
The Kedebe worm is a security software horror

The second variant of the Kedebe worm makes security vendors' websites inaccessible from infected computers.
Virus news, a security portal, with the support of.

A worm called Kedebe.B, which spreads primarily by email, terminates processes belonging to antivirus software and various other security applications, which significantly weakens the protection of the affected computer. The worm also modifies the hosts file so that the websites of security software vendors can no longer be reached (and, with them, signature updates).

When the Kedebe.B worm starts, it performs the following actions:

1. Creates the following files (several of the names imitate legitimate Windows or security-product binaries with look-alike characters, e.g. kerne132.exe with a digit 1 for the letter l, DLLH0ST.EXE and NETM0N.EXE with a zero for the letter O, SERVlCES.EXE with a lowercase L for the letter I):
%System%\winssc32.exe
%System%\mscppmgr.exe
%System%\kerne132.exe
%System%\NAVMON.EXE
%System%\drwmgr32.exe
%System%\DLLH0ST.EXE
%System%\gcasctrl.exe
%System%\msscan.exe
%System%\cuApp.exe
%System%\LSSAS.EXE
%System%\AVmon.exe
%System%\SERVlCES.EXE
%System%\gcasSav32.exe
%System%\LUC0MS~1.EXE
%System%\zlbclient.exe
%System%\mantispam.exe
%System%\NETM0N.EXE
%System%\srvchost.exe
%System%\USRMGRINIT.JFX

2. Creates a harmless text file named USRMGRINIT.JFX in the Windows System directory.

3. Copies itself, under the following names, into every directory whose name contains the string "shar" or "users" (that is, shared and peer-to-peer download folders), using file names chosen to tempt a user into running them:
Admin Password Cracker.exe
DVD ripper keygen.exe
Messenger 7.0 Installer.exe
Microsoft AntiSpyware Patch.com
Mydoom removal tool.exe
Naked teen-Actions.com
Norton Personal Firewall 2005 Patch.exe
Spyware remover.exe
Win Server 2003 Remote Exploit.cmd
ZoneAlarm Security Suite 2005 Crack.com

4. Adds the value
"Windows [worm name] Monitor" = "[worm file name]"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it is started at every logon.

5. Adds the value
"Run" = "[worm file name]"
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
(the registry-mapped equivalent of the legacy "run=" line of win.ini, a second autostart location that is easy to overlook).

6. Harvests email addresses from files with various extensions on the infected computer and mails itself to the addresses found.

The subject of the infected message may be one of the following:
Invalid MIME version indicated.
Failure delivery
Mail Delivery Subsystem
Symantec Security Response. Urgent!
Mail server changing information

The name of the file attached to the infected message is chosen from the following list:
Base64_Encoded_Message
Error
Patch
Temporary_Account_Info

7. Opens a backdoor on a randomly selected TCP port. This allows an attacker to perform the following actions:
- keystroke logging
- change mouse settings
- turn off the clipboard
- disable input devices.

8. Terminates processes belonging to antivirus software and various other security applications.

9. Modifies the hosts file. As a result, the websites of security software vendors (and their update servers) can no longer be reached from the infected computer.

10. Creates a mutex to run only one instance on the system at a time.

11. Deletes the following files (if they exist):
Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
Microsoft AntiSpyware\GIANTAntiSpywareUpdater.exe
Norton AntiVirus\OPSCAN.EXE
srchasst\mui\0409\baloon.xsl
srchasst\mui\0409\bar.xsl
srchasst\mui\0409\lcladvdf.xml
Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe

12. Displays the following message box:


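Two of the indicators above lend themselves to an automated check: the dropped files whose names imitate legitimate Windows binaries with look-alike characters (step 1), and the hosts-file entries that sinkhole security vendors' domains (step 9). The following script is an added example written for this article, not code from the article, from the worm, or from any vendor's tool. It assumes a short, illustrative list of legitimate process names and a short list of vendor domains to watch (both constructed here, neither exhaustive), and it runs offline against a constructed hosts-file sample.

```python
import ipaddress

# Legitimate names that malware likes to imitate. Constructed, illustrative
# whitelist; extend it for real use. The 8.3 name lucoms~1.exe is assumed to
# be the Symantec LiveUpdate server binary.
LEGIT_NAMES = ("kernel32.exe", "dllhost.exe", "services.exe", "lsass.exe",
               "svchost.exe", "netmon.exe", "lucoms~1.exe")

# Characters that read alike in common fonts: 0 for o, 1 and i for l.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l"})

# File names from step 1 of the article (case preserved).
DROPPED_FILES = ["winssc32.exe", "mscppmgr.exe", "kerne132.exe", "NAVMON.EXE",
                 "drwmgr32.exe", "DLLH0ST.EXE", "gcasctrl.exe", "msscan.exe",
                 "cuApp.exe", "LSSAS.EXE", "AVmon.exe", "SERVlCES.EXE",
                 "gcasSav32.exe", "LUC0MS~1.EXE", "zlbclient.exe",
                 "mantispam.exe", "NETM0N.EXE", "srvchost.exe"]

# Security vendor domains a clean hosts file has no business pinning.
# Constructed list for the example.
WATCHED_DOMAINS = ("symantec.com", "zonelabs.com", "mcafee.com", "drweb.com")

# Constructed hosts file: one legitimate line plus worm-style sinkholes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com  # added by worm
0.0.0.0         update.zonelabs.com
"""


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'lssas' vs 'lsass' and 'srvchost' vs 'svchost' both score 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def find_lookalikes(names, legit=LEGIT_NAMES):
    """Return {suspicious_name: legitimate_name_it_imitates}.
    A name is flagged when it is not itself a legitimate name but equals one
    after homoglyph folding, or sits within one edit/transposition of one."""
    hits = {}
    for name in names:
        low = name.lower()
        if low in legit:
            continue  # exact legitimate name: nothing to flag by name alone
        folded = low.translate(HOMOGLYPHS)
        for good in legit:
            if folded == good.translate(HOMOGLYPHS) or osa_distance(low, good) <= 1:
                hits[name] = good
                break
    return hits


def suspicious_hosts_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Return (line_no, address, hostname, sinkholed) for every hosts entry
    that pins a watched vendor domain; sinkholed is True when the address is
    loopback or unspecified (127.0.0.1 / 0.0.0.0), the worm's usual trick."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                           # malformed line, not our concern here
        for host in hosts:
            h = host.lower()
            if any(h == dom or h.endswith("." + dom) for dom in watched):
                findings.append((line_no, addr, h, ip.is_loopback or ip.is_unspecified))
    return findings


if __name__ == "__main__":
    for bad, good in find_lookalikes(DROPPED_FILES).items():
        print(f"look-alike: {bad:16} imitates {good}")
    for line_no, addr, host, sinkholed in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {host} -> {addr}" + (" (sinkholed)" if sinkholed else ""))
```

On a live system the same two functions would be fed the directory listing of %System% and the contents of %System%\drivers\etc\hosts respectively; the name check only catches imitation, so a dropped file that reuses an exact legitimate name (NAVMON.EXE, msscan.exe) still needs a path, signature or hash check.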