WORM_KOLAB.SML

This worm sends copies of itself to target recipients using the instant-messaging (IM) application, MSN Messenger.

It executes commands from a remote user to connect to malicious sites to download files or updates of itself, create processes, kill processes or threads, and scan ports.

It retrieves information on the operating system version, service pack installed, IP address and local information of the infected machine.

It does not have information-stealing capabilities. It does not have rootkit capabilities.

It connects to Internet Relay Check (IRC) servers. It executes commands from a remote malicious user, effectively compromising the affected system.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system. As of this writing, the said sites are inaccessible.

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It modifies registry entries to disable the Windows Firewall settings. This action allows this malware to perform its routines without being deteted by the Windows Firewall.

It takes advantage of software vulnerabilities to propagate across networks.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %Windows%\ggdrive32.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• jng28gdrrg2fcs

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer\Run
Microsoft Driver Setup = "%Windows%\ggdrive32.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Microsoft Driver Setup = "%Windows%\ggdrive32.exe"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
{malware path and file name} = "{malware path and file name}:*:%Windows%\ggdrive32.exe"

It modifies the following registry entries to disable the Windows Firewall settings:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile
EnableFirewall = "0"

(Note: The default value data of the said registry entry is 1.)

Propagation

This worm takes advantage of the following software vulnerabilities to propagate across networks:

• Microsoft Security Bulletin MS06-040

It sends copies of itself to target recipients using the following instant-messaging (IM) applications:

• MSN Messenger

It sends the following messages using the aforementioned Instant Messaging applications:

