebe-B will harvest email addresses from the infected computer and send itself to the harvested addresses.
The emails sent will have the following properties:
Subject will be one of the following
**ALERT**
**BREAKING NEWS** Author of MyDoom has been ARRESTED!
**IMPORTANT** You Won Diversity Visa Lottery!
**URGENT** Microsoft Windows Automatic Update disabled.
**WARNING** A Worm on Michael Jackson's Death.
**WARNING** Account Currently Disabled.
**WARNING** Your Internet account has been suspended.
**WARNING** Your Internet Information
[New message available]
[Subject Hidden]
FOR GIRLS ONLY!!, Boys
FOR THE LAST TIME!!
Fw: Fw: Osama bin Laden has been arrested!
Fw: Fw: The "SECRET" behind John Paul's death
I'm going to somewhere
J Lo with no closes ON!!
John Paul's death and the doctors...
let's chat here...
Make sure u are alone
Microsoft Introducing Windows Long Horn
Partnership
PaRtY tonight??!
Password
Re: hi
Re: It seems a good day!!
Re: r u there
RE: the document
WE NEED TO TALK.
Welcome back!!
Your chat room friend
Your request
Message text will be one of the following:
This message was sent automatically from the Microsoft Windows Update Web site.
Microsoft Corporation (c) 2001-2005. All rights reserved.
I have attached it :)
-----Original Message-----
From:
Sent: [2 days ago]
> Please send me that document, thanx
[BODY REMOVED]
[ATTACHED]
[NEW DOCUMENT ATTACHED]
[DOCUMENTS AVAILABLE]
Call me when you finish reading the document
We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your system with this software and delete any file detected as virus. Then try to update Windows.
Sorry about the Pope's new. I didn't mean it from my heart.
You have won this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information. The Visa Lottery Commite.
We were waiting for u! Group pic is available.
You will not be able to log on to your account anymore. See the attac/
you again!! c ya!
Contents has been attached as a hexadecimal text.]
Microsoft has just annouced the arrest of the author of the Internet Worm "MyDoom". Microsoft says, "Someone sent us an e-mail that has a document about the location where the author live. Even though the information is true and led us to the arrest of the author, the sender didn't mention about himself so that we are unable to give him the $500,000 reward. And the author of MyDoom has be found to be a former Microsoft's employee fired becuase of his discipline." Now Microsoft and SCO are confused to whom to give the reward. Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.
A new Worm is spreading by using Michael Jackson's death. "After the death of the famous pop star, Michael Jackson, during the acciedent yesterday, new computer Worms appeared to use the news as a subject," said Graham Cluley, senior technology consultant at Sophos during the interview today. This Worm has 10 different subjects which made it spread widely.
All characterstics of the e-mail which the Worm sends out are attached in text document.
++Attachment: No Virus Found(Clean text document)
"System and network administrators are advised to read and know the characterstics of the Worm," urges Sophos. Sophos would also like to express its grief about the pop star's death.
Sophos Internet Worm Protection Center.
Microsoft is proud to announce the latest version of Windows-Long Horn. What make this version of Windows special is that it is the only Microsoft's product with component's source code available to its customers. Full documentation is in the attached document. We have also included Windows Media Player 10's partial source code.
Microsoft Corporation (c) 1993 - 2006
I don't know how to say it, but it is really annoying thing that happened to John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death.
Please, try to forward this document to all your relatives and reveal the truth.
someone sent me this document which is stolen from a secret government body and deals about John Paul's death.
It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.
Hey we need to talk. Read the truth and hit me back
Your IP was logged by different sites which are porn related. Attached is a list of sites you visited and information about your Internet account. We warn you not to visit these sites again.
User's Online Experiance Control Team.
Big day huh! What a great surprise! I've just read on Arab site that Osama bin Laden has been arested by the US soldiers. It's a lot to talk here. I've just copied the whole news in Notepad and attached it. Nice news huh?!
The attachment will have one of the following as a basename with .cab appended. The CAB file also contains an executable with the same basename followed by several spaces and then .exe appended, so that the padding pushes the real extension out of view.
attached_document.doc
Bin_Laden_Arrested
characters.txt
chat_server.txt
content
contents.txt
details
ditail.txt
document.doc
documents
files.txt
group_photo
Hex_Picture.txt
Important.doc
Info.txt
JohnPaul.txt
JohnPaul_Death.Doc
messaggio.doc
microsoft.doc
Microsoft_form
my_girl.jpg
my_pictur.jpeg
party_location.txt
photo.jpg
read_carefully
Removal_tool
Removal_Tool
worm_characters.txt
you_lied
your_document.doc
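The space-padded ".exe" inside the CAB is the part a mail gateway or archive inspector can catch generically, without knowing this worm's basenames. The added example below (not Sophos code) takes a member or attachment name, separates the visible basename from any whitespace padding and the real extension, and reports why the name looks deceptive: an executable extension hidden behind padding, or a double extension such as "document.doc" in front of ".exe". The sample names are constructed in the advisory's style.

```python
"""Flag attachment names that hide an executable extension.

Added example, not Sophos code. W32/Kedebe-B ships CAB members named
'<basename><several spaces>.exe'; the checks here are generic and work on
any name as a gateway or CAB inspector would see it. Sample names are
constructed.
"""
import re

# Extensions Windows will execute directly when the file is opened.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed sample in the advisory's style.
SAMPLE_NAMES = [
    "photo.jpg",
    "document.doc        .exe",
    "Removal_tool   .exe",
    "read_carefully",
    "setup.exe",
]

_NAME = re.compile(r"^(.*?)(\s*)(\.[A-Za-z0-9]+)$")


def split_padded_name(name):
    """Return (visible_basename, padding_length, real_extension_lower)."""
    m = _NAME.match(name)
    if not m:
        return name, 0, ""
    return m.group(1), len(m.group(2)), m.group(3).lower()


def assess_attachment(name):
    """Return the reasons a name looks deceptive; empty list means none found."""
    reasons = []
    base, pad, ext = split_padded_name(name)
    if ext not in EXECUTABLE_EXTS:
        return reasons
    if pad > 0:
        reasons.append(f"executable extension hidden behind {pad} whitespace chars")
    if re.search(r"\.[A-Za-z0-9]{1,4}$", base):
        reasons.append(f"double extension: looks like {base!r}, is {ext}")
    if not reasons:
        reasons.append(f"executable attachment ({ext})")
    return reasons


def triage(names):
    """Map each flagged name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := assess_attachment(n))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

`split_padded_name` keeps the padding length rather than just a boolean so a policy can treat a single stray space differently from a run long enough to push the extension off the edge of a file dialog; a plain "setup.exe" is still reported, only with the weaker "executable attachment" reason.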
W32/Kedebe-B may send the emails with a spoofed sender address taken from the harvested addresses, or with one of the following predefined addresses:
Administrator
Internet Security <security@sophos.com>
security@sophos.com
News Alert <newsalert@bbc.co.uk>
newsalert@bbc.co.uk
Diversity Visa Lottery <information@diversityvisa.org>
information@diversityvisa.org
Microsoft Windows Update <update@microsoft.com>
update@microsoft.com
Mail Administrator
Post Master
Mail Delivery Subsystem
Microsoft Windows <windows@microsoft.com>
windows@microsoft.com
W32/Kedebe-B will remove all registry entries under:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Kedebe-B will copy itself to the Windows system folder under a randomly selected name and create or modify the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
*Windows <executable name> Checker
"<Windows system folder>\<executable name>"
HKCU\Software\Microsoft\Windows NT\CurrentVersion
Run
"<Windows system folder>\<executable name>"
W32/Kedebe-B will rename or delete several files. The following actions will be performed:
AddinMon.exe will be deleted
alert.zap will be deleted
email.zap will be deleted
Explorer.exe renamed to Explorerkeb.ede
filter.zap will be deleted
firewall.zap will be deleted
lsass.exe renamed to lsasskeb.ede
programs.zap will be deleted
Regedit.exe will be deleted
services.exe renamed to Serviceskeb.ede
shell.exe will be deleted
shimgapi.dll renamed to KilledKeb.ede
smsrss.exe will be deleted
svchost.exe renamed to svchostkeb.ede
taskmon.exe will be deleted
W32/Kedebe-B will copy itself to folders containing the words 'shared' or 'download'.
W32/Kedebe-B will terminate many security-related processes and append the following to the HOSTS file in order to keep the infected user from accessing security-related URLs:
127.0.0.1 avp.com
127.0.0.1 cm2.zonelabs.com
127.0.0.1 configmtd.mailfrontier.net
127.0.0.1 definitions.symantec.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.com
127.0.0.1 download.mcafee.com
127.0.0.1 download.zonelabs.com
127.0.0.1 downloads-eu1.kaspersky-labs.com
127.0.0.1 downloads-us1.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 kaspersky.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 mcafee.com
127.0.0.1 microsoft.com
127.0.0.1 nai.com
127.0.0.1 networkassociates.com
127.0.0.1 pa2.zonelabs.com
127.0.0.1 ps2.zonelabs.com
127.0.0.1 rads.mcafee.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 symantec.com
127.0.0.1 trendmicro.com
127.0.0.1 update.zonelabs.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 viruslist.com
127.0.0.1 windowsupdate.com
127.0.0.1 www.avp.com
127.0.0.1 www.download.com
127.0.0.1 www.f-secure.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.nai.com
127.0.0.1 www.networkassociates.com
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.windowsupdate.com
127.0.0.1 www.zonelabs.com
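The Action section says to restore the HOSTS file from a backup or edit out the worm's changes by hand. The added example below (not Sophos code) does the same check offline for both the HOSTS list above and the removal step: it parses hosts-file text, reports every line that points a security-vendor or update domain at a loopback or unspecified address, and returns a cleaned copy with only those lines removed, so legitimate local entries survive. The vendor list is built from the second-level domains in the list above (subdomains match too); the sample file is constructed.

```python
"""Detect and undo W32/Kedebe-B style HOSTS file tampering.

Added example, not Sophos code. Parses hosts-file text, flags vendor or
update domains redirected to loopback/0.0.0.0 and returns a cleaned copy
with only those lines dropped. SAMPLE_HOSTS is constructed.
"""
import ipaddress

# Second-level domains taken from the advisory's HOSTS list.
VENDOR_DOMAINS = {
    "avp.com", "zonelabs.com", "mailfrontier.net", "symantec.com",
    "mcafee.com", "download.com", "kaspersky-labs.com", "kaspersky.com",
    "symantecliveupdate.com", "microsoft.com", "nai.com",
    "networkassociates.com", "sophos.com", "trendmicro.com",
    "viruslist.com", "windowsupdate.com", "f-secure.com",
}

# Constructed sample: one legitimate local entry, two worm entries,
# one unrelated user blocklist entry that must survive cleaning.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
192.168.1.10 intranet.example.local
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.sophos.com
0.0.0.0 ads.example.net
"""


def _is_sinkhole(addr):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _matches_vendor(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each non-comment entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        yield n, parts[0], parts[1:]


def find_blocked_vendors(text):
    """Return [(line_no, hostname)] for vendor hosts sent to a sinkhole address."""
    hits = []
    for n, addr, hosts in parse_hosts(text):
        if not _is_sinkhole(addr):
            continue
        hits.extend((n, h) for h in hosts if _matches_vendor(h))
    return hits


def clean_hosts(text):
    """Return the hosts text with only the flagged lines removed."""
    bad = {n for n, _ in find_blocked_vendors(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for n, host in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {n}: {host} is redirected")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Only lines that combine a sinkhole address with a vendor domain are dropped, so "127.0.0.1 localhost" and a user's own blocklist entries are kept; after cleaning, confirm that name resolution for the update sites works again before relying on signature updates from that machine.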
