WORM_KOLAB.DL

This worm arrives via removable drives. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself into network drives. It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system. It takes advantage of software vulnerabilities to propagate across networks.

It deletes itself after execution.

Arrival Details

This worm arrives via removable drives.

It may arrive via network shares.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\drivers\lsass.exe
• %Windows%\system\scrss.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.)

It creates the following folders:

• {Drive letter}:\RECYCLER\{random SID}

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\rgasmcss
ImagePath = %Windows%\system\scrss.exe

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Policies\
Explorer\Run
Microsoft Driver Setup = %System%\drivers\lsass.exe

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\
Windows\CURRENTVERSION\Run
Microsoft Driver Setup = %System%\drivers\lsass.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = 0

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = 4

(Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = 4

(Note: The default value data of the said registry entry is 2.)

Propagation

This worm drops copies of itself into network drives.

It drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
;{garbage}
open=RECYCLER\{random SID}\lsass.exe
;{garbage}
icon=%windir%\system32\SHELL32.dll,4
;{garbage}
action=Open folder to view files
;{garbage}
shell\open=Open
;{garbage}
shell\open\command=RECYCLER\{random SID}\lsass.exe
;{garbage}
shell\open\default=1

or

[autorun]
open=RECYCLER\{random SID}\autorunme.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\{random SID}\autorunme.exe
shell\open\default=1

It takes advantage of the following software vulnerabilities to propagate across networks:

• (MS08-067) Vulnerability in Server Service Could Allow Remote Code Execution (958644)

Backdoor Routine

This worm connects to any of the following IRC server(s):

