Aliases: Email-Worm.Win32.Kebede.g
Type: Worm
W32/Kedebe-E is a mass-mailing worm for the Windows platform that spreads by sending emails using its own SMTP engine.
W32/Kedebe-E creates the file <original filename>.txt and opens up the Windows Notepad application to display the following text:
'This document cannot be run under old version. <non Roman characters> Please install latest version of Notepad. <non Roman characters> '
W32/Kedebe-E may arrive in an email message with the following characteristics:
Sender's name chosen from:
bill
jack
fred
ted
kevin
david
george
sami
andrew
jose
maria
mary
ray
tom
peter
john
daniel
alex
michael
james
mike
robert
jane
joe
bini
dave
matt
steve
smith
debby
helen
jerry
jimmy
brenda
claudia
sandra
calvin
christoph
julie
linda
adam
brent
alice
anna
Subject title chosen from:
**WARNING** Account Currently Disabled
**WARNING** Your Internet account
*Breaking News* Michael Jackson Died
*IMPORTANT* Microsoft Windows Automatic Update disabled
*IMPORTANT* You Won Diversity Visa Lottery!
[No Subject]
Administrator
Author of Mydoom has been ARRESTED!
FOR GIRLS ONLY!!, Boys
FOR THE LAST TIME!!
Fw: Fw: Osama Bin Laden has been arrested!
Fw: Fw: The 'SECRET' behind John Paul's death
I'm going to somewhere
It seems a good day!!
J Lo with no closes ON!!
John Paul's death and the doctors...
let's chat here...
Make sure u are alone
PaRtY tonight??!
Password
Re: hi
RE: the document
WE NEED TO TALK.
Welcome back
You chat room friend
you_lied
Your Information
Message text chosen from:
'For girls only!!'
'you again!! c ya!'
'no hay sitio para ...!!'
'Are you alone? The have fun
'
'This is for the last time. Answer me.'
'I'm back with the password. Hit me back'
'i have found a new chat rooms, see you there.'
'Call me when you finish reading the document'
'We were waiting for u! Group pic is available.'
'Hey we need to talk. Read the attachment and hit me back'
'HeEeLLLoOoOoO! Party tonight???!!! Let me KnOw what's up.'
'I'm on vacation, what about you? Check out my girl, N-A-K-E-D!!'
'hey it's me from the chat room, remember? anyway I've sent u my pic. let me know wussup.'
'Attached is a confidential information about the Webs you browsed. The list was logged since 2004.'
'[The mail client could not display the picture due to high resolution on the graphics. Contents has been attached as a hexadecimal text.]'
'[BODY REMOVED]'
'[NEW DOCUMENT ATTACHED]'
'Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.'
'Your IP was logged because you accessed porn related sites. Attached is list of sites you visited and information about your Internet account.'
'someone sent me this document which is stolen from a secret government body and deals about John Paul's death. It says he was killed by two 'doctors' who were hired by some government bodies. The text attached contains all the story behind his death and who these doctors are.'
'We have found that Windows Automatic Update is not enabled on your computer and Windows could not update itself. This may have happened because your system is infected with a latest virus. We recommend you to download updates manually and install on your system. We have sent you Microsoft Windows Malicious Software Removal Tool. Scan your system with this software and delete any file detected as virus. Then try to update Windows.
This message was sent automatically from the Microsoft Windows Update Web site.
Microsoft Corporation (c) 2001-2005. All rights reserved.'
'A new Worm is spreading by using Michael Jackson's death. "After the death of the famous pop star, Michael Jackson, during the acciedent yesterday, new computer Worms appeared to use the news as a subject", said Graham Cluley, senior technology consultant at Sophos. This Worm has 10 different subjects which made it spread widely. All the characterstics of the e-mail are attached in text document. "System and server administrators are advised to read/know the characterstics of the Worm," urges Sophos. Sophos would also like to express its grief about the pop star's death.
Sophos Internet Worm Protection Center.
++Attachment: No Virus Found(Clean text document)
++Scanner: Sophos Anti-virus'
'You have won this year's diversity visa lottery. We reommend you to start the process as soon as possible. Read the attached document for more information.
The Visa Lottery Commite.'
'I have attached it
-Original Message-
From: horst.schaeffer@gmx.net
To: bini@gmx.net
Sent: horst.schaeffer@gmx.net
Subject: the document
> Please send me that document, thanx
>
>
>'
'Microsoft is proud to announce the latest version of Windows-Long Horn. What make this version special is that it is the only Microsoft's product with component's source code available to 3rd party. Full documentation is attached document. We have also included Windows Media Player 10's source code.
Microsoft Corporation (c) 1993 - 2006'
'Microsoft has just annouced the arrest of the author of the Internet Worm "MyDoom". Microsoft says, "Someone sent us an e-mail that has a document about the location where the author live. Even though the information true and led us to the arrest of the author, the sender didn't mention about himself so that we are unable to give him the $500,000 reward. And the author of MyDoom has be found to be a former Microsoft's employee fired becuase of his discipline." Now Microsoft and SCO are confused to whom to give the reward. Microsoft has also released a new form that the sender can fill in and take the money. The sender is urged to send his/her post address to Microsoft or SCO using the attached form.
This message was sent because of your registration at:
To unregister, just go to http://www.bbc.co.uk/'
'Big day huh! What a great surprise! I've just read on Arab site that Osama bin Laden has been arested by the US soldiers. It's lot to talk here. I just copied the whole text in Notepad and attached it. Nice news huh?!'
'You will not be able to log on to your account anymore. See the attac '
'I don't know how to say it, but it is really annoying thing that happened on John Paul the 2nd. He was killed by two 'doctors' who were hired by some security firms. The text attached contains all the story behind his death. Please, try to forward this document to all your relatives and reveal the truth.'
Attachments are compressed Microsoft Cabinet files (with the file extension .cab) with filenames chosen from:
Bin_Laden_Arrested.txt
Info.txt
boys.txt
chat_server
Microsoft_form.doc
message.doc
my_pics.jpeg
JohnPaul_Death.Doc
body.txt
True_Ezin.doc
Hex_Pic.doc
JohnPaul.txt
with_this_girl.jpg
Account.doc
password.doc
you_lied.txt
where_the_party_is.doc
characters.txt
messaggio.doc
document.doc
Removal_tool
your_document.doc
ditail.txt
photo.jpg
files.txt
attached_document.doc
contents.txt
Important.doc
microsoft.doc
Bin_Laden_Arrested
you_lied
party_location.txt
worm_characters.txt
Microsoft_form
read_carefully
Hex_Picture.txt
my_pictur.jpeg
chat_server.txt
my_girl.jpg
Sex stories.txt
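The characteristics above can be combined into a mail-gateway check. The following is an added example, not part of the original analysis: it uses only a subset of the listed values, and it assumes the attachment is named `<listed name>.cab` and that the listed sender name may appear as either the display name or the local part of the address. The sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subset of the indicator lists on this page (lower-cased); load the full lists in practice.
SUBJECTS = {"re: the document", "re: hi", "welcome back", "you_lied", "password"}
SENDERS = {"bill", "jack", "bini", "anna", "brent"}
ATTACH_NAMES = {"your_document.doc", "photo.jpg", "info.txt", "removal_tool", "you_lied"}

def kedebe_hits(raw: bytes) -> set:
    """Return which W32/Kedebe-E mail characteristics a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg.get("Subject", "")).strip().lower() in SUBJECTS:
        hits.add("subject")
    display, addr = parseaddr(str(msg.get("From", "")))
    # Assumption: the listed name may be the display name or the local part.
    if {display.strip().lower(), addr.split("@")[0].lower()} & SENDERS:
        hits.add("sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Assumption: attachment is named <listed name>.cab.
        if name.endswith(".cab") and name[:-4] in ATTACH_NAMES:
            hits.add("attachment-name")
            if data[:4] == b"MSCF":  # cabinet file signature
                hits.add("cab-content")
    return hits

def is_suspect(raw: bytes) -> bool:
    """Flag only when a listed .cab attachment coincides with a listed subject or sender."""
    hits = kedebe_hits(raw)
    return "attachment-name" in hits and bool(hits & {"subject", "sender"})

def build_sample(subject, sender, filename, payload):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("I have attached it")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

WORM_LIKE = build_sample("RE: the document", "bini <bini@example.com>",
                         "your_document.doc.cab", b"MSCF\x00\x00\x00\x00constructed")
BENIGN = build_sample("RE: the document", "Carol <carol@example.com>",
                      "minutes.pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    print(sorted(kedebe_hits(WORM_LIKE)), is_suspect(WORM_LIKE))
    print(sorted(kedebe_hits(BENIGN)), is_suspect(BENIGN))
```

Requiring the attachment match plus a second characteristic keeps generic subjects such as "Re: hi" from flagging ordinary mail on their own.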
http://www.sophos.com/virusinfo/analyses/w32kedebee.html