Summary

| How it spreads | Email; peer-to-peer file sharing |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | September 2005 (3.97) |
| Protection available since | 15 July 2005 08:02:31 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Change any data that may have become compromised.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
and remove any reference to any file you deleted.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run\
and remove any reference to any file you deleted.
Close the registry editor.
More Information
W32/Kalel-D is a worm and backdoor Trojan for the Windows platform that targets peer-to-peer file sharing utilities.
W32/Kalel-D may arrive in an email with the following characteristics:
Subject line:
Subject: **NOTICE** Mailbox Limitation
Message text:
This message was created automatically by "Mail Guard" software (MSG) - do not reply.
In order to safeguard your mailbox from unexpected termination,
follow the instructions in the attached document.
++ Attachment: No Virus found
++ Norton AntiVirusÖ http://www.symantec.com
Attachment:
mailbox_rules.zip
that contains a copy of the worm executable with one of the following filenames:
readme.pif
readme.scr
readme.txt(many spaces).scr
where (many spaces) stands for a run of space characters between the first and second file extensions.
W32/Kalel-D runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
Once executed, W32/Kalel-D displays a fake error message, "Fatal Error: Exception Code=C00000004", and copies itself to the Windows system folder with the following filenames:
csrss.exe
lsass.exe
services.exe
In order to run automatically when Windows starts up, the worm sets the following registry entries (key, value name and value data):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Microsoft Service Controller = "services.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Authority Service = "lsass.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft Session Manager Subsystem = "smss.exe"
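The Action section above has the reader export the registry before editing it. As an added example (not Sophos's own tooling), the following Python script parses such a .reg export and flags the autorun value names listed above under the Run/RunOnce keys named in this description. The export text embedded below is constructed for the example; the benign "ExampleTool" entry is a placeholder, and only the value names and key paths are taken from the page.

```python
import re

# Autorun keys named in the description, spelled as a .reg export writes them.
AUTORUN_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
AUTORUN_KEYS_LOWER = {k.lower() for k in AUTORUN_KEYS}

# Value names the worm uses for its autorun entries (from the description).
WORM_VALUE_NAMES = {
    "Microsoft Service Controller",
    "Microsoft Authority Service",
    "Microsoft Session Manager Subsystem",
}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg backslash escaping (\\" and \\\\)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] sections with "name"=data lines."""
    result: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            data = m.group("data")
            # String data is quoted; strip the quotes and unescape it. Other
            # types (dword:, hex:) are kept verbatim.
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            result[current][_unescape(m.group("name"))] = data
    return result


def find_worm_autoruns(reg_text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, data) for entries matching the worm's autorun indicators."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in AUTORUN_KEYS_LOWER:
            continue
        for name, data in values.items():
            if name in WORM_VALUE_NAMES:
                hits.append((key, name, data))
    return hits


# Constructed sample export: two worm-style entries next to a placeholder benign one.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Tools\\exampletool.exe"
"Microsoft Authority Service"="lsass.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Session Manager Subsystem"="smss.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Service Controller"="services.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_worm_autoruns(SAMPLE_REG_EXPORT):
        print(f"{key}\n    {name} = {data}")
```

When reading a real export, open it with encoding="utf-16", since regedit writes .reg files as UTF-16 with a byte-order mark. Note that csrss.exe, lsass.exe and services.exe are also the names of legitimate Windows processes, so the value data alone is a weak indicator; the value names listed in the description are what this check keys on.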
W32/Kalel-D may create a number of files in the Windows system folder including the following:
bluetooth16.ref
bluetooth32.ref
irdav1.ref
where bluetooth16.ref, bluetooth32.ref and irdav1.ref are uuencoded text files containing the mailbox_rules.zip file.
W32/Kalel-D is capable of logging keystrokes.
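Two details above lend themselves to a content-inspection check: the .ref carrier files are uuencoded text wrapping mailbox_rules.zip, and the zip member uses the readme.txt(many spaces).scr padded double-extension trick. As an added example (not part of the Sophos description), the Python below uudecodes such a file, confirms the payload is a zip, and flags members whose names are padded double extensions or end in an executable extension. The .ref content it analyses is constructed in memory with placeholder bytes; no real sample is used, and the uuencode helpers are written here rather than taken from any tool.

```python
import binascii
import io
import re
import zipfile

# Executable extensions a mail gateway would treat as risky; .pif and .scr are
# the ones the description lists for the worm's copy inside mailbox_rules.zip.
RISKY_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

# "<name>.<harmless ext><two or more spaces>.<ext>": the padded double-extension
# pattern of readme.txt(many spaces).scr described above.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<base>.+?\.[A-Za-z0-9]{1,5})(?P<pad>[ ]{2,})(?P<ext>\.[A-Za-z0-9]{1,4})$"
)


def uuencode_text(data: bytes, name: str, mode: int = 0o644) -> str:
    """Produce classic uuencode text (begin line, 45-byte data lines, trailer)."""
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines) + "\n"


def uudecode_text(text: str) -> tuple[str, bytes]:
    """Decode uuencode text; returns (declared file name, payload bytes)."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("begin ")), None)
    if start is None:
        raise ValueError("no uuencode 'begin' line found")
    declared_name = lines[start].split(" ", 2)[2]
    payload = bytearray()
    for line in lines[start + 1:]:
        if line == "end":
            break
        if line in ("", "`"):
            continue
        payload += binascii.a2b_uu(line)
    return declared_name, bytes(payload)


def classify_member_name(name: str) -> dict:
    """List the reasons an archive member name looks like a disguised executable."""
    findings = []
    m = PADDED_DOUBLE_EXT.match(name)
    if m:
        findings.append(
            f"padded double extension: '{m.group('base')}' + "
            f"{len(m.group('pad'))} spaces + '{m.group('ext')}'"
        )
    # Windows acts on the text after the last dot, so that is the effective extension.
    final_ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if final_ext in RISKY_EXTENSIONS:
        findings.append(f"executable extension {final_ext}")
    return {"name": name, "final_ext": final_ext, "findings": findings}


def inspect_ref_file(ref_text: str) -> dict:
    """Decode a .ref-style uuencoded file, confirm it is a zip, and inspect its members."""
    declared_name, payload = uudecode_text(ref_text)
    is_zip = payload.startswith(b"PK\x03\x04")
    members = []
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            members = [classify_member_name(n) for n in zf.namelist()]
    return {
        "declared_name": declared_name,
        "is_zip": is_zip,
        "members": members,
        "suspicious": any(m["findings"] for m in members),
    }


def build_sample_ref() -> str:
    """Constructed stand-in for bluetooth16.ref: a zip with a padded-name member, uuencoded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder bytes only; no real executable is embedded.
        zf.writestr("readme.txt" + " " * 40 + ".scr", b"MZ placeholder, not a real program")
        zf.writestr("notes.txt", b"harmless text")
    return uuencode_text(buf.getvalue(), "mailbox_rules.zip")


if __name__ == "__main__":
    report = inspect_ref_file(build_sample_ref())
    print("declared name:", report["declared_name"], "| zip:", report["is_zip"])
    for member in report["members"]:
        print(repr(member["name"]), "->", member["findings"] or "ok")
```

The same classify_member_name check applies directly to attachment names taken from a message, not only to members of a decoded zip, so a gateway rule can run it on mailbox_rules.zip's contents before the user ever sees the "Mail Guard" lure.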