• www.msnarea.com
• www.justfacebook.net

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• FSM32.EXE
• FSMA32.EXE
• FSMB32.EXE
• GDFIRE~1.EXE
• GDFIREWALLTRAY.EXE
• GDFWSVC.EXE
• GMER.EXE
• GUARD.EXE
• GUARDXKICKOFF.EXE
• GUARDXSERVICE.EXE
• HACKMON.EXE
• HELIOS.EXE
• HFACSVC.EXE
• HIJACK-THIS.EXE
• HIJACKTHIS.EXE
• HIJACKTHIS_SFX.EXE
• HIJACKTHIS_V2.EXE
• HJ.EXE
• HJTINSTALL.EXE
• HJTSETUP.EXE
• HOOKANLZ.EXE
• HOSTSFILEREADER.EXE
• HPCSVC.EXE
• HSVCMOD.EXE
• ICESWORD.EXE
• IEFIX.EXE
• INICIO.EXE
• INSTALLWATCHPRO25.EXE
• ISSDM_EN_32.EXE
• ITMRTSVC.EXE
• JAJA.EXE
• K7EMLPXY.EXE
• K7FWSRVC.EXE
• K7PSSRVC.EXE
• K7RTSCAN.EXE
• K7SPMSRC.EXE
• K7SYSTRY.EXE
• K7TS_SETUP.EXE
• K7TSECURITY.EXE
• K7TSMNGR.EXE
• KAKASETUPV6.EXE
• KASMAIN.EXE
• KAV.EXE
• KAV32.EXE
• KAVPFW.EXE
• KAVSTART.EXE
• KAVSVC.EXE
• KILLAUTOPLUS.EXE
• KILLBOX.EXE
• KISSVC.EXE
• KPFW32.EXE
• KPFWSVC.EXE
• KVMONXP.KXP
• KVOL.EXE
• KVSRVXP.EXE
• KVXP.KXP
• KWATCH.EXE
• LISTO.EXE
• LIVESRV.EXE
• LORDPE.EXE
• MAKEREPORT.EXE
• MBAM-SETUP.EXE
• MBAM.EXE
• MCAGENT.EXE
• MCSHIELD.EXE
• MCUPDATE.EXE
• MCVSRTE.EXE
• MCVSSHLD.EXE
• MDMCLS32.EXE
• MKS_MAIL.EXE
• MKS_SCAN.EXE
• MKSADMINCONSOLE.EXE
• MKSFWALL.EXE
• MKSPC.EXE
• MKSREGMON.EXE
• MKSTRAY.EXE
• MKSUPDATE.EXE
• MKSVIRMONSVC.EXE
• MMC.EXE
• MRT.EXE
• MRTSTUB.EXE
• MSASCUI.EXE
• MSMPENG.EXE
• MSNCLEANER.EXE
• MSNFIX.EXE
• MYPHOTOKILLER.EXE
• NAVQSCAN.EXE
• NETALYZ.EXE
• NETMONSV.EXE
• NETSTAT.EXE
• NMAIN.EXE
• NOD32.EXE
• NOD32CC.EXE
• NOD32KRN.EXE
• NOD32KUI.EXE
• NOD32M2.EXE
• NPCGREENAGENT.NPC
• NSAVSVC.NPC
• NSPMAIN.EXE
• NSPSVC.EXE
• NSPUPDT.EXE
• NSPUPSVC.EXE
• NSUTILITY.EXE
• NSVMON.NPC
• NTVDM.EXE
• OBJMONSETUP.EXE
• OLLYDBG.EXE
• ONLINENT.EXE
• ONLNSVC.EXE
• OP_MON.EXE
• OTMOVEIT.EXEMBAM-SETUP.EXE
• P08PROMO.EXE
• PAVARK.EXE
• PAVBCKPT.EXE
• PAVFNSVR.EXE
• PAVPRSRV.EXE
• PAVSRV51.EXESRVLOAD.EXE
• PCTAV.EXEPCTAVSVC.EXEPXCONSOLE.EXEPXAGENT.EXERAV.EXE
• PCTSAUXS.EXE
• PCTSGUI.EXE
• PCTSSVC.EXE
• PCTSTRAY.EXE
• PENCLEAN.EXE
• PG2.EXE
• PGSETUP.EXE
• PORTDETECTIVE.EXE
• PORTMONITOR.EXE
• PPCLTPRIV.EXE
• PROCDUMP.EXE
• PROCESSMONITOR.EXE
• PROCEXP.EXE
• PROCMON.EXE
• PROJECTWHOISINSTALLER.EXE
• PSCTRLS.EXE
• PSHOST.EXE
• PSIMSVC.EXE
• PSKILL.EXE
• PSKMSSVC.EXE
• PUSCAN.EXE
• QHFW332.EXE
• QOELOADER.EXE
• QUHLPSVC.EXE
• RAVLITE.EXE
• RAVMOND.EXE
• RAVP.EXEMBAM.EXE123.COM
• RAVTASK.EXE
• REANIMATOR.EXE
• REG.EXE
• REGALYZ.EXE
• REGCOOL.EXE
• REGEDIT.COM
• REGEDIT.EXE
• REGEDIT.SCR
• REGISTRAR_LITE.EXE
• REGMON.EXE
• REGSCANNER.EXE
• REGSHOT.EXE
• REGUNLOCKER.EXETSNTEVAL.EXEXP_TASKMGRENAB.EXE
• REGX2.EXE
• RKD.EXE
• ROOTALYZER.EXE
• ROOTKIT_DETECTIVE.EXE
• ROOTKITBUSTER.EXE
• ROOTKITNO.EXE
• ROOTKITREVEALER.EXE
• RTVSCAN.EXE
• SAFEBOOTKEYREPAIR.EXEOTMOVEIT3.EXEHOSTSXPERT.EXEDAFT.EXE
• SAVADMINSERVICE.EXE
• SAVSERVICE.EXE
• SBAMSVC.EXE
• SBAMTRAY.EXE
• SBAMUI.EXE
• SCANMSG.EXE
• SCANWSCS.EXE
• SCFMANAGER.EXE
• SCFSERVICE.EXE
• SCHED.EXE
• SDFIX.EXE
• SEEM.EXE
• SENSOR.EXE
• SFCTLCOM.EXE
• SPF.EXE
• SPIDERML.EXE
• SPIDERNT.EXE
• SPIDERUI.EXE
