Enterasys - Secure Networks


ENSRT Incident Note ETS-i-2005-12568

The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.

Worm - W32.Kedebe.B@mm

Release Date: 05/06/2005
Last Updated:


Overview

The W32.Kedebe.B@mm worm propagates by sending copies of itself via e-mail using an embedded SMTP engine. Furthermore, the worm threatens system security by deleting security related files, preventing Internet access to security sites, as well as installing a trojan.

Details below describe the characteristics of the W32.Kedebe.B@mm worm as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.

Systems affected

Windows operating systems

Systems not affected

Linux and Mac OS X

Description

The W32.Kedebe.B@mm worm arrives on the user's PC as an attachment to an e-mail message. If the attachment is executed, the Microsoft Windows PC becomes infected.

The worm e-mail message contains one of the following Subject lines:

- Invalid MIME version indiacted.
- Failure delivery
- Mail Delivery Subsystem
- Symantec Security Response. Urgent!
- Mail server changing information

The worm e-mail contains one of the following message bodies:

- "Invalid MIME version indicated. Original message has been sent as Base64 encoded attachment"

- "Unable to deliver e-mail to the following user:
Reason: mail server rejected your e-mail due to unknown font type you used.(SMTP-ERROR: 453)
This is common to happen on some mail servers with no decoder currently installed. We recommend you to correct the errors indicated in the attachment and send again. If this problem continues to happen, you can use our special-font to PDF convertor from the Web site .
Virtually yours
technical support team."

- "Dear customer,
We have been working hard to prevent you from computer Viruses, Trojan horses and Internet Worms.
But we have found a new and different computer Virus spreading through the Internet-which cannot
be detected by any AnitVirus softwares other than Norton
This Worm has been on the Internet since last month. Considering this, Symantec Security Response has prepared
'Patch' that works for all AntiVirus softwares including, Sophos and McAfee
Symantec strongely recommend you to download and install this patch.
But if your computer is already infected then this patch will not work. Furthermore, the new variant is hard to be removed after being infected. Do not wait untill your computer gets infected.
NOTE: This is a freeware. You can share it with any of your relatives, provided you keep the copy right notice "AS IS".
Symantec Security Response Team. All Rights Reserved."

- "Dear user,
This is to inform you that we are planning to clean the mail server
for Viruses. During this time the server may be down. So we have created a temporary mail account for you on a temporary server. In this case, your current ID,
will be used but you'll need to log on to another server. How to perform this operation, the temporary mail server address and your temporary mail ID is in the attached file.
Follow the clearly organised steps in the attachment to log on to our temporary mail server. Be careful! This server is going to be closed in about three days, as you might not be able to log on until we upgrade the server.
If you encounter any problem during the process, please contact:
Sorry for the inconveniences you encountered."

Once the worm has been executed, the following actions are taken against the infected PC.

1) Copies itself with one of many possible filenames into the Windows system folder.
2) Creates copies of itself in any folders on the infected machine whose names contain the string "shar" or "users".
3) Creates registry entries to ensure that the worm is restarted on every Windows system start.
4) Gathers e-mail addresses from system files on the infected machine to use in the e-mail propagation process.
5) Propagates the worm via e-mail to the collected addresses.
6) Opens a trojan backdoor on a random TCP port, allowing a remote attacker to execute commands on the infected PC.
7) Terminates numerous security related services.
8) Modifies the Windows "hosts" file to block Internet traffic to security related WEB sites.
9) Attempts to delete certain files and folders related to security software.
10) Displays the message "Windows could not locate the requiered DLL: wrong platform selected."
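Step 8 above is one of the few infection side effects a defender can verify directly on a host. The following check, added here as an illustration and not part of the original advisory, parses a hosts file and flags any hostname that has been pointed at a loopback or unspecified address other than the usual local aliases. The hosts content and the blocked domains in it are constructed samples; the real file on Windows lives under %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately map to the loopback address in a clean hosts file.
LEGITIMATE_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample resembling a hosts file after the worm's modification.
# The redirected domains are illustrative only; the advisory does not list them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.5        intranet.example.local   # constructed internal host
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         liveupdate.example-av.test
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every entry, ignoring blank lines and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def is_sinkhole_address(addr: str) -> bool:
    """True for loopback (127.0.0.1, ::1) or unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_names(text: str) -> Dict[str, str]:
    """Map each hostname redirected to a sinkhole address (excluding local aliases) to that address."""
    suspicious: Dict[str, str] = {}
    for addr, names in parse_hosts(text):
        if is_sinkhole_address(addr):
            for name in names:
                if name.lower() not in LEGITIMATE_LOOPBACK_NAMES:
                    suspicious[name.lower()] = addr
    return suspicious


if __name__ == "__main__":
    for name, addr in find_sinkholed_names(SAMPLE_HOSTS).items():
        print(f"suspicious hosts entry: {name} -> {addr}")
```

Any flagged entry on a machine whose hosts file is normally untouched is a strong indicator that anti-virus update sites are being blocked, which also explains why a subsequent signature update may silently fail.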

Threat Assessment

Mass-mailing worms, if not addressed through prudent remediation steps, may congest mail servers and/or degrade network performance. Mass-mailing worms may also impact individual system performance and compromise security settings, allowing unauthorized remote access to the compromised host.

Trojans or backdoor listeners, if not addressed through prudent remediation steps, can compromise network and host security. Additionally, trojans and backdoor listeners potentially allow theft of information, unauthorized remote access, and damage to critical files.

Remediation

Matrix N7    X
Matrix E7    X
Matrix E6    X
Matrix E5    X
Matrix E1    X
VH           X
C-Series     X

Detection

Specific Dragon signatures that detect the W32.Kedebe.B@mm worm can be retrieved via Dragon Live Update and are located in the Master Library within the ENSRT category. The four signatures with the prefix "ENSRT:W32-KEDEBE-B" can be copied into a custom library and deployed on a Dragon network sensor that is protecting the enterprise SMTP server to detect end-user class machines which have become infected with the worm.

If utilizing Dynamic Intrusion Response (DIR), a Dragon Alarmtool policy that consists of an event group that contains all of the signatures within the "ENSRT:W32-KEDEBE-B" family should be used. A threshold parameter of at least three signature detections within a time span of 60 seconds should be used to mitigate the existence of false positives.
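The threshold rule above (three family hits from one host within 60 seconds) is what keeps a single bounced message or a stray signature match from quarantining a healthy workstation. The following correlation routine, added here as an example and not a piece of Dragon or DIR itself, shows the rule applied to a constructed event feed. The line layout and the signature suffixes (SIG1..SIG4) are placeholders, not Dragon's native log format or the real signature names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

SIGNATURE_PREFIX = "ENSRT:W32-KEDEBE-B"   # family prefix named in the advisory
THRESHOLD = 3                              # detections required before acting
WINDOW = timedelta(seconds=60)             # time span from the DIR recommendation

# Constructed events: "timestamp signature source destination", assumed time-ordered.
# Host 10.1.2.30 trips three family signatures in 44 s; host 10.1.2.77 produces
# scattered single hits and an unrelated signature and must NOT be quarantined.
SAMPLE_EVENTS = """\
2005-05-06T10:00:01 ENSRT:W32-KEDEBE-B-SIG1 10.1.2.30 10.1.0.25
2005-05-06T10:00:20 ENSRT:W32-KEDEBE-B-SIG2 10.1.2.30 10.1.0.25
2005-05-06T10:00:45 ENSRT:W32-KEDEBE-B-SIG3 10.1.2.30 10.1.0.25
2005-05-06T10:00:50 ENSRT:W32-KEDEBE-B-SIG1 10.1.2.77 10.1.0.25
2005-05-06T10:03:10 ENSRT:W32-KEDEBE-B-SIG4 10.1.2.77 10.1.0.25
2005-05-06T10:03:15 OTHER:UNRELATED-SIG 10.1.2.77 10.1.0.25
2005-05-06T10:05:00 ENSRT:W32-KEDEBE-B-SIG2 10.1.2.77 10.1.0.25
"""


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed event line into (timestamp, signature, src, dst)."""
    ts, sig, src, dst = line.split()
    return datetime.fromisoformat(ts), sig, src, dst


def correlate(events: str, threshold: int = THRESHOLD,
              window: timedelta = WINDOW) -> List[Tuple[str, datetime]]:
    """Return (source, time) for each host that reaches `threshold` family hits inside `window`.

    A per-source sliding window keeps only timestamps within `window` of the newest
    event, so isolated hits age out and never accumulate into an alert. Each source
    alerts once, since one infected host needs one quarantine action, not several.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, datetime]] = []
    already_alerted = set()
    for line in events.strip().splitlines():
        ts, sig, src, _dst = parse_event(line)
        if not sig.startswith(SIGNATURE_PREFIX):
            continue                        # only the KEDEBE-B family counts
        hits = recent[src]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()                  # expire hits older than the window
        if len(hits) >= threshold and src not in already_alerted:
            already_alerted.add(src)
            alerts.append((src, ts))
    return alerts
```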

NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.

Prevention

Trusted End System (TES) solutions are capable of monitoring various end system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, or applications, or placing the user into a Quarantine policy or VLAN until the end system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/

Containment

The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.

Using Enterasys Policy Manager, enforce a policy that allows SMTP traffic from end user PCs to authorized SMTP mail servers and blocks SMTP traffic to unauthorized end users or unknown Internet systems. If the SMTP protocol is not implemented for end users within the enterprise, consider implementing a policy blocking SMTP traffic from end user ports.

Internet or edge facing firewalls should be configured with a default 'Deny' policy and contain 'Permit' policies for only needed services and applications. Furthermore, careful inspection of firewall policies that allow TCP traffic streams to be initiated from the Internet into internal enterprise resources is required. These policies should only allow specific protocols to trusted servers thereby combating the increased use of random TCP ports by Internet Trojans and worms.

Repair

Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.

Scan all clients and servers for newly opened TCP ports that did not appear in previous TCP scans. If viruses are detected, apply the appropriate removal tools on each client and server that has the open ports (see your anti-virus solution for removal instructions).

References

http://securityresponse.symantec.com/avcenter/venc/data/w32.kedebe.b@mm.html


This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.    

A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.    


Revision History:

Version: 1.0

Date: 05/06/2005

Author: ENSRT STAFF

Change