Go fuck yourself

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• 123.COM
• 123.EXE
• 360HOTFIX.EXE
• 360RPT.EXE
• 360SAFE.EXE
• 360TRAY.EXE
• A2GUARD.EXE
• A2HIJACKFREE.EXE
• A2HIJACKFREESETUP.EXE
• A2SCAN.EXE
• A2SERVICE.EXE
• A2START.EXE
• ABREGMON.EXE.EXE
• ACAAS.EXE
• ACAEGMGR.EXE
• ACAIS.EXE
• ACALS.EXE
• ACS.EXE
• AFMAIN.EXE
• AHNSDSV.EXE
• ALERTMAN.EXE
• ALMON.EXE
• ALSVC.EXE
• APM.EXE
• APORTS.EXE
• APT.EXE
• APVXDWIN.EXE
• ARCABIT.CORE.CONFIGURATOR2.EXE
• ARCABIT.CORE.LOGGINGSERVICE.EXE
• ARCACHECK.EXE
• ARCAVIR.EXE
• ASHDISP.EXE
• ASHMAISV.EXE
• ASHSERV.EXE
• ASHWEBSV.EXE
• ASVIEWER.EXE
• ASWCLNR.EXE
• ASWUPDSV.EXE
• ATF-CLEANER.EXE
• AUTORUNS.EXE
• AVCENTER.EXE
• AVENGER.EXE
• AVENGINE.EXE
• AVGAMSVR.EXE
• AVGARKT.EXE
• AVGAS.EXE
• AVGEMC.EXE
• AVGNT.EXE
• AVGSCANX.EXE
• AVGUARD.EXE
• AVGUI.EXE
• AVGUPD.EXE
• AVGUPSVC.EXE
• AVGWDSVC.EXE
• AVINSTALL.EXE
• AVIRARKD.EXE
• AVKPROXY.EXE
• AVKSERVICE.EXE
• AVKTRAY.EXE
• AVKTUNERSERVICE.EXE
• AVKWCTL.EXE
• AVMENU.EXE
• AVZ.EXE
• AYAGENT.AYE
• AYSERVICENT.AYE
• BC5CA6A.EXE
• BDAGENT.EXE
• BDSS.EXE
• BOOTSAFE.EXE
• BOXMOD.EXE
• BUSCAREG.EXE
• CAFW.EXE
• CAGLOBALLIGHT.EXE
• CAPFASEM.EXE
• CAPFUPGRADE.EXE
• CATCHME.EXE
• CATEYE.EXE
• CAVASM.EXE
• CCENTER.EXE
• CCLEANER.EXE
• CCPROVSP.EXE
• CCSETUP210.EXE
• CCTRAY.EXE
• CF9409.EXE
• CFGMNG32.EXE
• CLAMTRAY.EXE
• CLAMWIN.EXE
• CMAIN.EXE
• CMDAGENT.EXE
• COMBOFIX.BAT
• COMBOFIX.COM
• COMBOFIX.EXE
• COMBOFIX.SCR
• COMMAND.COM
• COMPAQ_PROPIETARIO.EXE
• CPF.EXE
• CPORTS.EXE
• CPROCESS.EXE
• CUREIT.EXE
• DAFT.EXE
• DARKSPY105.EXE
• DEFWATCH.EXE
• DELAYDELFILE.EXE
• DLLCOMPARE.EXE
• DRWEB32W.EXE
• DRWEBSCD.EXE
• DUBATOOL_AV_KILLER.EXE
• ELISTA.EXE
• EMLPROUI.EXE
• EMLPROXY.EXE
• EULALYZERSETUP.EXE
• F-PROT.EXE
• F-PROT95.EXE
• F-STOPW.EXE
• FAMEH32.EXE
• FAST.EXE
• FCH32.EXE
• FIH32.EXE
• FILEALYZ.EXE
• FILEFIND.EXE
• FILELOCKSETUP.EXE
• FILEMONSV.EXE
• FIXBAGLE.EXE
• FIXPATH.EXE
• FNRB32.EXE
• FOLDERCURE.EXE
• FP-WIN.EXE
• FPAVSERVER.EXE
• FPORT.EXE
• FPROT.EXE
• FPROTTRAY.EXE
• FPWIN.EXE
• FSAA.EXE
• FSAUA.EXE
• FSAV.EXE
• FSAV32.EXE
• FSAV530STBYB.EXE
• FSAV530WTBYB.EXE
• FSAV95.EXE
• FSB.EXE
• FSBL.EXE
• FSDFWD.EXE
• FSGK32.EXE
• FSGK32ST.EXE
• FSM32.EXE
• FSMA32.EXE
• FSMB32.EXE
• GDFIREWALLTRAY.EXE
• GDFIRE~1.EXE
• GDFWSVC.EXE
• GMER.EXE
• GUARD.EXE
• GUARDXKICKOFF.EXE
• GUARDXSERVICE.EXE
• HACKMON.EXE
• HELIOS.EXE
• HFACSVC.EXE
• HIJACK-THIS.EXE
• HIJACKTHIS.EXE
• HIJACKTHIS_SFX.EXE
• HIJACKTHIS_V2.EXE
• HJ.EXE
• HJTINSTALL.EXE
• HJTSETUP.EXE
• HOOKANLZ.EXE
• HOSTSFILEREADER.EXE
• HOSTSXPERT.EXE
• HPCSVC.EXE
• HSVCMOD.EXE
• ICESWORD.EXE
• IEFIX.EXE
• INICIO.EXE
• INSTALLWATCHPRO25.EXE
• ISSDM_EN_32.EXE
• ITMRTSVC.EXE
• JAJA.EXE
• K7EMLPXY.EXE
• K7FWSRVC.EXE
• K7PSSRVC.EXE
• K7RTSCAN.EXE
• K7SPMSRC.EXE
• K7SYSTRY.EXE
• K7TS_SETUP.EXE
• K7TSECURITY.EXE
• K7TSMNGR.EXE
• KAKASETUPV6.EXE
• KASMAIN.EXE
• KAV.EXE
• KAV32.EXE
• KAVPFW.EXE
• KAVSTART.EXE
• KAVSVC.EXE
• KILLAUTOPLUS.EXE
• KILLBOX.EXE
• KISSVC.EXE
• KPFW32.EXE
• KPFWSVC.EXE