• SPYBOTSD.EXE
• SPYBOTSD160.EXE
• SRENGLDR.EXE
• SRENGPS.EXE
• SRESTORE.EXE
• STARTDRECK.EXE
• STRTSVC.EXE
• SUPERANTISPYWARE.EXE
• SUPERKILLER.EXE
• SVCPRS32.EXE
• SYSANALYZER_SETUP.EXE
• TASKKILL.EXE
• TASKLIST.EXE
• TASKMAN.EXE
• TASKMON.EXE
• TASKSCHEDULER.EXE
• TCPVIEW.EXE
• TEATIMER.EXE
• TISSPWIZ.EXE
• TMBMSRV.EXE
• TMPFW.EXE
• TMPROXY.EXE
• TNBUTIL.EXE
• TPSRV.EXE
• TrendMicro_TISPro_16.1_1063_x32.EXE
• TSCFCOMMANDER.EXE
• UFNAVI.EXE
• UFSEAGNT.EXE
• 123.EXE
• 360HOTFIX.EXE
• 360RPT.EXE
• 360SAFE.EXE
• 360TRAY.EXE
• A2GUARD.EXE
• A2HIJACKFREE.EXE
• A2HIJACKFREESETUP.EXE
• A2SCAN.EXE
• A2SERVICE.EXE
• A2START.EXE
• ABREGMON.EXE.EXE
• ACAAS.EXE
• ACAEGMGR.EXE
• ACAIS.EXE
• ACALS.EXE
• ACS.EXE
• AFMAIN.EXE
• AHNSDSV.EXE
• ALERTMAN.EXE
• ALMON.EXE
• ALSVC.EXE
• APM.EXE
• APORTS.EXE
• APT.EXE
• APVXDWIN.EXE
• ARCABIT.CORE.CONFIGURATOR2.EXE
• ARCABIT.CORE.LOGGINGSERVICE.EXE
• ARCACHECK.EXE
• ARCAVIR.EXE
• ASHDISP.EXE
• ASHMAISV.EXE
• ASHSERV.EXE
• ASHWEBSV.EXE
• ASVIEWER.EXE
• ASWCLNR.EXE
• ASWUPDSV.EXE
• ATF-CLEANER.EXE
• AUTORUNS.EXE
• AVCENTER.EXE
• AVENGER.EXE
• AVENGINE.EXE
• AVGAMSVR.EXE
• AVGARKT.EXE
• AVGAS.EXE
• AVGEMC.EXE
• AVGNT.EXE
• AVGSCANX.EXE
• AVGUARD.EXE
• AVGUI.EXE
• AVGUPD.EXE
• AVGUPSVC.EXE
• AVGWDSVC.EXE
• AVINSTALL.EXE
• AVIRARKD.EXE
• AVKPROXY.EXE
• AVKSERVICE.EXE
• AVKTRAY.EXE
• AVKTUNERSERVICE.EXE
• AVKWCTL.EXE
• AVMENU.EXE
• AVZ.EXE
• AYAGENT.AYE
• AYSERVICENT.AYE
• BC5CA6A.EXE
• BDAGENT.EXE
• BDSS.EXE
• BOOTSAFE.EXE
• BOXMOD.EXE
• BUSCAREG.EXE
• CAFW.EXE
• CAGLOBALLIGHT.EXE
• CAPFASEM.EXE
• CAPFUPGRADE.EXE
• CATCHME.EXE
• CATEYE.EXE
• CAVASM.EXE
• CCENTER.EXE
• CCLEANER.EXE
• CCPROVSP.EXE
• CCSETUP210.EXE
• CCTRAY.EXE
• CF9409.EXE
• CFGMNG32.EXE
• CLAMTRAY.EXE
• CLAMWIN.EXE
• CMAIN.EXE
• CMDAGENT.EXE
• COMBOFIX.BAT
• COMBOFIX.COM
• COMBOFIX.EXE
• COMBOFIX.SCR
• COMMAND.COM
• COMPAQ_PROPIETARIO.EXE
• CPF.EXE
• CPORTS.EXE
• CPROCESS.EXE
• CUREIT.EXE
• DARKSPY105.EXE
• DEFWATCH.EXE
• DELAYDELFILE.EXE
• DLLCOMPARE.EXE
• DRWEB32W.EXE
• DRWEBSCD.EXE
• DUBATOOL_AV_KILLER.EXE
• ELISTA.EXE
• EMLPROUI.EXE
• EMLPROXY.EXE
• UISCAN.EXE
• ULIBCFG.EXE
• UMXAGENT.EXE
• UMXCFG.EXE
• UMXFWHLP.EXE
• UMXPOL.EXE
• UNHACKME.EXE
• UNIEXTRACT.EXE
• UNLOCKER1.8.7.EXE
• UPDATE.EXE
• UPSCHD.EXE
• VBA32-PERSONAL-LATEST-ENGLISH.EXE
• VBA32ADS.EXE
• VBA32LDR.EXE
• VIPRE.EXE
• VIRUS.EXE
• VIRUSUTILITIES.EXE
• VRFWSVC.EXE
• VRMONNT.EXE
• VRMONSVC.EXE
• VSMON.EXE
• VSSERV.EXE
• WEBPROXY.EXE
• WINDOWS-KB890930-V2.2.EXE
• WIRESHARK.EXE
• WITSETUP.EXE
• XCOMMSVR.EXE
• ZLCLIENT.EXE
• EULALYZERSETUP.EXE
• F-PROT.EXE
• F-PROT95.EXE
• F-STOPW.EXE
• FAMEH32.EXE
• FAST.EXE
• FCH32.EXE
• FIH32.EXE
• FILEALYZ.EXE
• FILEFIND.EXE
• FILELOCKSETUP.EXE
• FILEMONSV.EXE
• FIXBAGLE.EXE
• FIXPATH.EXE
• FNRB32.EXE
• FOLDERCURE.EXE
• FP-WIN.EXE
• FPAVSERVER.EXE
• FPORT.EXE
• FPROT.EXE
• FPROTTRAY.EXE
• FPWIN.EXE
• FSAA.EXE
• FSAUA.EXE
• FSAV.EXE
• FSAV32.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• FSB.EXE
• FSBL.EXE
• FSDFWD.EXE
• FSGK32.EXE
• FSGK32ST.EXE

