Overview
Characteristics
When run, W32/Kespo drops the following files:
- c:\documents and settings\%USER%\local settings\temp\(Same prefix as original trojan file).xls (~12KB)
- %SYSTEMDIR%\kspoold.exe ( 285184 bytes )
- %SYSTEMDIR%\avmeter32.dll ( 60416 bytes )
- %WINDIR%\temp\uninstallc.tmp ( 682 bytes )
- %WINDIR%\temp\kspoold.txt
- c:\documents and settings\%USER%\application data\microsoft\office\recent\temp.lnk ( 689 bytes )
- c:\documents and settings\%USER%\application data\microsoft\office\recent\fdf82661.xls.lnk ( 804 bytes )
- c:\documents and settings\%USER%\local settings\temp\aegis.txt
- c:\documents and settings\%USER%\local settings\temp\uninstall log.dat
The non-executable files are data files or link files. The data files track what the virus has done, and can have content like the following:
3/30/2006 1:03:40 PM - Guardian process started
3/30/2006 1:05:12 PM - Virus service terminated, try to restore it
3/30/2006 1:05:12 PM - Restoring virus service file
3/30/2006 1:05:12 PM - Virus service file restored
3/30/2006 1:05:13 PM - Restarting virus service
or
3/30/2006 1:03:34 PM - K Print Spooler Service starting...
3/30/2006 1:03:35 PM - Scanner for drive C has been created and started
3/30/2006 1:03:35 PM - Scanner for drive D has been created and started
3/30/2006 1:03:35 PM - Mencari di folder D:\
3/30/2006 1:03:36 PM - Scanner for drive E has been created and started
3/30/2006 1:03:36 PM - Scanner for drive F has been created and started
3/30/2006 1:03:36 PM - Scanner for drive G has been created and started
3/30/2006 1:03:36 PM - K Print Spooler Service started
3/30/2006 1:03:38 PM - Mencari di folder D:\System Volume Information
3/30/2006 1:03:39 PM - Guardian process not exists, try create it
3/30/2006 1:03:39 PM - Explorer found (HWND: 65646) injecting it
3/30/2006 1:03:39 PM - Mencari di folder D:\
3/30/2006 1:03:40 PM - Guardian process created
The DLL and EXE files are pure viral code, and the XLS file is a blank, macroless Excel file. The DLL file is injected into the memory space of Explorer.exe.
The following registry keys are also created, to run kspoold.exe as a service:
- hkey_local_machine\system\currentcontrolset\services\kspooldaemon
- hkey_local_machine\system\currentcontrolset\services\kspooldaemon\displayname="K Print Spooler"
Symptoms
- Presence of the files and registry entries referenced previously
- Unexplained increase in size of executable files
Method of Infection
The virus replicates by infecting executable files on local and shared/remote drives.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
- Insert the Windows XP CD into the CD-ROM drive and restart the computer.
- When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
- Select the Windows installation that is compromised and provide the administrator password.
- Issue 'fixmbr' command to restore the Master Boot Record
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
On Windows Vista and 7:
- Insert the Windows CD into the CD-ROM drive and restart the computer.
- Click on "Repair Your Computer".
- When the System Recovery Options dialog comes up, choose the Command Prompt.
- Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
- Follow onscreen instructions.
- Reset and remove the CD from CD-ROM drive.
Variants