• KVMONXP.KXP
• KVOL.EXE
• KVSRVXP.EXE
• KVXP.KXP
• KWATCH.EXE
• LISTO.EXE
• LIVESRV.EXE
• LORDPE.EXE
• MAKEREPORT.EXE
• MBAM-SETUP.EXE
• MBAM.EXE
• MCAGENT.EXE
• MCSHIELD.EXE
• MCUPDATE.EXE
• MCVSRTE.EXE
• MCVSSHLD.EXE
• MDMCLS32.EXE
• MKS_MAIL.EXE
• MKS_SCAN.EXE
• MKSADMINCONSOLE.EXE
• MKSFWALL.EXE
• MKSPC.EXE
• MKSREGMON.EXE
• MKSTRAY.EXE
• MKSUPDATE.EXE
• MKSVIRMONSVC.EXE
• MMC.EXE
• MRT.EXE
• MRTSTUB.EXE
• MSASCUI.EXE
• MSMPENG.EXE
• MSNCLEANER.EXE
• MSNFIX.EXE
• MYPHOTOKILLER.EXE
• NAVQSCAN.EXE
• NETALYZ.EXE
• NETMONSV.EXE
• NETSTAT.EXE
• NMAIN.EXE
• NOD32.EXE
• NOD32CC.EXE
• NOD32KRN.EXE
• NOD32KUI.EXE
• NOD32M2.EXE
• NPCGREENAGENT.NPC
• NSAVSVC.NPC
• NSPMAIN.EXE
• NSPSVC.EXE
• NSPUPDT.EXE
• NSPUPSVC.EXE
• NSUTILITY.EXE
• NSVMON.NPC
• NTVDM.EXE
• OBJMONSETUP.EXE
• OLLYDBG.EXE
• ONLINENT.EXE
• ONLNSVC.EXE
• OP_MON.EXE
• OTMOVEIT.EXE
• OTMOVEIT3.EXE
• P08PROMO.EXE
• PAVARK.EXE
• PAVBCKPT.EXE
• PAVFNSVR.EXE
• PAVPRSRV.EXE
• PAVSRV51.EXE
• PCTAV.EXE
• PCTAVSVC.EXE
• PCTSAUXS.EXE
• PCTSGUI.EXE
• PCTSSVC.EXE
• PCTSTRAY.EXE
• PENCLEAN.EXE
• PG2.EXE
• PGSETUP.EXE
• PORTDETECTIVE.EXE
• PORTMONITOR.EXE
• PPCLTPRIV.EXE
• PROCDUMP.EXE
• PROCESSMONITOR.EXE
• PROCEXP.EXE
• PROCMON.EXE
• PROJECTWHOISINSTALLER.EXE
• PSCTRLS.EXE
• PSHOST.EXE
• PSIMSVC.EXE
• PSKILL.EXE
• PSKMSSVC.EXE
• PUSCAN.EXE
• PXAGENT.EXE
• PXCONSOLE.EXE
• QHFW332.EXE
• QOELOADER.EXE
• QUHLPSVC.EXE
• RAV.EXE
• RAVLITE.EXE
• RAVMOND.EXE
• RAVP.EXE
• RAVTASK.EXE
• REANIMATOR.EXE
• REG.EXE
• REGALYZ.EXE
• REGCOOL.EXE
• REGEDIT.COM
• REGEDIT.EXE
• REGEDIT.SCR
• REGISTRAR_LITE.EXE
• REGMON.EXE
• REGSCANNER.EXE
• REGSHOT.EXE
• REGUNLOCKER.EXE
• REGX2.EXE
• RKD.EXE
• ROOTALYZER.EXE
• ROOTKIT_DETECTIVE.EXE
• ROOTKITBUSTER.EXE
• ROOTKITNO.EXE
• ROOTKITREVEALER.EXE
• RTVSCAN.EXE
• SAFEBOOTKEYREPAIR.EXE
• SAVADMINSERVICE.EXE
• SAVSERVICE.EXE
• SBAMSVC.EXE
• SBAMTRAY.EXE
• SBAMUI.EXE
• SCANMSG.EXE
• SCANWSCS.EXE
• SCFMANAGER.EXE
• SCFSERVICE.EXE
• SCHED.EXE
• SDFIX.EXE
• SEEM.EXE
• SENSOR.EXE
• SFCTLCOM.EXE
• SPF.EXE
• SPIDERML.EXE
• SPIDERNT.EXE
• SPIDERUI.EXE
• SPYBOTSD.EXE
• SPYBOTSD160.EXE
• SRENGLDR.EXE
• SRENGPS.EXE
• SRESTORE.EXE
• SRVLOAD.EXE
• STARTDRECK.EXE
• STRTSVC.EXE
• SUPERANTISPYWARE.EXE
• SUPERKILLER.EXE
• SVCPRS32.EXE
• SYSANALYZER_SETUP.EXE
• TASKKILL.EXE
• TASKLIST.EXE
• TASKMAN.EXE
• TASKMON.EXE
• TASKSCHEDULER.EXE
• TCPVIEW.EXE
• TEATIMER.EXE
• TISSPWIZ.EXE
• TMBMSRV.EXE
• TMPFW.EXE
• TMPROXY.EXE
• TNBUTIL.EXE
• TPSRV.EXE
• TrendMicro_TISPro_16.1_1063_x32.EXE
• TSCFCOMMANDER.EXE
• TSNTEVAL.EXE
• UFNAVI.EXE
• UFSEAGNT.EXE
• UISCAN.EXE
• ULIBCFG.EXE
• UMXAGENT.EXE
• UMXCFG.EXE
• UMXFWHLP.EXE
• UMXPOL.EXE
• UNHACKME.EXE
• UNIEXTRACT.EXE
• UNLOCKER1.8.7.EXE
• UPDATE.EXE
• UPSCHD.EXE
• VBA32-PERSONAL-LATEST-ENGLISH.EXE
• VBA32ADS.EXE
• VBA32LDR.EXE
• VIPRE.EXE
• VIRUS.EXE
• VIRUSUTILITIES.EXE
• VRFWSVC.EXE
• VRMONNT.EXE
• VRMONSVC.EXE
• VSMON.EXE
• VSSERV.EXE
• WEBPROXY.EXE
• WINDOWS-KB890930-V2.2.EXE
• WIRESHARK.EXE
• WITSETUP.EXE
• XCOMMSVR.EXE
• XP_TASKMGRENAB.EXE
• ZLCLIENT.EXE

