[virusinfo] W32/Kassbot-C

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Fri, 29 Apr 2005 08:55:03 -0700

From; Sophos Alert System:

Name: W32/Kassbot-C
Aliases: Backdoor.Win32.Delf.yo, BackDoor-CPV
Type: Win32 worm
Date: 29 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2005 (3.94) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Kassbot-C can be found at:
http://www.sophos.com/virusinfo/analyses/w32kassbotc.html

W32/Kassbot-C is a network worm with a backdoor component. 
When run the worm will copy itself to the Windows system folder as spools.exe. 
W32/Kassbot-C will set the following registry entry in order to run 
automatically each time a user logs in: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Spools Service Controller
%SYSTEM%\spools.exe 
W32/Kassbot-C will send an email to a pre-defined email address containing 
system information from the infected computer. 
W32/Kassbot-C will monitor a user's internet access. When certain internet 
banking and finance sites are accessed, the worm will redirect the user to a 
Russian website with fake login pages or email the stolen details to a Russian 
email address. The banking sites include the following: 
LloydsTSB
NatWest
HSBC
Barclays
Halifax
Citibank
NetBank
EzyBank
Bank One Australia 
W32/Kassbot-C will attempt to spread by exploiting the following
vulnerabilities: 
LSASS (MS04-011 ). 
DCOM (MS04-012 ). 
W32/Kassbot-C will connect to an IRC server and provide backdoor access to the
infected computer. 
W32/Kassbot-C will drop and load a DLL named XEE32.DLL. This file is also 
detected as W32/Kassbot-C. 
W32/Kassbot-C will drop a non-malicious file in the Windows system folder named 
xbccd.log. This file may just be deleted. 
W32/Kassbot-C will append the following lines to the HOSTS file in an attempt 
to block access to anti-virus related websites: 
17.145.117.11 d-ru-1f.kaspersky-labs.com
17.145.117.11 d-ru-1h.kaspersky-labs.com
17.145.117.11 d-ru-2f.kaspersky-labs.com
17.145.117.11 d-ru-2h.kaspersky-labs.com
17.145.117.11 d-eu-2f.kaspersky-labs.com
17.145.117.11 d-eu-2h.kaspersky-labs.com
17.145.117.11 d-eu-1f.kaspersky-labs.com
17.145.117.11 d-eu-1h.kaspersky-labs.com
17.145.117.11 d-us-1f.kaspersky-labs.com
17.145.117.11 d-us-1h.kaspersky-labs.com
17.145.117.11 downloads1.kaspersky.ru
17.145.117.11 downloads2.kaspersky.ru
17.145.117.11 downloads3.kaspersky.ru
17.145.117.11 downloads4.kaspersky.ru
17.145.117.11 downloads5.kaspersky.ru
17.145.117.11 www.kaspersky.ru
17.145.117.11 kaspersky.ru
17.145.117.11 kaspersky-labs.com
17.145.117.11 www.kaspersky-labs.com 

This IDE file also includes detection for:

W32/Rbot-ABI
http://www.sophos.com/virusinfo/analyses/w32rbotabi.html
W32/Sdbot-XN
http://www.sophos.com/virusinfo/analyses/w32sdbotxn.html
W32/Agobot-RT
http://www.sophos.com/virusinfo/analyses/w32agobotrt.html
Troj/Dloader-MV
http://www.sophos.com/virusinfo/analyses/trojdloadermv.html
Troj/Qdown-B
http://www.sophos.com/virusinfo/analyses/trojqdownb.html
Troj/Goldun-S
http://www.sophos.com/virusinfo/analyses/trojgolduns.html
Troj/StartPa-FU
http://www.sophos.com/virusinfo/analyses/trojstartpafu.html
W32/Crowt-D
http://www.sophos.com/virusinfo/analyses/w32crowtd.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/kassbotc.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] W32/Kassbot-C
• » [virusinfo] W32/Kassbot-C

1. Home
2. virusinfo
3. Archive
4. 04-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---