Sophos

W32/Kedebe-F

Aliases
  • Email-Worm.Win32.Kebede.f
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from August 2005 (3.96)
Protection available since 27 June 2005 07:10:09 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Replace the Hosts file from a backup or edit it in Notepad to remove the changes that the worm has made.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

W32/Kedebe-F is a mass-mailing worm for the Windows platform that spreads by sending emails using its own SMTP engine and by copying itself to shared folders.

W32/Kedebe-F gathers email addresses from files with the following extensions:

.abc
.asp
.dbxm
.dhtm
.doc
.eml
.htm
.inbox
.js
.msg
.nws
.oft
.php
.rtf
.stm
.txt
.vcf
.wab
.xhtm
.xml

W32/Kedebe-F may arrive in an email message with the following characteristics:

From: (constructed from)

adam
Administrator
alex
alice
andrew
anna
bill
bini
bob
brenda
brent
brian
calvin
christoph
claudia
daniel
dave
david
debby
Diversity Visa Lottery
fred
george
helen
jack
james
jane
jerry
jimmy
joe
john
jose
julie
kevin
linda
Mail Administrator
maria
mary
matt
michael
Microsoft Windows Update
mike
peter
ray
robert
sami
sandra
smith
stan
steve
ted
tom

@gto.net.com
@jmc.demon.co.uk
@sv.span.com
@wilma.widomaker.com
@writeme.com
@yahoo.com

Subject line: (one of the following)

**WARNING** Account Currently Disabled
**WARNING** Your Internet account
*Breaking News* Michael Jackson Died
*IMPORTANT* Microsoft Windows Automatic Update disabled
*IMPORTANT* You Won Diversity Visa Lottery!
[No Subject]
Administrator
Author of Mydoom has been ARRESTED!
FOR GIRLS ONLY!!, Boys
FOR THE LAST TIME!!
Fw: Fw: Osama Bin Laden has been arrested!
Fw: Fw: The 'SECRET' behind John Paul's death
I'm going to somewhere
It seems a good day!!
J Lo with no closes ON!!
John Paul's death and the doctors...
let's chat here...
Make sure u are alone
PaRtY tonight??!
Password
Re: hi
RE: the document
WE NEED TO TALK.
Welcome back
You chat room friend
you_lied
Your Information

Message text: (one of the following)

You IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account.

I'm back with the password. Hit me back

Attached is a confidential information about the Webs you browsed.

Please, try to forward this document to all your relatives and reveal the truth.

someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.

Hey we need to talk. Read the attachment and hit me back

This is for the last time. Answer me.

Big day huh! What a great surprise! I just read on Arab site that Osama bin laden has been arested by US solders. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!

I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death.

hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup.

i have found a new chat rooms, see you there.

I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!

HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up.

Damn! I Heard that Michael Jackson died this morning. The news says there was an acciedent. I have attached the whole story.

no hay sitio para ...!!

Hey, this is to tell you that the author of the Internet Worm 'MyDoom' has been arrested by Microsoft today. He is an OLD MAN, about 50s.

For girls only!! Are you alone?

We were waiting for u! Group pic available

The mail client cannot display the picture due to high resolution on the graphics. Contents has been attached as a hexadecimal text.

you again!! c ya!

Your mail account will be disabled. See the atta/

You have won the this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information.

The Visa Lottery Commite.

This message was automatically sent from the Microsoft Windows Update website.

Microsoft Corporation (c) 2001-2005. All rights reserved.

\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef\xff\xff\ xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95\x43\xe2\xfa\x7e\xfa\xa6\ x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e
We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your system with this software and delete any file detected as virus. Then try to update Windows.

I have attached it
-----Original Message-----
From:
To:
Sent: [Removed]
Subject: the document
Please send me that document

Attached file: (one of the following)

Account.doc
Bin_Laden_Arrested
chat_server
chat_server.txt
details
ditail.txt
document.doc
full_story.doc
Full_Story.doc
group_photo
Hex_Picture.txt
JohnPaul.txt
JohnPaul_Death.Doc
messaggio.doc
Microsoft_Documentation
my_girl.jpg
my_pictur.jpeg
party_location.txt
password.doc
photo.jpg
read_carefully
Removal_tool
where_the_party_is.doc
with_this_girl.jpg
you_lied.txt
your_document.doc

W32/Kedebe-F attempts to end the following processes and delete their files:

AGLE
ALAR
ALERT
ANTI
ANTS
APLICA32
APVXDWIN
ATCON
ATRO55EN
BD_PROFESSIONAL
BIDEF
BIDSERVER
BISP
BLA
BOOTWARN
BORG2
BS120
CCAPP
MON
CLEAN
CMD
COMMAND
CWNT
DEPUTY
DPF
DRWEBUPW
EDIT
ENT
FAST
FIREWALL
FP-WIN_TRIAL
FRW
GBMENU
GBPOLL
GCAS
GUARD
HACKTRACERSETUP
HIJACK
HTLOG
HWPE
IAMAPP
IAMSERV
ICLOAD
ICSSUPPNT
ICSUPP95
ICSUPPNT
IFW2000
IPARMOR
IRIS
JAMMER
KERIO
LDPRO
LLSSEV
LOCALNET
LOCKDOWN
LSETUP
LUALL
LUCOMS
MAIN
MCA
MGR
MGUI
MINILOG
MOOLIVE
MRFLUX
MSCONFIG
MSINFO32
MSSMMC32
MU0311AD
NC2000
NCINST4
NDD32
NETARMOR
NETINFO
NETSTAT
NORTO
MNTOR
NTVDM
NVARCH16
NWINST4
NWTOOL16
OSTRONET
OUTPOST
PANIXK
PDSETUP
PERISCOPE
PERSFW
PLATIN
PORT
PPINUPDT
PPTBC
PPVSTOP
PROC
PROTECT
PROXY
PSPF
PURGE
PVIEW95
REG
RESCUE
RTVSCN95
RULAUNCH
SAFE
SBSERV
SCAN
SETUPVAMEEVAL
SGSSFW32
SHELL
SHN
SMC
SMSRSS
SNDSRVC
SOFI
SOPHO
SPBBCSVC
SPF
SPHINX
SPY
ST2
STINGER
SUPFTRL
SYMA
SYN
TITANIN
TRACERT
TRJSETUP
TROJAN
UNDOBOOT
UPDATE
UPGRADE
VIRUS
ZON

W32/Kedebe-F modifies the Windows HOSTS file in an attempt to prevent access to the following sites:

avp.com
cm2.zonelabs.com
definitions.symantec.com
dispatch.mcafee.com
download.com
download.mcafee.com
download.zonelabs.com
downloads-eu1.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
kaspersky.com
liveupdate.symantecliveupdate.com
mcafee.com
microsoft.com
nai.com
networkassociates.com
rads.mcafee.com
securityresponse.symantec.com
sophos.com
symantec.com
trendmicro.com
update.zonelabs.com
updates.symantec.com
us.mcafee.com
viruslist.com
windowsupdate.com
www.avp.com
www.download.com
www.f-secure.com
www.kaspersky-labs.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.trendmicro.com
www.windowsupdate.com
www.zonelabs.com

The worm creates the following mutexes:

'D'r'o'p'p'e'd'S'k'y'N'e't'
-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
[AN UNPRINTABLE CHARACTER]DroppedKebede[AN UNPRINTABLE CHARACTER]
[AN UNPRINTABLE CHARACTER]FAST[Kebede.E]FAST[AN UNPRINTABLE CHARACTER]
[SkyNet.cz]SystemsMutex
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
____--->>>>U<<<<--_____
~~~Bloodred~~~owns~~~you~~~xoxo~~~2004
43jfds93872
89845848594808308439858307378280987074387498739847
AdmMoodownJKIS003
AdmSkynetJKIS003
AdmSkynetJklS003
DrDetroit[Bloodred.B]
H-e-l-l-B-o-t-3-T-e-a-M!!!
H-e-l-l-B-o-t-3
H-e-l-l-B-o-t
H-E-L-L-T-O-B
Kebede v5.0
Kqlgwqnnvw
LK[SkyNet.cz]SystemsMutex
MI[SkyNet.cz]SystemsMutex
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
NetDy_Mutex_Psycho
NTShell Taskman Startup Mutex
Protect_USUkUyUnUeUtU_Mutex
qwedefacedRDE
SkyNet-Sasser
SkYnEt_AVP
SkynetSasserVersionWithPingFast
SwebSipcSmtxS0
WWWdefacedWWW
Zone Alarm Mutex

The worm copies itself to the Windows system folder with one of the following names:

dlhost.exe
locator.exe
logman.exe
logonui.exe
lsas.exe
nbtstat.exe
recover.exe
regedt32.exe
rundl32.exe
services.exe
svchost.exe
telnet.exe
user.exe
usrinit.exe
winhlp32.exe
winlogon.exe
winspol.exe
wuauclt.exe
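The two artefacts listed above (security sites redirected in the HOSTS file, and the filenames the worm copies itself as) are what an administrator checks for during clean-up. The following is an added example, not code from Sophos or the page: it inspects constructed HOSTS content and constructed Run-key values against abbreviated versions of the page's lists.

```python
# Added example (not Sophos's code): defender-side check for two artefacts the
# description lists: HOSTS entries that hijack security vendor sites, and
# Run-key values pointing at the filenames the worm copies itself as.
import re

# Sites the description says the worm blocks via HOSTS (page list, abbreviated).
BLOCKED_SITES = {
    "avp.com", "kaspersky.com", "mcafee.com", "microsoft.com", "nai.com",
    "sophos.com", "symantec.com", "trendmicro.com", "windowsupdate.com",
    "www.sophos.com", "www.symantec.com", "www.windowsupdate.com",
    "liveupdate.symantecliveupdate.com", "update.zonelabs.com",
}
# Names the worm copies itself as in the system folder (page list, abbreviated).
WORM_NAMES = {"dlhost.exe", "lsas.exe", "rundl32.exe", "usrinit.exe",
              "winspol.exe", "svchost.exe", "services.exe", "winlogon.exe"}

def hosts_hijacks(hosts_text):
    """Return (ip, hostname) pairs for HOSTS lines that map a listed site."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        hits += [(ip, n.lower()) for n in names if n.lower() in BLOCKED_SITES]
    return hits

def suspicious_run_values(run_values):
    """run_values: {value_name: command} read from a ...\\CurrentVersion\\Run key.
    Flags commands whose executable basename is one of the page's names. Some of
    those names (svchost.exe, winlogon.exe) are also legitimate Windows binaries,
    which are never started from a Run value, so a hit still needs a look."""
    flagged = {}
    for value_name, command in run_values.items():
        path = command.strip()
        if path.startswith('"'):                   # quoted path, may have args
            path = path[1:].split('"', 1)[0]
        else:                                      # first whitespace token
            path = path.split()[0] if path.split() else ""
        exe = re.split(r"[\\/]", path)[-1].lower()
        if exe in WORM_NAMES:
            flagged[value_name] = exe
    return flagged

# Constructed sample inputs, not taken from a real machine.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1 localhost
127.0.0.1 www.sophos.com sophos.com
0.0.0.0   windowsupdate.com   # blocks updates
127.0.0.1 example.org
"""
SAMPLE_RUN = {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
              "Windows Update": "C:\\WINDOWS\\system32\\dlhost.exe",
              "Logon": "\"C:\\WINDOWS\\system32\\winlogon.exe\" /s"}
```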

The worm copies itself to folders containing the strings "shared" or "download" with some of the following filenames:

DVD ripper keygen.com
Flash MX 2005 Serial.exe
Internet Explorer 7.0 Installer.com
Microsoft AntiSpyware Patch.com
MSN Mesenger 7.0 Installer.com
Naked girls screen saver.scr
Norton Personal Firewal 2005 Patch.com
porn download links.txt
Sasser removal tool.com
Sasser Source Code.Sfx.com
Sasser Source code.txt
School girls getting fucked.com
Spyware remover.com
Turbo C++.pif
UPX EXE packer 2.4.com
W32.Kebede Removal tool.com
Win Server 2003 Remote Exploit.cmd
Windows XP Pro BUG FIX 2.com
WinRAR 4.2.com
ZoneAlarm Security Suite 2005 Crack.com

In order to run automatically when Windows starts up, W32/Kedebe-F sets the following registry entries with the path to the worm copy:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Run
<path of worm>

HKCU\Software\Microsoft\Windows\CurrentVersion
Run
<path of worm>

The worm changes the following registry entry:

HKLM\SOFTWARE\Microsoft\MediaPlayer\Player
"Player Already Configured"
"True"

The worm deletes the following registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run
MSMSGS
<path of msmsgs.exe>
