[virusinfo] W32/Kassbot-F

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Thu, 09 Jun 2005 22:18:58 -0700

From: Sophos Alert System:

Name: W32/Kassbot-F
Aliases: BackDoor-CPV, Backdoor.Win32.Delf.aae
Type: Win32 worm
Date: 9 June 2005

Sophos has issued protection for W32/Kassbot-F.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.

Customers using EM Library, Enterprise Console, PureMessage or
any of our Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Kassbot-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32kassbotf.html

W32/Kassbot-F is a network worm with backdoor functionality for the Windows
platform.

W32/Kassbot-F runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer.
W32/Kassbot-F includes functionality to access the internet and communicate
with a remote server via HTTP.

When first run, W32/Kassbot-F copies itself to
<Windows system folder>\spools.exe and creates the file
<Windows system folder>\xbccd.log.

The following registry entry is created to run spools.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
<Windows system folder>\spools.exe
W32/Kassbot-F will send an email to a pre-defined email address containing 
system information from the infected computer. 
W32/Kassbot-F will monitor a user's internet access. When certain internet 
banking and finance sites are accessed, the worm will redirect the user to a 
Russian website with fake login pages or email the stolen details to a 
pre-specified email address. The banking sites include the following: 
Bank One Australia
Barclays
Citibank
EzyBank
Halifax
HSBC
LloydsTSB
NatWest
NetBank 
W32/Kassbot-F will attempt to spread by exploiting the LSASS vulnerability. The
following patch for the operating system vulnerability exploited by
W32/Kassbot-F can be obtained from the Microsoft website:
MS04-011
W32/Kassbot-F will append the following lines to the HOSTS file in an attempt
to block access to anti-virus related websites:
17.145.117.11 d-eu-1f.kaspersky-labs.com
17.145.117.11 d-eu-1h.kaspersky-labs.com
17.145.117.11 d-eu-2f.kaspersky-labs.com
17.145.117.11 d-eu-2h.kaspersky-labs.com
17.145.117.11 d-ru-1f.kaspersky-labs.com
17.145.117.11 d-ru-1h.kaspersky-labs.com
17.145.117.11 d-ru-2f.kaspersky-labs.com
17.145.117.11 d-ru-2h.kaspersky-labs.com
17.145.117.11 d-us-1f.kaspersky-labs.com
17.145.117.11 d-us-1h.kaspersky-labs.com
17.145.117.11 downloads1.kaspersky.ru
17.145.117.11 downloads2.kaspersky.ru
17.145.117.11 downloads3.kaspersky.ru
17.145.117.11 downloads4.kaspersky.ru
17.145.117.11 downloads5.kaspersky.ru
17.145.117.11 kaspersky-labs.com
17.145.117.11 kaspersky.ru
17.145.117.11 www.kaspersky-labs.com
17.145.117.11 www.kaspersky.ru 

The W32/Kassbot-F virus identity file (IDE) includes detection for:

W32/Rbot-AEZ
http://www.sophos.com/virusinfo/analyses/w32rbotaez.html
W32/Nanpy-C
http://www.sophos.com/virusinfo/analyses/w32nanpyc.html
Troj/StartPa-GU
http://www.sophos.com/virusinfo/analyses/trojstartpagu.html
W32/Nanpy-D
http://www.sophos.com/virusinfo/analyses/w32nanpyd.html
Troj/ServU-AW
http://www.sophos.com/virusinfo/analyses/trojservuaw.html
Troj/Dloader-YY
http://www.sophos.com/virusinfo/analyses/trojdloaderyy.html

Customers with 3.xx or lower versions of Sophos Anti-Virus, 
who are not running EM Library, can manually download the IDE
for W32/Kassbot-F from:

http://www.sophos.com/downloads/ide/kassbo-f.ide

Read about how to use IDE files at
http://www.sophos.com/support/knowledgebase/article/363.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
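The dropped file, the Run key value and the HOSTS entries listed in the alert above are host-level indicators an admin can check for without the IDE. The script below is an added example, not Sophos' or the list's code: it parses HOSTS content and a dump of the Run key, flags the exact Kassbot-F indicators, and generalises slightly by flagging any kaspersky-labs.com / kaspersky.ru host that appears in HOSTS at all (a healthy machine has no reason to carry such an entry, whether it points at 17.145.117.11, at loopback, or anywhere else). The sample HOSTS text, the Run key values and the C:\WINDOWS\system32 path are constructed for the example; the indicators themselves come from the alert.

```python
"""Triage helper for the W32/Kassbot-F indicators quoted in the Sophos alert.

Added example, not Sophos' or the list's code. Sample inputs below are
constructed; the indicators (spools.exe, the Run value name, 17.145.117.11,
the Kaspersky domains) are taken from the alert text.
"""
import ipaddress
import re

# Indicators from the alert.
DROPPED_FILE = "spools.exe"
RUN_VALUE_NAME = "Spools Service Controller"
SINKHOLE_IP = "17.145.117.11"
# The worm pins hosts under these two domains. Any host under them in HOSTS
# is treated as suspicious, not only the exact lines from the alert.
VENDOR_DOMAINS = ("kaspersky-labs.com", "kaspersky.ru")
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS content (three tampered lines, two legitimate ones).
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
192.168.1.10 intranet.example.test
17.145.117.11 d-eu-1f.kaspersky-labs.com
17.145.117.11 www.kaspersky.ru
127.0.0.1 downloads1.kaspersky.ru  # nulled rather than redirected
"""

# Constructed dump of HKLM\...\CurrentVersion\Run as (value name, data) pairs.
# The C:\WINDOWS\system32 path stands in for <Windows system folder>.
SAMPLE_RUN_KEY = [
    ("ctfmon.exe", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    (RUN_VALUE_NAME, "C:\\WINDOWS\\system32\\spools.exe"),
]


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS content.

    Comments and blank lines are skipped, as are lines whose first field is
    not a valid IP address (the HOSTS parser itself ignores those too).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def hosts_findings(text):
    """Flag HOSTS entries for security-vendor hosts and say why each is suspect."""
    findings = []
    for ip, host in parse_hosts(text):
        if not any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS):
            continue
        if ip == SINKHOLE_IP:
            reason = "exact Kassbot-F indicator"
        elif ip in LOOPBACK_OR_NULL:
            reason = "vendor domain nulled to loopback"
        else:
            reason = "vendor domain redirected"
        findings.append({"ip": ip, "host": host, "reason": reason})
    return findings


def run_key_findings(values):
    """Flag Run values matching the alert: by value name or by spools.exe in the data."""
    pattern = re.compile(r"\bspools\.exe\b", re.IGNORECASE)
    return [(name, data) for name, data in values
            if name == RUN_VALUE_NAME or pattern.search(data)]


def clean_hosts(text):
    """Return HOSTS content with the flagged vendor entries removed (remediation)."""
    bad = {(f["ip"], f["host"]) for f in hosts_findings(text)}
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and any((parts[0], h.lower()) in bad for h in parts[1:]):
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for f in hosts_findings(SAMPLE_HOSTS):
        print("HOSTS: %(ip)s %(host)s (%(reason)s)" % f)
    for name, data in run_key_findings(SAMPLE_RUN_KEY):
        print("Run key: %s = %s" % (name, data))
```

On a live machine, feed `hosts_findings` the contents of %SystemRoot%\system32\drivers\etc\hosts and `run_key_findings` the values exported from the Run key; removing the HOSTS lines with `clean_hosts` only restores AV update access and does not remove spools.exe or the Run value, so it complements rather than replaces the IDE-based clean-up.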



