ENSRT Incident Note ETS-i-2005-12584
The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.
Worm - W32.Kedebe.D@mm
Release Date: 06/30/2005
Last Updated:
Overview
The W32.Kedebe.D@mm worm propagates by e-mailing copies of itself using its own embedded SMTP engine. It further threatens system security by deleting security-related files and blocking Internet access to security vendors' sites.
Details below describe the characteristics of the W32.Kedebe.D@mm worm as well as provide detection, containment, and prevention techniques available through Enterasys Secure Networks solutions.
Systems affected
Windows operating systems
Systems not affected
Linux and MAC/OSX
Description
The W32.Kedebe.D@mm worm arrives in the user's mailbox as an e-mail attachment, using one of the following Subject lines:
- let's chat here...
- I'm going to somewhere
- Re: hi
- *IMPORTANT* You Won Diversity Visa Lottery!
- [No Subject]
- *IMPORTANT* Microsoft Windows Automatic Update disabled
- Fw: Fw: Osama Bin Laden has been arrested!
- you_lied
- Your Information
- **WARNING** Your Internet account
- Password
- WE NEED TO TALK.
- PaRtY tonight??!
- *Breaking News* Michael Jackson Died
- Fw: Fw: The 'SECRET' behind John Paul's death
- John Paul's death and the doctors...
- Author of Mydoom has been ARRESTED!
- FOR GIRLS ONLY!!, Boys
- Make sure u are alone
- J Lo with no closes ON!!
- It seems a good day!!
- FOR THE LAST TIME!!
- You chat room friend
- RE: the document
- Administrator
- **WARNING** Account Currently Disabled
- Welcome back
The W32.Kedebe.D@mm e-mail also carries one of the following message bodies:
"You IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account."
"I'm back with the password. Hit me back"
"Attached is a confidential information about the Webs you browsed."
"Please, try to forward this document to all your relatives and reveal the truth."
"someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are."
"Hey we need to talk. Read the attachment and hit me back"
"This is for the last time. Answer me."
"Big day huh! What a great surprise! I just read on Arab site that Osama bin laden has been arested by US solders. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!"
"I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death.someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are."
"hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup."
"i have found a new chat rooms, see you there."
"I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!"
"HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up."
"Damn! I Heard that Michael Jackson died this morning. The news says there was an acciedent. I have attached the whole story."
"no hay sitio para ...!!"
"Hey, this is to tell you that the author of the Internet Worm 'MyDoom' has been arrested by Microsoft today. He is an OLD MAN, about 50s."
"For girls only!! Are you alone?"
"We were waiting for u! Group pic available"
"The mail client cannot display the picture due to high resolution on the graphics. Contents has been attached as a hexadecimal text."
"you again!! c ya!"
"Your mail account will be disabled. See the atta/"
"You have won the this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information."
"The Visa Lottery Commite."
"This message was automatically sent from the Microsoft Windows Update Web site.
Microsoft Corporation (c) 2001-2005. All rights reserved."
"\xeb\x02\xeb\x0f\x66\x81\xec\x04\x08\x8b\xec\x83\xec\x50\xe8\xef\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66\xb9\xba\x01\x80\x33\x95\x43\xe2\xfa\x7e\xfa\xa6\x4e\x26\xa5\xf1\x1e\x96\x1e\xd5\x99\x1e
We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your system with this software and delete any file detected as virus. Then try to update Windows. "
"I have attached it
-----Original Message-----
From:
To:
Sent: [Removed]
Subject: the document
Please send me that document"
If the e-mail attachment is executed, the user's PC becomes infected. The worm copies itself to the Windows system directory, updates the registry to ensure the worm starts on system reboot, gathers e-mail addresses from system files, attempts to further proliferate with its embedded SMTP client, terminates and deletes security-related processes, and alters the Windows "hosts" file to block security-related network traffic.
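The hosts-file tampering described above leaves a simple artifact to check for: security-vendor hostnames pinned to loopback or the unspecified address. The following checker is an added example, not part of the original note; the sample hosts file and the watched domain suffixes are constructed for illustration and are not taken from the worm.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (illustrative entries only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com   # added by malware
0.0.0.0         update.microsoft.com
10.0.0.5        intranet.example.local
"""

# Domain suffixes an end system should never have black-holed (assumed list).
WATCHED_SUFFIXES = ("symantec.com", "microsoft.com", "enterasys.com")


def _is_watched(name):
    """True if name equals or is a subdomain of any watched suffix."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_blocked_security_hosts(hosts_text):
    """Return (hostname, address) pairs that redirect watched names to 127/8 or 0.0.0.0."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an IP literal
        blackholed = addr.is_loopback or addr.is_unspecified
        for name in parts[1:]:
            if blackholed and _is_watched(name):
                findings.append((name, parts[0]))
    return findings


if __name__ == "__main__":
    for host, ip in find_blocked_security_hosts(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```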
Threat Assessment
Mass-mailing worms, if not addressed through prudent remediation steps, may congest mail servers and/or degrade network performance. They may also impact individual system performance and compromise security settings, allowing unauthorized remote access to the compromised host.
Remediation
| Matrix N7 | X |
| Matrix E7 | X |
| Matrix E6 | X |
| Matrix E5 | X |
| Matrix E1 | X |
| VH | X |
| C-Series | X |
Detection
Specific Dragon signatures that detect the W32.Kedebe.D@mm worm can be retrieved via Dragon Live Update and are located in the Master Library within the ENSRT category. The signatures with the prefix "ENSRT:W32-KEDEBE-D" can be copied into a custom library and deployed on a Dragon network sensor that is protecting the enterprise SMTP server to successfully detect end-user class machines which have become infected with the worm.
If utilizing Dynamic Intrusion Response (DIR), a Dragon Alarmtool policy that consists of an event group that contains all of the signatures within the "ENSRT:W32-KEDEBE-D" family should be used. A threshold parameter of at least three signature detections within a time span of 60 seconds should be used to mitigate the existence of false positives.
NOTE: All signatures in the ENSRT library are disabled by default. These signatures must be enabled after they are imported into a custom library if they are to be successfully deployed.
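The Alarmtool threshold described above (at least three ENSRT:W32-KEDEBE-D detections from one source within 60 seconds) can be reproduced over exported alerts to triage which end systems are actually infected rather than merely triggering a single signature. This is an added example, not Enterasys code; the log line layout and the signature suffixes are assumed, and the sample alerts are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts (assumed layout: timestamp, sensor, src, dst, signature).
SAMPLE_ALERTS = """\
2005-06-30 10:15:01 dragon1 10.1.5.23 10.1.1.25 ENSRT:W32-KEDEBE-D-SUBJECT
2005-06-30 10:15:09 dragon1 10.1.5.23 10.1.1.25 ENSRT:W32-KEDEBE-D-BODY
2005-06-30 10:15:40 dragon1 10.1.5.23 10.1.1.25 ENSRT:W32-KEDEBE-D-ATTACH
2005-06-30 10:15:42 dragon1 10.1.5.77 10.1.1.25 ENSRT:W32-KEDEBE-D-SUBJECT
2005-06-30 10:20:00 dragon1 10.1.5.77 10.1.1.25 ENSRT:W32-KEDEBE-D-BODY
2005-06-30 10:21:30 dragon1 10.1.5.77 10.1.1.25 ENSRT:W32-KEDEBE-D-ATTACH
2005-06-30 10:22:00 dragon1 10.1.5.23 10.1.1.25 OTHER:UNRELATED-SIG
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sensor>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sig>\S+)$"
)
FAMILY_PREFIX = "ENSRT:W32-KEDEBE-D"  # the event group from the note


def find_infected_hosts(log_text, threshold=3, window_seconds=60):
    """Return source IPs with >= threshold family hits inside any sliding window.

    Alerts are assumed to be in chronological order, as an exported log would be.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["sig"].startswith(FAMILY_PREFIX):
            continue  # malformed line or a signature outside the event group
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # expire hits older than the window
        if len(q) >= threshold:
            flagged.add(m["src"])
    return flagged


if __name__ == "__main__":
    print("hosts meeting threshold:", sorted(find_infected_hosts(SAMPLE_ALERTS)))
```

10.1.5.77 trips three signatures but spread over six minutes, so it stays below the threshold; 10.1.5.23 trips three within 39 seconds and is flagged.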
Prevention
Trusted End System solutions are capable of monitoring end-system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, or applications, or placing the user into a Quarantine policy or VLAN until the end-system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/
Containment
The Enterasys Dynamic Intrusion Response (DIR) solution can be utilized to remove infected end-users from the enterprise network by detecting the infection with a Dragon NIDS signature (see "Detection" section of this report), locating the user's connection point using Automated Security Manager's location services module, and either placing the user in a quarantine VLAN or disabling the associated switch port for the user.
Using Enterasys Policy Manager, enforce a policy that allows SMTP traffic from end user PCs to authorized SMTP mail servers and blocks SMTP traffic to unauthorized end users or unknown Internet systems. If the SMTP protocol is not implemented for end users within the enterprise, consider implementing a policy blocking SMTP traffic from end user ports.
Repair
Monitor Dragon Realtime Console for alerts that end-user PCs have become infected with the virus. If utilizing the DIR solution, users can either be expunged from the network or placed in a quarantine VLAN. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.
References
http://securityresponse.symantec.com/avcenter/venc/data/w32.kedebe.d@mm.html
This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.
A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.
Revision History:
| Version | Date | Author | Change |
| 1.0 | 06/30/2005 | ENSRT STAFF | |