W32/Kidala.B!worm.im

Aliases: Net-Worm.Win32.Kidala.b (KAV), W32.Mytob.PK@mm (Symantec), W32/Kidala.A (F-Prot), W32/Kidala.a@MM virus (McAfee), WORM_MYTOB.PU (Trend)
Release Date: Apr 22, 2006
Detection Availability
                 Active Database    Extended Database
  FortiGate      low                high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.323
Description

Visible Symptoms

  • The file win24.exe exists in the System folder.

Detailed Analysis

  • Copies itself to the System folder as win24.exe.


    Registry Modification

  • Adds the value win24 = "%SYSTEM%\win24.exe" (where %SYSTEM% refers to the System folder) to the registry subkey:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • Adds the following registry subkey:
    HKEY_CURRENT_USER\Software\Obsidium\{148C1ECF-F60545E5-EB0CA10A-B38A5D8D}
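The two registry artifacts above (the win24 Run value and the Obsidium subkey) together with the dropped file are the host-level indicators a responder would check first. The following is an added example, not Fortinet's code: it parses a Windows registry export (.reg) and a System-folder listing, both constructed here as sample data, and reports which of the listed indicators are present. Registry exports write the long hive name HKEY_LOCAL_MACHINE where the analysis writes HKLM, so the full form is used for matching.

```python
"""Check a .reg export and a System-folder listing for the W32/Kidala.B
persistence indicators listed above. Added example; not Fortinet's code.
The registry export and the file listing are constructed sample data."""
import re

# Indicators taken from the analysis (hive name expanded as .reg exports write it).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "win24"
DROPPED_FILE = "win24.exe"
OBSIDIUM_KEY = r"HKEY_CURRENT_USER\Software\Obsidium\{148C1ECF-F60545E5-EB0CA10A-B38A5D8D}"

# Constructed .reg export: one benign Run entry plus the two indicators.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"win24"="C:\\WINDOWS\\system32\\win24.exe"

[HKEY_CURRENT_USER\Software\Obsidium\{148C1ECF-F60545E5-EB0CA10A-B38A5D8D}]
"""

# Constructed listing of the System folder (as `dir /b` would print it).
SAMPLE_SYSTEM_LISTING = ["ctfmon.exe", "kernel32.dll", "WIN24.EXE"]


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only REG_SZ ("name"="data") values are kept; key paths and value names
    are lower-cased because the registry is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes in string data; undo that.
                keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys


def find_kidala_indicators(reg_text, system_listing):
    """Return a list of findings; an empty list means no indicator matched."""
    reg = parse_reg_export(reg_text)
    findings = []
    data = reg.get(RUN_KEY.lower(), {}).get(RUN_VALUE_NAME)
    if data is not None and data.lower().endswith("\\" + DROPPED_FILE):
        findings.append(f"Run value {RUN_VALUE_NAME} -> {data}")
    if OBSIDIUM_KEY.lower() in reg:
        findings.append("Obsidium marker subkey present")
    if any(name.lower() == DROPPED_FILE for name in system_listing):
        findings.append(f"{DROPPED_FILE} present in System folder")
    return findings


if __name__ == "__main__":
    for finding in find_kidala_indicators(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_LISTING):
        print("[!]", finding)
```

The file-name comparison is case-insensitive and the Run value is matched on its trailing path component, so a copy dropped under a differently-cased or differently-rooted System folder still matches; a clean host returns an empty list.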

    Email Propagation

  • Searches for email addresses on the infected computer, then sends itself as an attachment to the addresses it finds, except those containing certain strings, such as:

    • abuse
    • accoun
    • certific
    • listserv
    • ntivi
    • support
    • icrosoft
    • admin

  • The email has the following format:

    From: [Name]@[Domain]
    [Name] can be any of various common names, such as:

    • sandra
    • linda
    • julie
    • jimmy
    • jerry
    • helen

    [Domain] can be any of the following:

    • microsoft.com
    • msn.com
    • ayna.com
    • maktoob.com
    • usa.net
    • usa.com
    • yahoo.com
    • hotmail.com

    Subject: [blank]

    Message body: any of the following:

    • The message contains Unicode characters and has been sent as a binary attachment.
    • Mail transaction failed. Partial message is available.
    • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.

    Attachment name: the file name varies, but the extension is always ZIP
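The lure format above is fixed enough to match on at the mail gateway: a sender at one of the spoofed domains, an empty subject, one of three exact body sentences, and a ZIP attachment. The following added example (not Fortinet's code) applies those four checks to a raw RFC 822 message using Python's standard email parser; the two messages it contains are constructed, and the threshold of how many checks must match before a message is quarantined is left to the caller.

```python
"""Score an inbound message against the W32/Kidala.B lure format described
above. Added example; not Fortinet's code. Both sample messages are constructed."""
import email
from email import policy

# Spoofed sender domains and fixed body sentences, as listed in the analysis.
SENDER_DOMAINS = {"microsoft.com", "msn.com", "ayna.com", "maktoob.com",
                  "usa.net", "usa.com", "yahoo.com", "hotmail.com"}
BODY_SENTENCES = {
    "The message contains Unicode characters and has been sent as a binary attachment.",
    "Mail transaction failed. Partial message is available.",
    "The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.",
}

# Constructed message matching every element of the lure.
SAMPLE_LURE = b"""\
From: jerry@hotmail.com
To: someone@example.org
Subject:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Mail transaction failed. Partial message is available.
--XYZ
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--XYZ--
"""

# Constructed ordinary message that should match nothing.
SAMPLE_BENIGN = b"""\
From: colleague@example.org
To: someone@example.org
Subject: Lunch tomorrow?
Content-Type: text/plain

Noon at the usual place?
"""


def lure_indicators(raw_bytes):
    """Return the list of lure elements present in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    sender = str(msg.get("from") or "").strip().lower()
    domain = sender.rsplit("@", 1)[-1].strip(">") if "@" in sender else ""
    if domain in SENDER_DOMAINS:
        reasons.append(f"sender domain {domain} is on the spoofed-domain list")

    if not str(msg.get("subject") or "").strip():
        reasons.append("blank subject")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in BODY_SENTENCES:
        reasons.append("body is one of the fixed lure sentences")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            reasons.append(f"ZIP attachment {name}")
    return reasons


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, "->", lure_indicators(raw) or "no indicators")
```

Matching on the exact body sentence plus a ZIP attachment is the strongest pair; the sender domain and blank subject on their own are weak signals, since legitimate mail from those providers with an empty subject is common.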


    Peer-to-peer Propagation

  • Uses several peer-to-peer (P2P) applications to spread by copying itself to each application's specific shared folders. The filenames used vary with each P2P application.

       WarezP2P:
    • nice_big_asshole_fuck_Jennifer_Lopez.scr
    • Madonna_the_most_sexiest_girl_in_the_world.com
    • Britney_Spears_sucks_someones_dick.scr
    • Mariah_Carey_showering_in_bathroom.com

       LimeWire:
    • Alcohol_120%%_patch
    • Outlook_hotmail+_fix
    • LimeWire_speed++
    • DarkAngel_Lady_get_fucked_so_hardly

       eDonkey2000:
    • Angilina_Jolie_Sucks_a_Dick
    • JenniferLopez_Film_Sexy_Enough
    • BritneySpears_SoSexy
    • DAP7.4.x.x_crack
    • NortonAV2006_Crack

       iMesh:
    • YahooMessenger_Loader
    • MSN7.0UniversalPatch
    • MSN7.0Loader
    • KAV2006_Crack
    • ZoneAlarmPro6.xx_Crack

       Morpheus:
    • TaskCatcher
    • Opera8
    • notepad++
    • lcc-win32_update
    • RealPlayerv10.xx_crack

       KaZaA:
    • nuke2006
    • office_crack
    • rootkitXP
    • dcom_patch
    • strip-girl-3.0
    • activation_crack
    • icq2006-final
    • winamp6


    Network Propagation

  • Attempts to drop itself to network shares. To gain access to password-protected shares, it tries several user names and passwords, such as the following:

    • NetWork
    • Oracle
    • Database
    • Default
    • Guest
    • Wwwadmin
    • Teacher
    • Student
    • Computer
    • Staff
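A host performing the share-access behaviour above shows up in logon-failure records as one source cycling through many account names in a short time. The following is an added example, not Fortinet's code: it reads failed-logon events in a simplified key=value line format constructed here (not the output of any particular product), flags any source that fails with at least a threshold of distinct user names inside a sliding time window, and reports how many of those names appear on the list the analysis gives. The threshold and window values are assumptions.

```python
"""Detect one source trying many account names against shares, the network
propagation behaviour described above. Added example; not Fortinet's code.
Log lines are constructed in a simplified format for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# User names the analysis lists as tried by the worm.
KIDALA_USERNAMES = {"network", "oracle", "database", "default", "guest",
                    "wwwadmin", "teacher", "student", "computer", "staff"}

# Constructed log: 10.0.0.5 cycles six names in three seconds; 10.0.0.9 is a
# user who mistyped a password once.
SAMPLE_LOG = """\
2006-04-22 10:00:01 src=10.0.0.5 user=Guest result=FAIL
2006-04-22 10:00:01 src=10.0.0.5 user=Oracle result=FAIL
2006-04-22 10:00:02 src=10.0.0.5 user=Database result=FAIL
2006-04-22 10:00:02 src=10.0.0.5 user=Default result=FAIL
2006-04-22 10:00:03 src=10.0.0.5 user=Student result=FAIL
2006-04-22 10:00:03 src=10.0.0.5 user=Staff result=FAIL
2006-04-22 10:05:00 src=10.0.0.9 user=alice result=FAIL
2006-04-22 10:05:30 src=10.0.0.9 user=alice result=OK
"""


def parse_log(text):
    """Yield (timestamp, src, user, result) tuples from the key=value lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, fields["src"], fields["user"], fields["result"]))
    return events


def detect_share_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: {"users": [...], "known_worm_names": n}} for every source
    whose failed logons cover >= threshold distinct user names within one window."""
    failures = defaultdict(list)
    for ts, src, user, result in parse_log(text):
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        start, best = 0, set()
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= threshold:
            alerts[src] = {
                "users": sorted(best),
                "known_worm_names": len({u.lower() for u in best} & KIDALA_USERNAMES),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_share_bruteforce(SAMPLE_LOG).items():
        print(f"[!] {src}: {len(info['users'])} distinct names, "
              f"{info['known_worm_names']} on the known list")
```

Counting distinct user names rather than raw failures is what separates this pattern from a single user retrying a forgotten password; the overlap with the known name list is reported separately so an analyst can weigh it.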


    Backdoor/Trojan Behavior

  • Attempts to kill certain security-related processes, such as:

    • AVPCC.EXE
    • AVKSERV.EXE
    • ECENGINE.EXE
    • FP-WIN.EXE
    • VETTRAY.EXE
    • ACKWIN32.EXE
    • AVNT.EXE
    • ESAFE.EXE
    • FPROT.EXE
    • F-PROT95.EXE
    • IOMON98.EXE
    • AVWIN95.EXE
    • AVE32.EXE
    • ANTI-TROJAN.EXE
    • _AVPCC.EXE

  • Connects to an Internet Relay Chat (IRC) server, joins a channel, then waits for malicious commands from a remote user.
Description Last Updated Date: Apr 28, 2006
Reference: ID - 180829