Kedebe Alert

infectionvectors.com

April 2005

Update: May 2005

Vector:             Mass Mail

Impact:             Medium (kills security application processes, resource consumption)

A mass mailer of fairly common construction, Kedebe carries 9 possible subject lines to go with 8 message bodies (one of which deals with Michael Jackson, another with a “Virus” found on the user’s box), and 7 attachment names. The email arrives “from” one of the following:

Internet Explorer Team iexplorer@microsoft.com

The Jackson Brothers  jackoonfive@micaeljackoon.com

Secqrity Response secqrity@microsoft.com

Secqrity Team

Or by crafting the address from:

daniel_kqql

helen

helen_2002

helina_sexy

joe_ooql

michael

oamqel_99

and appending it with one of the following domains:

@gmail.com

@hotmail.com

@msn.com

@yahoo.com

aol.com

fastmail.fm

mail.com

myway.com

yahoo.co.qk

Kedebe modifies the HOSTS file of the infected device to prevent connections to security update sites and kills processes associated with antivirus/firewall software. Of note in the worm is the addition to the anti-Beagle/MyDoom war:

Properly infected. Kill those fools, Mydoom-er and Bagle-r!! They're DEAD!! EthioLove.X!!

This line is included as a text file, dropped onto the infected device.

For additional details relating to cleanup, see:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FKEDEBE%2EA&VSect=Sn

Update: May 2005

Kedebe.C drops a new text file, containing the following line:

Please, Symantec stop doing definitions for my worm. I'm trying to fight Mydoom and Beagle!! And I appriciate your work!!

Kedebe.C prevents the local box from accessing numerous security providers' sites (Symantec, McAfee, Zonelabs, Sophos, Kaspersky, Microsoft's Windows Update, etc.). It opens a backdoor that allows remote command execution (including what appears to be a routine that swaps the left-click/right-click functions of the local mouse), attempts to kill the Microsoft/Giant Anti-Spyware tool and Zone Alarm products, tries to shut down the Symantec opscan process (opscan prevents outside applications from messing with the AV scanner), and changes the local machine's ownership info by adjusting 2 Registry values (for W2K/XP users):

HKLM\Software\Microsoft\Windows NT\CurrentVersion

RegisteredOrganization = "The Kebede Team 2005"
RegisteredOwner = "BiniDogg"
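As an added defender-side check (not code from infectionvectors.com or from the worm), the Python script below flags HOSTS entries that pin security-vendor or update hosts of the kind named above to a loopback or blackhole address, and compares the two CurrentVersion ownership values against the Kedebe.C strings. The sample HOSTS lines are constructed, and the specific vendor hostname patterns are assumptions.

```python
import re

# Hostname patterns for the vendors the alert names; the exact hostnames
# are assumptions for illustration, not a list taken from the worm.
SECURITY_HOST_PATTERNS = [
    r"symantec\.com$", r"mcafee\.com$", r"zonelabs\.com$", r"sophos\.com$",
    r"kaspersky\.com$", r"windowsupdate\.com$", r"microsoft\.com$",
]
# Addresses that make a HOSTS entry a block rather than a real mapping.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Ownership values the May 2005 update lists under
# HKLM\Software\Microsoft\Windows NT\CurrentVersion.
KEDEBE_REG_VALUES = {
    "RegisteredOrganization": "The Kebede Team 2005",
    "RegisteredOwner": "BiniDogg",
}

def parse_hosts(text):
    """Return (address, hostname) pairs from HOSTS text, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        for host in parts[1:]:                    # one address may map several names
            entries.append((parts[0], host.lower()))
    return entries

def suspicious_hosts_entries(text):
    """Entries that send a vendor/update host to a loopback or blackhole address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if ip in LOCAL_ADDRS and host != "localhost"
            and any(re.search(p, host) for p in SECURITY_HOST_PATTERNS)]

def check_owner_values(values):
    """Return the ownership values that exactly match the Kedebe.C strings."""
    return {name: values[name] for name, bad in KEDEBE_REG_VALUES.items()
            if values.get(name) == bad}

# Constructed sample input: one benign mapping, three tampered entries.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 www.symantec.com securityresponse.symantec.com
127.0.0.1 windowsupdate.microsoft.com
10.0.0.5 intranet.example.local
"""
SAMPLE_REG = {"RegisteredOrganization": "The Kebede Team 2005",
              "RegisteredOwner": "BiniDogg"}

if __name__ == "__main__":
    for ip, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("HOSTS tampering:", ip, host)
    for name, val in check_owner_values(SAMPLE_REG).items():
        print("Kedebe.C ownership value:", name, "=", val)
```

On a live W2K/XP box the HOSTS text comes from %SystemRoot%\system32\drivers\etc\hosts and the two values from the CurrentVersion key; feed them to the same two functions.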

Copyright © 2005 infectionvectors.com. All rights reserved.