Virus Encyclopedia
Welcome to the Virus Encyclopedia of the Panda Security Laboratory.
Effects
Kedebe.B performs the following actions:
- Terminates the following processes if they are active in memory:
AGENTSVR.EXE, ANTIVIRUS.EXE, ASFAgent.exe, ATWATCH.EXE, avserve2.exe, CCAPP.EXE, CCEVTMGR.EXE, CCSETMGR.EXE, CLEAN.EXE, DAP.EXE, ESCANH95.EXE, EXANTIVIRUS-CNET.EXE, FLOWPROTECTOR.EXE, FP-WIN_TRIAL.EXE, FSAV530STBYB.EXE, gcasDtServ.exe, gcasServ.exe, gcasServAlert.exe, GIANTAntiSpywareMain.exe, GIANTAntiSpywareUpdater.exe, HACKTRACERSETUP.EXE, isafe.exe, KILLPROCESSSETUP161.EXE, LLSSev.exe, LUALL.EXE, LUCOMS~1.EXE, LUCOMSERVER.EXE, LXER32.VAV, mantispm.exe, MCUPDATE.EXE, MSSMMC32.EXE, NAVAPSVC.EXE, NETMON.EXE, NETSPYHUNTER-1.2.EXE, NMAIN.EXE, NORTON_INTERNET_SECU_3.0_407.EXE, NPFMNTOR.EXE, NPROTECT.EXE, NUPGRADE.EXE, OPScan.exe, OSTRONET.EXE, PENIS32.EXE, PROCEXPLORERV1.0.EXE, PROPORT.EXE, RESCUE.EXE, Rtvscan.exe, SHELLSPYINSTALL.EXE, SNDSrvc.exe, SPBBCSvc.exe, SPYXX.EXE, SYMPROXYSVC.EXE, TASKMGR.EXE, TRJSCAN.EXE, TROJANTRAP3.EXE, vsmon.exe, WATCHDOG.EXE, WEBSCANX.EXE, WHOSWATCHINGME.EXE, zlclient.exe, ZONALM2601.EXE, ZONEALARM.EXE.
Most of these processes belong to security tools, such as antivirus programs and firewalls, among others, and terminating them leaves the affected computer vulnerable to attack by other malware.
- Prevents the user from accessing the following web pages, most of which belong to computer security companies:
checkpoint.com
cm2.zonelabs.com
download.mcafee.com
download.zonelabs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
downloads4.kaspersky-labs.com
downloads-eu1.kaspersky-labs.com
downloads-us1.kaspersky-labs.com
hotmail.com
kaspersky.com
liveupdate.symantecliveupdate.com
mcafee.com
microsoft.com
nai.com
networkassociates.com
securityresponse.symantec.com
sophos.com
symantec.com
update.zonelabs.com
updates.symantec.com
viruslist.com
windowsupdate.com
www.checkpoint.com
www.f-secure.com
www.hotmail.com
www.kaspersky.com
www.mcafee.com
www.microsoft.com
www.nai.com
www.networkassociates.com
www.sophos.com
www.symantec.com
www.windowsupdate.com
www.yahoo.com
www.zonelabs.com
yahoo.com
zonelabs.com
Infection Method
Kedebe.B creates the following files in the Windows system directory:
- A file with a random name taken from the following list:
AVMON.EXE, CUAPP.EXE, DWRMGR32.EXE, GCASAV32.EXE, GCASCTRL.EXE, KERNE132.EXE, LUCOMS~2.EXE, MSCPPMGR.EXE, MSSCAN.EXE, NETM0N.EXE, VCTRL.EXE, WINSSC32.EXE, WINXPLT.EXE, ZLBCLIENT.EXE.
This file is a copy of the worm.
- WIN32INFCHKR.EXE. This file, although it pretends to be an executable, is actually a text file that contains the following phrases:
Properly infected. Kill those fools, Mydoom-er and Bagle-r!! They're DEAD!! EthioLove.X!!
Kedebe.B deletes the following files, if they exist:
- GIANTANTISPYWAREMAIN.EXE, GIANTANTISPYWAREUPDATER.EXE, MANTISPM.EXE.
Kedebe.B modifies the HOSTS file to prevent access to certain web pages.
Kedebe.B creates the following entries in the Windows Registry:
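As an added defender-side example (not Panda Security's code), the following Python script scans the text of a Windows HOSTS file for mappings that override the security-vendor, update and webmail domains listed under Effects. The list is collapsed to its registrable domains so that any subdomain (for example liveupdate.symantecliveupdate.com) is also caught. The sample HOSTS content is constructed for the example.

```python
"""Scan Windows HOSTS file text for entries that redirect security-vendor
and update domains, the modification this entry attributes to Kedebe.B.
Example code added to this entry; not Panda Security's code."""
from typing import Dict, List, Optional

# Registrable domains covering the blocked-site list in this entry.
BLOCKED_DOMAINS = {
    "checkpoint.com", "zonelabs.com", "mcafee.com", "kaspersky-labs.com",
    "kaspersky.com", "hotmail.com", "symantecliveupdate.com", "microsoft.com",
    "nai.com", "networkassociates.com", "symantec.com", "sophos.com",
    "viruslist.com", "windowsupdate.com", "f-secure.com", "yahoo.com",
}

# Mappings that are legitimately present on most systems.
BENIGN = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def _matches_blocked(hostname: str) -> Optional[str]:
    """Return the blocked domain that hostname equals or falls under, else None."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the full name down to its two-label suffix.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def scan_hosts(text: str) -> List[Dict[str, object]]:
    """Parse HOSTS content and return one finding per suspicious mapping."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # not an "ip hostname..." mapping
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name.lower()) in BENIGN:
                continue
            hit = _matches_blocked(name)
            if hit:
                findings.append(
                    {"line": lineno, "ip": ip, "host": name, "domain": hit}
                )
    return findings


# Constructed sample: a HOSTS file after the kind of modification described.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantecliveupdate.com   # added by malware
0.0.0.0         downloads1.kaspersky-labs.com
192.168.1.10    intranet.example   # legitimate local entry
"""

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} (blocks {f['domain']})")
```

On a live system the input would be the contents of %SystemRoot%\System32\drivers\etc\hosts; any hit for a vendor or update domain is a strong sign that updates and signature downloads are being silently broken.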
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Console Monitor = %sysdir%\%name%
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
load = %sysdir%\%name%
where %sysdir% is the Windows system directory and %name% is the random name of the copy of the worm.
Through these entries, Kedebe.B runs every time Windows starts.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization = Ethiopian H@cker
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner = BiniDogg
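The registry entries above can be checked offline from a regedit export (the text produced by regedit /e). The following Python script, added here as an example and not Panda Security's code, parses such an export and reports the Run value, the non-empty load value, and the RegisteredOrganization/RegisteredOwner strings given in this entry. The load value is a legacy Win.ini autostart hook that is normally empty, so any non-empty value is reported. The sample export is constructed for the example.

```python
"""Check a regedit export (.reg text) for the persistence and branding
entries this entry attributes to Kedebe.B.  Example code added here; not
Panda Security's code.  The sample export below is constructed."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
VERSION_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Indicators taken from this entry (compared case-insensitively).
SUSPECT_RUN_VALUE = "Windows Console Monitor"
SUSPECT_BRANDING = {
    "RegisteredOrganization": "ethiopian h@cker",
    "RegisteredOwner": "binidogg",
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and "name"="data" lines of a .reg export.
    Keys and value names are lower-cased; only REG_SZ data is unescaped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name").replace('\\"', '"')
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.lower()] = data
    return keys


def find_indicators(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) triples matching this entry's indicators."""
    keys = parse_reg(text)
    hits: List[Tuple[str, str, str]] = []
    run = keys.get(RUN_KEY.lower(), {})
    if SUSPECT_RUN_VALUE.lower() in run:
        hits.append((RUN_KEY, SUSPECT_RUN_VALUE, run[SUSPECT_RUN_VALUE.lower()]))
    # 'load' is empty on a clean system; anything here starts at logon.
    load = keys.get(LOAD_KEY.lower(), {}).get("load", "")
    if load:
        hits.append((LOAD_KEY, "load", load))
    ver = keys.get(VERSION_KEY.lower(), {})
    for name, bad in SUSPECT_BRANDING.items():
        if ver.get(name.lower(), "").lower() == bad:
            hits.append((VERSION_KEY, name, ver[name.lower()]))
    return hits


# Constructed sample export reflecting the entries described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Console Monitor"="C:\\WINDOWS\\system32\\NETM0N.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\system32\\NETM0N.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization"="Ethiopian H@cker"
"RegisteredOwner"="BiniDogg"
"""

if __name__ == "__main__":
    for key, name, data in find_indicators(SAMPLE_REG):
        print(f"{key}\n    {name} = {data}")
```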
Propagation Method
Kedebe.B spreads through e-mail. To do so, it carries out the following process:
It arrives on the computer in a message with the following characteristics:
Sender:
Kedebe.B spoofs the address it is sent from. It can be one of the following:
Internet Explorer Team iexplorer@microsoft.com
jackoonfive@micaeljackoon.com
Secqrity Response secqrity@microsoft.com
Secqrity Team
The Jackson Brothers
or be composed from a list of names and domains:
Possible names: daniel_kqql, helen, helen_2002, helina_sexy, joe_ooql, michael, oamqel_99.
Possible domains: @gmail.com, @hotmail.com, @msn.com, @yahoo.com, aol.com, fastmail.fm, mail.com, myway.com, yahoo.co.qk.
Subject: one of the following:
Attention!
Attention! Your Internet account has been...
Don't send this to me again!
I have received your mail.
I'm still waiting for your reply...
Internet Explorer 7.0 on the row!!
Mail server upgrading info.
Sign a petition for Micael Jackson
Urgent! Symantec Security Response.
Body: one of the following:
Hey, why did you send this to me? I'm not going to talk to you again. You know I don't like such kinda pics. I have painted a reply on it. I have also covered the nasty parts with dark color. Anyway check it out it is all in the attachment. Please don't send this kind of pictures to me.
Hi, how are you? I'm fine. Why didn't you reply to me? I'm still waiting...by the way I have sent you my recent picture with the close that like most on. Please reply to me, I'm still waiting for you. I will send you another picture next time you reply, OK.
I don't think you know me. But one thing is happening to me. It's your mail appearing in my inbox. I am pissed off right now.
Dear customer,
I think it is business related mail, but I don't have the habit to read someone else's mail. So I have downloaded put it in the and about the 'Genuine Microsoft' product information consult the attached file. Download mirrors are also included. So, I want you to do something. Either change your email or change your SMTP server, in that way I may get rest and If you can't read the above message, then your E-Mail Server is not capable of decrypting secured E-Mails. Consult the so you may get your mail. But if you don't, I'm not going to send you the message rather I am going to put it to spam. Please be fast, it's making my mail box out of space. Thanks in advance.
Microsoft Internet Explorer 7.0 Beta has been ready for download from the Microsoft Web site. How to download Microsoft Windows Security Agent. All Rights Reserved 2005.
attached secured file for the same message content.
We have been working hard to prevent you from computer Viruses, Trojans and Internet Worms. But we have found a new and different computer Virus spreading through the Internet, which cannot be detect by any AnitVirus softwares other than Norton. This Worm has been on the Internet since last month. Considering this, Symantec has prepared a zipped 'Patch' that works for all AntiVirus softwares including, Sophos and McAfee. Symantc strongly recommand you to download and install this patch. But if your computer is already infected then this patch will not work. Furthermore, it is hard to remove the Virus after being infected. Do not wait untill your computer gets infected. NOTE: This is a freeware. You can share with any of your relatives.
Symantec Security Response Team. All Rights Reserved.
Dear user,
This is to inform you that we are planning to clean the server (http://%random web address%) for Viruses. During this time the server may be closed. So we have created a temporary mail account for you on a temporary server. In this case, your current ID, will be used but you'll need to log in on another server. How to perform this task, the temporary mail server address and your temporary mail ID is in the attached file. Follow the clearly organised steps in the attachment to log on to our temporary mail server. Be careful! This server is going to be closed in three days as you might not get this file until we upgrade this server. If you encounter any problem during the process, please contact: %random name% Sorry for the inconveniences you encounted.
As you know Michael is innocent. And if you believe he is innocent please sign the petition and e-mail us. Please, it won't take a minute. Name of people who have signed and the electronic form is in the attachment. If you do no agree that he is innocent, please fill in the form and let us know what your attitude is. Thank you in advance!
The Michael Jackson Commite 2005.
Attachment: one of the following:
NORTON ANTIVIRUS 2006 CRACK.EXE
NAKED TEEN-ACTIONS.COM
ZONEALARM SECURITY SUITE 2005 CRACK.COM
WIN SERVER 2003 REMOTE EXPLOIT.CMD
MICROSOFT ANTISPYWARE CRACK.COM
DVD TO MP3 CONVERTER.EXE
ADMINI PASSWORD CRACKER.EXE
The computer becomes affected when the attachment is run.
Kedebe.B searches for e-mail addresses in files with the following extensions:
ABC, ASP, DHTM, DOC, EML, HTM, HTML, PHP, RTF, STM, TXT, VCF, WAB, XHHM.
Kedebe.B sends a copy of itself to all the addresses it has collected.
Other Details
Kedebe.B is written in the Visual Basic v6 programming language. This worm is 45056 bytes in size and is compressed with UPX.
Kedebe.B creates the following mutexes to ensure that only one copy of the worm is active. In addition, it prevents other worms (particularly Mytob and Netsky) that use these names for their own mutexes from running:
H-E-L-L-B-O-T
-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
[SkyNet.cz]SystemsMutex
AdmSkynetJklS003