From; Sophos Alert System: Name: W32/Kalel-B Type: Win32 worm Date: 5 June 2005 Sophos has issued protection for W32/Kalel-B. At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers. Customers using EM Library, Enterprise Console, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update. Information about W32/Kalel-B can be found at: http://www.sophos.com/virusinfo/analyses/w32kalelb.html W32/Kalel-B is a mass-mailing worm and backdoor Trojan that also targets peer-to-peer file sharing utilities. W32/Kalel-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. W32/Kalel-B displays a message box displaying the following fake error message: Fatal Error: Exception Code=C00000005 Called from - frmimportwizard.pageframe1.page2.command1.click line 70 Called from - mail line 613 W32/Kalel-B contacts the sites www.google.com and search.yahoo.com in order to harvest email addresses. The worm sends itself as an email attachment to these email addresses. Messages are sent with the following subject line: **WARNING** Mailbox Suspension The message text is as follows: This message was created automatically by mail delivery software (TMDA) - do not reply. In order to safeguard your mailbox from unexpected termination, please read the attached document. ++ Attachment: No Virus found ++Norton AntiVirus http://www.symantec.com When first run W32/Kalel-B copies itself to the following locations: <Windows>\system\lsass.exe <Windows>\system\services.exe <Windows>\system\smss.exe W32/Kalel-B may copy itself to any of the following folders: C:\My Downloads\ C:\My Shared Folder\ C:\program files\Ares\My Shared Folder\ C:\program files\BearShare\Shared\ C:\program files\direct connect\received files\ C:\program files\eDonkey2000\incoming\ C:\program files\eMule\Incoming\ C:\program files\gnucleus\downloads\ C:\program files\gnucleus\downloads\incoming\ C:\program files\grokster\my grokster\ C:\program files\grokster\my shared folder\ C:\program files\icq\shared files\ C:\program files\KaZaa Lite\My Shared Folder\ C:\program files\KaZaa\My Shared Folder\ C:\program files\KMD\my shared folder\ C:\program files\limeWire\shared\ C:\program files\Morpheus\my shared folder\ C:\program files\rapigator\share\ C:\program files\shareaza\downloads\ C:\program files\StreamCast\Morpheus\my shared folder\ C:\programmi\Ares\My Shared Folder\ C:\programmi\BearShare\Shared\ C:\programmi\direct connect\received files\ C:\programmi\eDonkey2000\incoming\ C:\programmi\eMule\Incoming\ C:\programmi\gnucleus\downloads\ C:\programmi\gnucleus\downloads\incoming\ C:\programmi\grokster\my grokster\ C:\programmi\grokster\my shared folder\ C:\programmi\icq\shared files\ C:\programmi\KaZaa Lite\My Shared Folder\ C:\programmi\KaZaa\My Shared Folder\ C:\programmi\KMD\my shared folder\ C:\programmi\limeWire\shared\ C:\programmi\Morpheus\my shared folder\ C:\programmi\rapigator\share\ C:\programmi\shareaza\downloads\ C:\Programmi\StreamCast\Morpheus\my shared folder\ C:\shared\ W32/Kalel-B drops the following ZIP files, each containing a copy of the worm: <Windows>\system\rockefeller64.zip <Windows>\system\rockefeller65.zip <Windows>\system\rockefeller66.zip W32/Kalel-B drops the following files, each containing a copy of one of the above ZIP files in uuencoded format: <Windows>\system\rundll16.ref <Windows>\system\rundll32.ref <Windows>\system\rundll64.ref W32/Kalel-B drops a text file ROCKEFELLER.DAT in the folder <Windows>\system. This contains the following text: W32.Rockerfeller@MM+P2P+BACKDOOR+KEYLOGGER W32/Kalel-B may create further files with the following names: <Windows>\system\rfdriver32.dll <Windows>\system\mouse_drv16.ref <Windows>\system\mouse_drv32.ocx <Windows>\system\mouse_drv64.dat The following registry entries are created to run the worm on startup: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Service Controller <Windows>\system\services.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MS Security Authority Service <Windows>\system\lsass.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Windows Session Manager Subsystem <Windows>\system\smss.exe The W32/Kalel-B virus identity file (IDE) includes detection for: W32/Rbot-AEV http://www.sophos.com/virusinfo/analyses/w32rbotaev.html W32/Rbot-AEN http://www.sophos.com/virusinfo/analyses/w32rbotaen.html Troj/Kelvir-AC http://www.sophos.com/virusinfo/analyses/trojkelvirac.html Troj/Chimo-D http://www.sophos.com/virusinfo/analyses/trojchimod.html Customers with 3.xx or lower versions of Sophos Anti-Virus, who are not running EM Library, can manually download the IDE for W32/Kalel-B from: http://www.sophos.com/downloads/ide/kalel-b.ide Read about how to use IDE files at http://www.sophos.com/support/knowledgebase/article/363.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member