W32/Kalel.a@MM

Type: Virus
SubType: Email
Discovery Date: 05/30/2005
Length: 101,376
Minimum DAT: 4502 (05/30/2005)
Updated DAT: 4535 (07/14/2005)
Minimum Engine: 5.1.00
Description Added: 05/30/2005
Description Modified: 05/31/2005 3:13 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This detection is for a mass-mailing worm.

Mail Propagation

The virus arrives in an email message as follows:

From: (spoofed sender address)
Do not assume that the apparent sender is infected: the From address is forged. You may also receive bounce or alert messages from a mail server claiming that you are infected, which is not necessarily the case.

Subject: **WARNING** Mailbox Suspension

Body:
This message was created automatically by mail delivery software (TMDA) - do not reply.
In order to safeguard your mailbox from unexpected termination, please read the attached document.

++ Attachment: No Virus found
++Norton AntiVirus
http://www.symantec.com

Attachment: UserPolicy.zip (uuencoded rather than MIME base64-encoded)
The zip file contains the worm under one of the following names (the second uses a whitespace-padded double extension so that the real .scr extension is pushed out of view in file listings):

  • readme.pif
  • readme.txt .scr
  • readme.scr
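
The lure above hides the executable twice: the zip is uuencoded instead of being sent as a MIME part, and the member name can carry a padded double extension. The following script is an added example (not McAfee's code, and not part of the original description) that decodes uuencoded begin/end blocks found in a message's text bodies, opens the zip in memory and reports the page's indicators. It assumes the uuencoded block sits inline in the body, as such worms normally emitted it; the sample message is constructed here and its zip holds a harmless placeholder.

```python
"""Detect the W32/Kalel.a@MM lure in a raw mail message (added example,
not McAfee's code). The worm ships its zip uuencoded rather than as a
MIME part, so the decoder below scans text bodies for begin/end blocks.
The sample message is constructed here; the file names are the page's."""
import binascii
import io
import re
import zipfile
from email import message_from_string

SUBJECT_LURE = "**WARNING** Mailbox Suspension"
ATTACHMENT_LURE = "userpolicy.zip"
EXEC_EXTS = (".pif", ".scr", ".exe", ".com", ".bat")
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$")
PADDED_EXT = re.compile(r"\.\w+\s+\.\w+$")  # e.g. "readme.txt      .scr"


def extract_uu_attachments(body):
    """Return [(name, bytes)] for every uuencoded block in a text body."""
    out, lines, i = [], body.splitlines(), 0
    while i < len(lines):
        m = UU_BEGIN.match(lines[i])
        if not m:
            i += 1
            continue
        name, buf, i = m.group(1), bytearray(), i + 1
        while i < len(lines) and lines[i].strip() != "end":
            if lines[i].strip():                    # skip blank lines
                buf += binascii.a2b_uu(lines[i])    # one <=45-byte chunk per line
            i += 1
        out.append((name, bytes(buf)))
        i += 1                                      # step past "end"
    return out


def text_bodies(msg):
    """Yield the decoded text of the body or of every non-multipart text part."""
    parts = [msg] if not msg.is_multipart() else [p for p in msg.walk() if not p.is_multipart()]
    for p in parts:
        if p.get_content_maintype() == "text":
            raw = p.get_payload(decode=True) or b""
            yield raw.decode(p.get_content_charset() or "latin-1", "replace")


def analyze(raw_message):
    """Return a list of indicator strings found in the message."""
    msg = message_from_string(raw_message)
    findings = []
    if (msg.get("Subject") or "").strip() == SUBJECT_LURE:
        findings.append("subject matches Kalel lure")
    for body in text_bodies(msg):
        for name, data in extract_uu_attachments(body):
            if name.lower() == ATTACHMENT_LURE:
                findings.append(f"uuencoded attachment {name} matches Kalel lure")
            if data[:2] != b"PK":               # not a zip local-file header
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXEC_EXTS):
                        findings.append(f"{name} contains executable member {member!r}")
                    if PADDED_EXT.search(member):
                        findings.append(f"{name} member {member!r} uses a padded double extension")
    return findings


def build_sample_message():
    """Constructed lure in the format shown on the page; the zip holds a
    harmless placeholder, not the worm."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("readme.txt      .scr", b"MZ placeholder, constructed")
    data = zbuf.getvalue()
    uu = ["begin 644 UserPolicy.zip"]
    for off in range(0, len(data), 45):
        uu.append(binascii.b2a_uu(data[off:off + 45]).decode("ascii").rstrip("\n"))
    uu += ["`", "end"]
    return ("From: postmaster@example.com\nTo: user@example.org\n"
            f"Subject: {SUBJECT_LURE}\n\n"
            "This message was created automatically by mail delivery software (TMDA) - do not reply.\n"
            "In order to safeguard your mailbox from unexpected termination, please read the attached document.\n\n"
            + "\n".join(uu) + "\n")


if __name__ == "__main__":
    for finding in analyze(build_sample_message()):
        print(finding)
```

A gateway filter that only walks MIME parts never sees this zip, which is the point of decoding the body text as well; the padded-extension check is worth keeping independently of this worm, since no legitimate archive member needs whitespace before its final extension.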

Installation

When the attachment is run, the worm copies itself into the Windows "system" directory under names borrowed from core Windows processes (on NT-family systems the genuine smss.exe, services.exe and lsass.exe reside in system32, not in system):

  • C:\Windows\system\smss.exe
  • C:\Windows\system\services.exe
  • C:\Windows\system\lsass.exe

It also creates the following files:

  • C:\Windows\system32\kbtrace32.ref (keyboard log file)
  • C:\Windows\system32\rundll16.ref (uuencoded copy of itself)
  • C:\Windows\system32\rundll32.ref (uuencoded copy of itself)
  • C:\Windows\system32\rundll64.ref (uuencoded copy of itself)
  • C:\Windows\system32\rockefeller.dat (text file)
  • C:\Windows\system\rfdriver32.dll
  • C:\Windows\system\rfdriver16.dll
  • C:\Windows\system32\rockefeller66.zip
  • C:\Windows\system32\rockefeller65.zip
  • C:\Windows\system32\rockefeller64.zip
  • C:\Windows\system32\mouse_drv64.dat
  • C:\Windows\system32\mouse_drv32.ocx
  • C:\Windows\system32\mouse_drv16.ref

Registry values are created to load the worm at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Service Controller" = C:\WINDOWS\system\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MS Security Authority Service" = C:\WINDOWS\system\lsass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "Windows Session Manager Subsystem" = C:\WINDOWS\system\smss.exe
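
The dropped files and autorun values above are the host-side indicators a responder checks first. The script below is an added example (not McAfee's tool and not part of the original description) that looks for the listed files under a given Windows directory and inspects Run/RunOnce values, flagging both the worm's own value names and the more general pattern of a core process name (smss.exe, services.exe, lsass.exe) being launched from anywhere other than system32. The constructed sample tree, the helper names and the generic masquerade rule are this example's own; on a live Windows host it reads the real values through the standard library's winreg module.

```python
"""Host triage for the W32/Kalel.a@MM file and autorun indicators listed
above (added example, not McAfee's tool). Checks take a Windows directory
path and a dict of Run/RunOnce values so they run offline on a constructed
tree; read_live_run_entries() reads the real values on Windows via winreg."""
import os
import sys
import tempfile

# Dropped files, relative to the Windows directory, as listed on the page.
DROPPED_FILES = [
    r"system\smss.exe", r"system\services.exe", r"system\lsass.exe",
    r"system\rfdriver32.dll", r"system\rfdriver16.dll",
    r"system32\kbtrace32.ref", r"system32\rundll16.ref",
    r"system32\rundll32.ref", r"system32\rundll64.ref",
    r"system32\rockefeller.dat", r"system32\rockefeller66.zip",
    r"system32\rockefeller65.zip", r"system32\rockefeller64.zip",
    r"system32\mouse_drv64.dat", r"system32\mouse_drv32.ocx",
    r"system32\mouse_drv16.ref",
]
# Autorun value names the worm creates, with the data listed on the page.
RUN_VALUES = {
    "Windows Service Controller": r"C:\WINDOWS\system\services.exe",
    "MS Security Authority Service": r"C:\WINDOWS\system\lsass.exe",
    "Windows Session Manager Subsystem": r"C:\WINDOWS\system\smss.exe",
}
# Core process names the worm borrows; the genuine binaries live in system32
# and are started by the kernel/session manager, never from a Run value.
MASQUERADED = ("smss.exe", "services.exe", "lsass.exe")


def find_dropped_files(windir):
    """Return full paths of the listed files that exist under windir."""
    hits = []
    for rel in DROPPED_FILES:
        path = os.path.join(windir, *rel.split("\\"))
        if os.path.isfile(path):
            hits.append(path)
    return hits


def _image_path(data):
    """Image path of a Run value: the quoted path, else the first token
    (unquoted paths containing spaces are deliberately truncated)."""
    d = data.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split()[0] if d else ""


def check_run_entries(entries):
    """entries: {value_name: data}. Flags Kalel's own value names and any
    entry launching a borrowed core-process name from outside system32."""
    findings = []
    for name, data in entries.items():
        if name in RUN_VALUES:
            findings.append(f"known Kalel autorun value: {name} = {data}")
            continue
        image = _image_path(data).replace("\\", "/")
        base = os.path.basename(image).lower()
        parent = os.path.basename(os.path.dirname(image)).lower()
        if base in MASQUERADED and parent != "system32":
            findings.append(f"borrowed system process name outside system32: {name} = {data}")
    return findings


def read_live_run_entries():
    """Windows only: collect HKCU/HKLM Run and HKLM RunOnce values."""
    entries = {}
    if sys.platform != "win32":
        return entries
    import winreg
    keys = [(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run"),
            (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
            (winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce")]
    for hive, sub in keys:
        try:
            with winreg.OpenKey(hive, sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = value count
                    name, data, _ = winreg.EnumValue(key, i)
                    entries[name] = str(data)
        except OSError:
            continue
    return entries


def make_sample_windir():
    """Constructed Windows-directory tree holding two of the dropped file
    names as harmless placeholders, for offline testing."""
    root = tempfile.mkdtemp(prefix="kalel_sample_")
    for rel in (r"system\lsass.exe", r"system32\kbtrace32.ref"):
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not malware")
    return root


if __name__ == "__main__":
    windir = os.environ.get("WINDIR") or make_sample_windir()
    for hit in find_dropped_files(windir):
        print("dropped file:", hit)
    for finding in check_run_entries(read_live_run_entries()):
        print(finding)
```

The name-versus-directory rule is the durable part: a process called lsass.exe or smss.exe whose image is not in system32 is suspicious regardless of which family planted it, and is cheap to check from a Run value, a process listing or an EDR event.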

Symptoms

This worm runs notepad.exe and displays the following message:

The worm opens a backdoor listening on TCP port 4784 and runs a keylogger (keystrokes are written to the kbtrace32.ref file listed above). It also terminates the following processes (the list mixes window titles with an image name):

  • WinStart
  • Norton Antivirus AV
  • winshost.exe
  • HELLBOT TEST

The worm also attempts to access http://search.yahoo.com.

Method of Infection

The mailing component skips harvested addresses that contain any of the following strings (a common trick to avoid mailing security vendors, abuse desks and honeypot-style mailboxes):

  • .edu
  • .gov
  • .mil
  • .qmail@
  • @angelfire.com
  • @cisco.com
  • @cpan.org
  • @eff.org
  • @ethereal.com
  • @example.
  • @foo.
  • @geocities.
  • @gnu.org
  • @hotmail
  • @iana
  • @lists.
  • @lucent.com
  • @msn.com
  • @perl.org
  • @python.org
  • @relay
  • @sun.com
  • @tcpdump.org
  • @www
  • @yahoo
  • abuse
  • admin@
  • advertising@
  • anyone
  • anywhere
  • aol.com
  • arin.
  • bsd.org
  • bugs@
  • cert.org
  • certs@
  • contact@
  • customer@
  • daemon
  • domain.
  • drsolomon
  • example
  • excite.com
  • feedback@
  • f-prot
  • google
  • grisoft.com
  • help@
  • ibm.com
  • info@
  • kaspersky
  • linux
  • lycos.com
  • master
  • mcafee
  • microsoft
  • mozilla
  • msdn
  • netscape
  • news
  • nobody
  • noreply
  • nothing
  • panda
  • password
  • rating@
  • report
  • ripe-
  • ripe.
  • root@
  • sales@
  • secur
  • sendmail
  • service@
  • sophos
  • sourceforge
  • spam
  • submit
  • subscribe
  • support
  • symantec
  • test@
  • unix
  • user@
  • virus
  • whatever@
  • whoever@
  • yourname

The worm sends itself via SMTP using its own SMTP engine rather than the local mail client. It guesses the recipient's mail server by prepending the following strings to the recipient's domain name:

  • smtp.
  • mail.
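
Two of the behaviours on this page are visible on the network without any host access: a workstation that speaks SMTP directly to guessed smtp./mail. hosts (above), and connections to the TCP/4784 backdoor (Symptoms). The script below is an added example, not McAfee's or the original description's, of detection logic for both. It runs over constructed connection-log lines in a generic key=value firewall format; the field names, the sample addresses and the threshold of three distinct SMTP destinations are this example's assumptions. Access to search.yahoo.com is deliberately not used as an indicator, since on its own it is indistinguishable from normal browsing.

```python
"""Network-side detection for two behaviours described on this page
(added example, not McAfee's): workstations delivering mail directly to
guessed smtp./mail. hosts on TCP/25, and inbound connections to the
TCP/4784 backdoor. Log lines are constructed in a generic key=value format."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dsthost=(?P<dsthost>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) dir=(?P<dir>in|out)")

# Constructed sample: 10.1.2.3 is an infected workstation, 10.1.0.5 the
# site's legitimate relay, 10.1.2.9 a user who sent one message directly.
SAMPLE_LOG = """\
May 30 10:00:01 fw1 conn: src=10.1.2.3 dst=203.0.113.10 dsthost=smtp.example.net dport=25 proto=tcp dir=out
May 30 10:00:02 fw1 conn: src=10.1.2.3 dst=203.0.113.11 dsthost=mail.example.org dport=25 proto=tcp dir=out
May 30 10:00:02 fw1 conn: src=10.1.2.3 dst=198.51.100.20 dsthost=search.yahoo.com dport=80 proto=tcp dir=out
May 30 10:00:03 fw1 conn: src=10.1.2.3 dst=203.0.113.12 dsthost=smtp.example.com dport=25 proto=tcp dir=out
May 30 10:00:03 fw1 conn: src=10.1.0.5 dst=203.0.113.10 dsthost=smtp.example.net dport=25 proto=tcp dir=out
May 30 10:00:04 fw1 conn: src=10.1.0.5 dst=203.0.113.11 dsthost=mail.example.org dport=25 proto=tcp dir=out
May 30 10:00:04 fw1 conn: src=10.1.0.5 dst=203.0.113.12 dsthost=smtp.example.com dport=25 proto=tcp dir=out
May 30 10:00:05 fw1 conn: src=10.1.2.9 dst=203.0.113.11 dsthost=mail.example.org dport=25 proto=tcp dir=out
May 30 10:00:06 fw1 conn: src=198.51.100.7 dst=10.1.2.3 dsthost=- dport=4784 proto=tcp dir=in
May 30 10:00:07 fw1 conn: src=10.1.2.3 dst=203.0.113.13 dsthost=mail.example.test dport=25 proto=tcp dir=out
"""

BACKDOOR_PORT = 4784                 # from the Symptoms section
MX_GUESS_PREFIXES = ("smtp.", "mail.")  # the prefixes the worm prepends


def parse(log):
    """Yield one dict per parseable connection line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            yield ev


def detect(log, mail_relays, threshold=3):
    """Return (kind, internal_host, detail) findings.
    mail_relays: internal hosts allowed to make outbound SMTP connections."""
    findings = []
    smtp_dests = defaultdict(set)   # src -> distinct SMTP destination IPs
    guessed = defaultdict(int)      # src -> how many targets looked like smtp./mail.
    for ev in parse(log):
        if ev["dir"] == "in" and ev["proto"] == "tcp" and ev["dport"] == BACKDOOR_PORT:
            findings.append(("backdoor-port", ev["dst"],
                             f"inbound tcp/{BACKDOOR_PORT} from {ev['src']}"))
        elif (ev["dir"] == "out" and ev["proto"] == "tcp" and ev["dport"] == 25
              and ev["src"] not in mail_relays):
            smtp_dests[ev["src"]].add(ev["dst"])
            if ev["dsthost"].lower().startswith(MX_GUESS_PREFIXES):
                guessed[ev["src"]] += 1
    for host, dests in smtp_dests.items():
        if len(dests) >= threshold:
            findings.append(("direct-to-mx", host,
                             f"{len(dests)} distinct SMTP destinations, "
                             f"{guessed[host]} named smtp./mail."))
    return findings


if __name__ == "__main__":
    for kind, host, detail in detect(SAMPLE_LOG, mail_relays={"10.1.0.5"}):
        print(f"{kind:13} {host:12} {detail}")
```

The direct-to-MX rule is only usable where workstations are not supposed to send mail themselves, which is why the relay allow-list is a parameter; the same egress policy that makes the rule work (block outbound TCP/25 from everything but the relays) also stops this worm's mailing component outright.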

The worm also attempts to copy itself to the following P2P application shared folders.

  • c:\My Downloads\
  • c:\My Shared Folder\
  • c:\program files\Ares\My Shared Folder\
  • c:\program files\BearShare\Shared\
  • c:\program files\direct connect\received files\
  • c:\program files\eDonkey2000\incoming\
  • c:\program files\eMule\Incoming\
  • c:\program files\gnucleus\downloads\
  • c:\program files\gnucleus\downloads\incoming\
  • c:\program files\grokster\my grokster\
  • c:\program files\grokster\my shared folder\
  • c:\program files\icq\shared files\
  • c:\program files\KaZaa Lite\My Shared Folder\
  • c:\program files\KaZaa\My Shared Folder\
  • c:\program files\KMD\my shared folder\
  • c:\program files\limeWire\shared\
  • c:\program files\Morpheus\my shared folder\
  • c:\program files\rapigator\share\
  • c:\program files\shareaza\downloads\
  • c:\program files\StreamCast\Morpheus\my shared folder\
  • c:\programmi\Ares\My Shared Folder\
  • c:\programmi\BearShare\Shared\
  • c:\programmi\direct connect\received files\
  • c:\programmi\eDonkey2000\incoming\
  • c:\programmi\eMule\Incoming\
  • c:\programmi\gnucleus\downloads\
  • c:\programmi\gnucleus\downloads\incoming\
  • c:\programmi\grokster\my grokster\
  • c:\programmi\grokster\my shared folder\
  • c:\programmi\icq\shared files\
  • c:\programmi\KaZaa Lite\My Shared Folder\
  • c:\programmi\KaZaa\My Shared Folder\
  • c:\programmi\KMD\my shared folder\
  • c:\programmi\limeWire\shared\
  • c:\programmi\Morpheus\my shared folder\
  • c:\programmi\rapigator\share\
  • c:\programmi\shareaza\downloads\
  • c:\Programmi\StreamCast\Morpheus\my shared folder\
  • c:\shared\

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.