W32/Kindal@MM
- Type: Virus
- SubType:
- Discovery Date: 03/07/2003
- Length: 936,111 bytes
- Minimum DAT: 4253 (03/19/2003)
- Updated DAT: 4320 (01/28/2004)
- Minimum Engine: 5.1.00
- Description Added: 03/27/2003
- Description Modified: 03/27/2003 5:44 PM (PT)
Characteristics
This mass-mailing worm sends itself to all users found in the Windows Address Book (WAB) with a variety of possible emails:

Email #1 -
From: The SoftNet Security HQ
MailFrom: d.mike@netsecurityhq.com
Subject: Free Net Security Bullettin Service: New security hole.
Attachment: CP_2OOAF3.exe
Body:
Cumulative Patch: (CP_2OOAF3)
Priority: Medium/High
Patch availability: Win9x/NT/XP
The problems could let an attacker run code on your machine, read certain types of data files on an affected system, or misrepresent the origin of a file offered for download. Please, make sure your system is not affected by this problem by running the attached Analyzer/Patch.
Regards,
The SoftNet Security HQ.
--
Mike Donovald
Softnet Security HQ
email:

Email #2 -
From: Wine Richman
MailFrom: w.richman@itoneonline.org
Subject: Wine Richman - my updated resume.
Attachment: Wine_Richman.exe
Body:
Dear Ms. Tempton:
It was very enjoyable to speak with you today about the assistant account executive position at the Smith Agency. The job seems to be an excellent match for my skills and interests. The creative approach to account management that you described confirmed my desire to work with you.
Please find my updated resume in the attachment.
Sincerely,
Wine Richman
w.richman@itoneonline.org
File: Wine_Richman.exe ( Selfextracting zip archive )

Email #3 -
From: Anne Rosoe
MailFrom: anne_resoe79@hotmail.com
Subject: Hi, news about the party !
Attachment: Party List-Anne.exe
Body:
Hi wazzzup ? As promised I'm sending you the zip with all the details about the party and the list for the things we are still missing.
Let me know what you think !
cheers Anne.

Email #4 -
From: Skid Marton [@work]
MailFrom: enemy@8mileroad.ca
Subject: I mate, there you go...
Attachment: This_Is_How_I_Feel-Track-02.remixed.exe
Body:
Lyrics below and audio track file attached. Cya !
Sometimes I just feel, like Quittin I still might
Why do I still write?
And show these people what my level of skill's like
Sometimes I just hate life, Somethin ain't right
I'm goin the fuck home, She don't understand
Time for me to just to take matters into my own hands
Sometimes I get upset I'm just tryin to do what's best
And I try Sit alone and I cry Please I'm beggin you God
Please don't let me be pigeon holdin on regular job
Wherever you are, I'm tellin you dog
Cuz I ain't havin no luck with this so fuck it
(It's okay, it's okay. I'm gonna make it anyway.)
I've got every ingredient
All I need is the courage

Email #5 -
From: Stan Crossfert
MailFrom: stan.cros@NO_SPAMrabbitrun.org
Subject: Hi Marshall, here is my project for you to check...
Attachment: ProjectPlans.exe
Body:
Hey ya, check out the attached zip executable. Have a look at the whole thing, but pay attention to Fiona's plans (Folder Fiona\mywishes.txt ). She is going pretty much out of the schemes.
Ah, I forgot, how's your mum ?

______________________________

When the worm sends an email to each individual entry in the address book, it also puts in the BCC field all other email addresses in the WAB. This means that the email gets sent to each address as many times as there are WAB entries, plus one. This is also notable because it exposes every email address in the victim machine's WAB to every other person in that address book.
This worm has its own SMTP engine, and uses the default SMTP account information to find a server to send itself through.
The worm may also try to copy itself to shared folders for KaZaA, Overnet, LimeWire or Morpheus, but this was not observed in testing. If so, it may copy itself using the following list of filenames:
The filenames and email information are all encrypted, so they are not visible within the executable.
When run, the worm copies itself locally:
It also creates an empty, hidden folder:
It creates a file which contains the system date from when the file was run:
The worm creates the following registry entries so it will run again on system startup:
"SysService32" = %WinDir%\systask32l.exe
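As an added illustration of the indicators listed above (example code written for this page, not McAfee's code and not anything from the worm), the following Python matches a message's Subject and attachment filenames against the five lures, counts the Bcc recipients the worm fills from the WAB, and flags a Run-key export entry matching the "SysService32" value. The sample messages, the example.test addresses and the Run-key entries are constructed for the demonstration; the description does not state which Run key holds the value, so the autorun check compares only the value name and the executable's basename.

```python
"""Triage helpers for the W32/Kindal@MM indicators listed above.

Added example, not McAfee's code. The lure table and the autorun value are
taken from the description; the sample messages and Run-key entries are
constructed here for the demonstration.
"""
import email
import ntpath
from email import policy
from typing import Optional

# (Subject, Attachment) pairs for the five lures listed in the description.
KINDAL_LURES = {
    "Free Net Security Bullettin Service: New security hole.": "CP_2OOAF3.exe",
    "Wine Richman - my updated resume.": "Wine_Richman.exe",
    "Hi, news about the party !": "Party List-Anne.exe",
    "I mate, there you go...": "This_Is_How_I_Feel-Track-02.remixed.exe",
    "Hi Marshall, here is my project for you to check...": "ProjectPlans.exe",
}

# Startup value the worm writes; the description gives only the value name
# and data, not the containing Run key, so the check below is key-agnostic.
KINDAL_AUTORUN_NAME = "SysService32"
KINDAL_AUTORUN_EXE = "systask32l.exe"


def match_lure(raw_message: str) -> Optional[dict]:
    """Parse one RFC 822 message and return the matching lure, or None.

    A message is flagged when its Subject equals a known lure subject or any
    attachment filename equals a known lure attachment. The result also
    carries the Bcc recipient count: the worm copies the whole address book
    into Bcc, so a large count on a flagged message is the expected pattern.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hit_attachments = [a for a in attachments if a in KINDAL_LURES.values()]
    if subject not in KINDAL_LURES and not hit_attachments:
        return None
    bcc = msg["Bcc"].addresses if msg["Bcc"] else ()
    return {
        "subject": subject,
        "attachments": hit_attachments,
        "bcc_recipients": len(bcc),
        "sender": str(msg["From"] or ""),
    }


def flag_autoruns(entries):
    """Return the (name, data) Run-key entries that match the worm's value.

    entries: iterable of (value_name, data) pairs, e.g. from a reg.exe or
    Autoruns export. Matching is case-insensitive and tolerates an expanded
    %WinDir% or surrounding quotes by comparing the executable's basename.
    """
    hits = []
    for name, data in entries:
        exe = ntpath.basename(data.strip('"')).lower()
        if name.lower() == KINDAL_AUTORUN_NAME.lower() or exe == KINDAL_AUTORUN_EXE:
            hits.append((name, data))
    return hits


# Constructed sample: a copy of lure #3 as it would leave the worm's SMTP
# engine, with the rest of the address book dumped into Bcc.
SAMPLE_WORM_MAIL = """\
From: Anne Rosoe <anne_resoe79@hotmail.com>
To: alice@example.test
Bcc: bob@example.test, carol@example.test, dave@example.test
Subject: Hi, news about the party !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="kindal-demo"

--kindal-demo
Content-Type: text/plain

Hi wazzzup ? As promised I'm sending you the zip with all the details.
--kindal-demo
Content-Type: application/octet-stream; name="Party List-Anne.exe"
Content-Disposition: attachment; filename="Party List-Anne.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--kindal-demo--
"""

# Constructed sample: an ordinary message that should not be flagged.
SAMPLE_BENIGN_MAIL = """\
From: hr@example.test
To: alice@example.test
Subject: Interview follow-up
Content-Type: text/plain

Thanks for coming in today.
"""

# Constructed sample: Run-key export with one legitimate entry and the worm's.
SAMPLE_AUTORUNS = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("SysService32", r"C:\WINDOWS\systask32l.exe"),
]

if __name__ == "__main__":
    print(match_lure(SAMPLE_WORM_MAIL))
    print(match_lure(SAMPLE_BENIGN_MAIL))
    print(flag_autoruns(SAMPLE_AUTORUNS))
```

The subject and attachment strings are matched exactly as the description prints them, including the worm's own spelling of "Bullettin"; a gateway rule built on these should not "correct" them, since the misspelling is part of the indicator.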
Symptoms
Method of Infection
Upon execution, the worm spreads by mailing itself to every user found in the Windows Address Book contact list and by copying itself to the P2P clients' shared folders.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Kindal (AVP)
- W32.HLLP.Kindal@mm (NAV)
- W32/Kindal (Panda)