WORM_KOLAB.INC

This worm attempts to access a certain URL where its copy is hosted. It then copies this file as {random}.exe in removable drives.

It may also receive a command from a remote server to initiate propagation via instant messaging applications. It does this by checking if any of the running processes contains certain strings. It sends a link where the malware is hosted to all the user's contacts.

It also terminates and deletes security-related services by executing commands.

This worm arrives via removable drives. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. As of this writing, the said sites are inaccessible.

It terminates itself if it detects it is being run in a virtual environment.

Arrival Details

This worm arrives via removable drives.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %Application Data%\Google\Update\GoogleUpdate.exe
• %User Profile%\Cache\igfxscr86.exe
• %System%\igfxscr86.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It creates the following folders:

• {removable drive}\.trash

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• S3xY!

It is injected into the following processes running in memory:

• explorer.exe

It terminates itself if it finds the following processes in the affected system's memory:

• port
• vbox
• vmsrvc
• vmware
• tcpview
• wireshark.exe
• regshot.exe
• procmon.exe
• filemon.exe
• regmon.exe
• procdump.exe
• cports.exe
• procexp.exe
• squid.exe
• dumpcap.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Intel Service Driver = "{malware path and file name}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Google Update = "{malware path and file name}"

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallOverride = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
{malware path and file name} = "DisableNXShowUI"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\MRT
DontReportInfectionInformation = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = "1"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:Enabled:VLAN"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Minimal

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\SafeBoot\Network

Propagation

This worm drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open={malware path and filename}
icon=%windir%\system32\SHELL32.dll,4
action=Open the folder to view files using Explorer
shell\open=Open
shell\open\command={malware path and filename}
shell\open\default=1
shell\explore=Explore
shell\explore\command={malware path and filename}
shell\search=Search...
shell\search\command={malware path and filename}
useautoplay=1

It sends copies of itself to target recipients using the following instant-messaging (IM) applications:

• Skype
• AIM
• ICQ
• Yahoo Messenger
• Google Talk
• MSN Messenger
• Paltalk
• XFire

Backdoor Routine

This worm connects to any of the following IRC server(s):

• {BLOCKED}4.{BLOCKED}awanta.su

It joins any of the following IRC channel(s):

• #t8nted

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• drive32.exe
• msvmiode.exe
• teatimer.exe
• mrt.exe
• mrtstub.exe
• tcpview.exe
• hijackthis.exe
• msmpeng.exe
• msascui.exe
• mpcmdrun.exe
• usbguard.exe
• billy.exe
• nvsvc32.exettqrm.exe
• rvhost.exe
• xplorer.exe

Download Routine

This worm connects to the following malicious URLs:

• http://{BLOCKED}5.1{BLOCKED}7.213.67/net/debug1.txt

As of this writing, the said sites are inaccessible.

Other Details

This worm terminates itself if it detects it is being run in a virtual environment.

NOTES:

It attempts to access the following URL where its copy is hosted:

• http://{BLOCKED}c.ubersexy.su/net/vc1.exe

It then copies this file as {random}.exe in removable drives:

• {removable drive}\.trash\{random}.exe

It may also receive a command from a remote server to initiate propagation via instant messaging applications. It does this by checking if any of the running processes contains the strings below:

• skype
• aim
• icq.exe
• yahoomessenger
• ymsgr_tray.exe
• googletalk
• msnmsgr
• msmsgs
• paltalk.exe
• xfire.exe

It sends a link where the malware is hosted to all the user's contacts.

It does not continue execution if any of the following is true:

• Any of the window names below exists:
  • The Wireshark Network Analyzer
  • Microsoft Network Monitor 3.5
  • SmartSniff
  • CurrPorts
  • TCPViewClass
  • Process Monitor - Sysinternals: www.sysinternals.com
  • Regshot 1.8.2
  • PROCEXPL
• Any of the programs below are installed:
  • WinPCAP
  • WireShark
  • Ethereal
  • Microsoft Network Monitor 3

It terminates and deletes security-related services by executing the commands below:

• CMD /C net stop {service}
• CMD /C sc stop {service}
• CMD /C sc config {service} start= disabled
• CMD /C sc delete {service}

The following services are affected:

• CSIScanner
• K7RTScan
• K7TSMngr
• avast! Antivirus
• AntiVirService
• PASRV
• VSSERV
• avg8wd
• avg9wd
• NOD32krn
• ekrn
• McShield
• OutpostFirewall
• TmPfw
• KPF4
• SmcService
• Symantec Antivirus
• Norton Antivirus Server
• cmdAgent
• vsmon
• SbPF.Launcher
• SPF4
• acssrv
• SAVService
• SAVAdminService
• Sophos AutoUpdate Service
• Sophos Client Firewall
• Sophos Client Firewall Manager