NOTES:

Backdoor Routine

This worm connects to any of the following Internet Relay Chat (IRC) servers:

• {BLOCKED}a.taybasoft.com

It executes the following commands from a remote malicious user:

• Connect to malicious sites to download files or updates of itself
• Create processes
• Kill processes or threads
• Scan ports

Download Routine

This worm connects to the following proxy sites:

• http://www.{BLOCKED}e.net/cgi-bin/envchk/prxjdg.cgi
• http://{BLOCKED}o.hp.infoseek.co.jp/cgi-bin/nph/prxjdg.cgi
• http://www.{BLOCKED}sy.com/cgi-bin/prxjdg.cgi
• http://www.{BLOCKED}p.info/cgi-bin/prxjdg.cgi
• http://{BLOCKED}tegod.com/cgi-bin/prxjdg.cgi
• http://www16.{BLOCKED}2.com/home/aquemai/cgi-bin/prxjdg.cgi
• http://{BLOCKED}.{BLOCKED}.22.245/prxjdg.cgi
• http://www.{BLOCKED}n.to/cgi-bin/prxjdg.cgi
• http://{BLOCKED}ys.ru/img/prxjdg.cgi

It connects to the following websites to download and execute a malicious file:

• http://b.{BLOCKED}g.net/xxudv.exe - detected as WORM_PALEVO.SMS

It saves the file it downloads using the following name:

• %System Root%\xdx.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

As of this writing, the said sites are inaccessible.

Other Details

This worm uses port 6939 in order to connect to the IRC server mentioned above.

It joins the following channel:

• #!,#Ma

• Operating System Version
• Service Pack installed
• IP address
• Local information

• NICK [N00_{Country}_{OS}_{random numbers}]
• USER {Service Pack}-{random numbers}
• PASS laorosr

• ARG
• CHN
• CZE
• DAN
• DEU
• ESP
• FIN
• FRA
• HUN
• ITA
• JAP
• KOR
• NLD
• NOR
• PLK
• PRT
• RUS
• SVE
• TUR
• USA
• VEN
• XXX

• 2K
• 2K3
• 95
• 98
• ME
• NT
• WIN
• XP

• %Windows%/lfffile32.log