Analysis by: MarfelTi
 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

This worm connects to specific IRC channels and uses the nick n3t.

It creates the mutex "S3xY!" for its main executable.

It may execute certain commands from a remote malicious user.

This Trojan arrives by connecting affected removable drives to a system. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It connects to a website to send and receive information.

  TECHNICAL DETAILS

File Size: 232,448 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 30 Jun 2011
Payload: Compromises system security, Connects to URLs/IPs

Arrival Details

This Trojan arrives by connecting affected removable drives to a system.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan injects itself into the following processes running in the affected system's memory:

  • Explorer.exe

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • muipcdraotse

Propagation

This Trojan drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open=
icon=%windir%\system32\SHELL32.dll,4
action=Open drive to view files with Explorer
shell\open=Open
shell\open\command=
shell\open\default=1
shell\explore=Explore
shell\explore\command=
shell\search=Search...
shell\search\command=
useautoplay=1

It sends copies of itself to target recipients using the following instant-messaging (IM) applications:

  • Skype
  • Blast IM
  • Paltalk

Backdoor Routine

This Trojan joins any of the following IRC channel(s):

  • ##4ucku

It connects to the following websites to send and receive information:

  • {BLOCKED}7.intelsecurity.su

NOTES:

It connects to specific IRC channels and uses the nick n3t.

It creates the mutex "S3xY!" for its main executable.

It may execute the following commands from a remote malicious user:

  • down_exec
  • IM
  • IMSTOP
  • start-scan
  • stop-scan
  • update
  • visit

    •   SOLUTION

    Minimum Scan Engine: 8.900

    Step 1

    Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

    Step 2

    Restart in Safe Mode

    [ Learn More ]

    Step 3

    Search and delete AUTORUN.INF files created by WORM_KOLAB.SMK that contain these strings

    [ Learn More ]


    [AutoRun]
    open=
    icon=%windir%\system32\SHELL32.dll,4
    action=Open drive to view files with Explorer
    shell\open=Open
    shell\open\command=
    shell\open\default=1
    shell\explore=Explore
    shell\explore\command=
    shell\search=Search...
    shell\search\command=
    useautoplay=1

    Step 4

    Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_KOLAB.SMK. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


    Did this description help? Tell us how we did.