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• http://www.sevy.{BLOCKED}.org/azenv.php
• http://www.{BLOCKED}ecurity.com/azenv.php
• http://www.{BLOCKED}heaven.com/azenv.php
• http://www.{BLOCKED}.net/deny2/azenv.php
• http://www.{BLOCKED}sy.com/azenv.php
• http://www.{BLOCKED}ion.com/images/azenv.php
• http://{BLOCKED}oorld.ovh.org/azenv.php
• http://{BLOCKED}orld.ifrance.com/azenv.php
• http://{BLOCKED}n.ath.cx/anon.php

It does the following:

• Uses the following file name extension(s) for copies it drops in network shares:
  • .scr
• Uses the IP address of the affected system when a command is received from the IRC server to scan for ports.
• Joins specific channels with the format #xx{number} using nicks and users generated from system information such as OS, service pack, country and affected system's name.
• Listens for commands from a remote malicious user upon successful connection:
  • Downloads an updated copy of itself
  • Downloads and executes files
  • Flush DNS
  • Lists, starts, and terminates processes
  • Propagate via MSN Messenger
  • Scan ports
  • Turns off Windows Firewall
  It executes these commands locally on an affected system, providing the remote user virtual control over the system.
• Attempts to access the following URL to send and receive information:
  
  • {BLOCKED}.{BLOCKED}.161.149:8280

It deletes itself after execution.