[virusinfo] W32/Kalel-B

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Sun, 05 Jun 2005 20:32:15 -0700

From; Sophos Alert System:

Name: W32/Kalel-B
Type: Win32 worm
Date: 5 June 2005

Sophos has issued protection for W32/Kalel-B.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Kalel-B can be found at:
http://www.sophos.com/virusinfo/analyses/w32kalelb.html

W32/Kalel-B is a mass-mailing worm and backdoor Trojan that also targets 
peer-to-peer file sharing utilities. 
W32/Kalel-B runs continuously in the background, providing a backdoor server 
which allows a remote intruder to gain access and control over the computer. 
W32/Kalel-B displays a message box displaying the following fake error message: 
Fatal Error: Exception Code=C00000005
Called from - frmimportwizard.pageframe1.page2.command1.click line 70
Called from - mail line 613 
W32/Kalel-B contacts the sites www.google.com and search.yahoo.com in order to 
harvest email addresses. The worm sends itself as an email attachment to these 
email addresses. 
Messages are sent with the following subject line: 
**WARNING** Mailbox Suspension 
The message text is as follows: 
This message was created automatically by mail delivery software (TMDA) - do 
not reply.
In order to safeguard your mailbox from unexpected termination, please read the 
attached document. 
++ Attachment: No Virus found
++Norton AntiVirus
http://www.symantec.com 
When first run W32/Kalel-B copies itself to the following locations: 
<Windows>\system\lsass.exe
<Windows>\system\services.exe
<Windows>\system\smss.exe 
W32/Kalel-B may copy itself to any of the following folders: 
C:\My Downloads\
C:\My Shared Folder\
C:\program files\Ares\My Shared Folder\
C:\program files\BearShare\Shared\
C:\program files\direct connect\received files\
C:\program files\eDonkey2000\incoming\
C:\program files\eMule\Incoming\
C:\program files\gnucleus\downloads\
C:\program files\gnucleus\downloads\incoming\
C:\program files\grokster\my grokster\
C:\program files\grokster\my shared folder\
C:\program files\icq\shared files\
C:\program files\KaZaa Lite\My Shared Folder\
C:\program files\KaZaa\My Shared Folder\
C:\program files\KMD\my shared folder\
C:\program files\limeWire\shared\
C:\program files\Morpheus\my shared folder\
C:\program files\rapigator\share\
C:\program files\shareaza\downloads\
C:\program files\StreamCast\Morpheus\my shared folder\
C:\programmi\Ares\My Shared Folder\
C:\programmi\BearShare\Shared\
C:\programmi\direct connect\received files\
C:\programmi\eDonkey2000\incoming\
C:\programmi\eMule\Incoming\
C:\programmi\gnucleus\downloads\
C:\programmi\gnucleus\downloads\incoming\
C:\programmi\grokster\my grokster\
C:\programmi\grokster\my shared folder\
C:\programmi\icq\shared files\
C:\programmi\KaZaa Lite\My Shared Folder\
C:\programmi\KaZaa\My Shared Folder\
C:\programmi\KMD\my shared folder\
C:\programmi\limeWire\shared\
C:\programmi\Morpheus\my shared folder\
C:\programmi\rapigator\share\
C:\programmi\shareaza\downloads\
C:\Programmi\StreamCast\Morpheus\my shared folder\
C:\shared\ 
W32/Kalel-B drops the following ZIP files, each containing a copy of the worm: 
<Windows>\system\rockefeller64.zip
<Windows>\system\rockefeller65.zip
<Windows>\system\rockefeller66.zip 
W32/Kalel-B drops the following files, each containing a copy of one of the 
above ZIP files in uuencoded format: 
<Windows>\system\rundll16.ref
<Windows>\system\rundll32.ref
<Windows>\system\rundll64.ref 
W32/Kalel-B drops a text file ROCKEFELLER.DAT in the folder <Windows>\system. 
This contains the following text: 
W32.Rockerfeller@MM+P2P+BACKDOOR+KEYLOGGER 
W32/Kalel-B may create further files with the following names: 
<Windows>\system\rfdriver32.dll
<Windows>\system\mouse_drv16.ref
<Windows>\system\mouse_drv32.ocx
<Windows>\system\mouse_drv64.dat 
The following registry entries are created to run the worm on startup: 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Service Controller
<Windows>\system\services.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MS Security Authority Service
<Windows>\system\lsass.exe 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Windows Session Manager Subsystem
<Windows>\system\smss.exe 

The W32/Kalel-B virus identity file (IDE) includes detection for:


W32/Rbot-AEV
http://www.sophos.com/virusinfo/analyses/w32rbotaev.html
W32/Rbot-AEN
http://www.sophos.com/virusinfo/analyses/w32rbotaen.html
Troj/Kelvir-AC
http://www.sophos.com/virusinfo/analyses/trojkelvirac.html
Troj/Chimo-D
http://www.sophos.com/virusinfo/analyses/trojchimod.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Kalel-B from:

http://www.sophos.com/downloads/ide/kalel-b.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Kalel-B

1. Home
2. virusinfo
3. Archive
4. 06-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---