WORM_KOLAB.SMI

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\igfxdw32.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• S3xY!

It injects itself into the following processes as part of its memory residency routine:

• explorer.exe

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Intel WLAN Service = %System%\igfxdw32.exe

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\igfxdw32.exe = DisableNXShowUI

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\DomainProfile\AuthorizedApplications\
List
%System%\igfxdw32.exe = %System%\igfxdw32.exe:*:Enabled:xLAN

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%System%\igfxdw32.exe = %System%\igfxdw32.exe:*:Enabled:xLAN

Propagation

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

;{garbage characters}
[AutoRun]
;{garbage characters}
open=~TempCfg\cf-p860165.exe
;{garbage characters}
icon=%windir%\system32\SHELL32.dll,4
;{garbage characters}
action=Open drive to view files with Explorer
;{garbage characters}
shell\open=Open
;{garbage characters}
shell\open\command=~TempCfg\cf-p860165.exe
;{garbage characters}
shell\open\default=1
;{garbage characters}
shell\explore=Explore
;{garbage characters}
shell\explore\command=~TempCfg\cf-p860165.exe
;{garbage characters}
shell\search=Search...
;{garbage characters}
shell\search\command=~TempCfg\cf-p860165.exe
;{garbage characters}
useautoplay=1
;{garbage characters}

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• download and execute files
• download updated copy of itself

It connects to the following websites to send and receive information:

• sv{random}.{BLOCKED}ecurity.su

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• BILLY.EXE
• HIJACKTHIS.EXE
• MPCMDRUN.EXE
• MRT.EXE
• MRTSTUB.EXE
• MSASCUI.EXE
• MSMPENG.EXE
• TCPVIEW.EXE
• TEATIMER.EXE
• USBGUARD.EXE

It terminates processes or services that contain any of the following strings if found running in the affected system's memory:

• acs
• aim
• ashserv
• avg
• avguard
• cmdagent
• cmmon32.exe
• drive32.exe
• drwebcom
• dwengine
• ekrn
• googletalk
• icq.exe
• k7rtscan
• kpf4
• mbamservice
• mcshield
• msmsgs
• msnmsgr
• msvmiode.exe
• nod32krn
• outpost
• paltalk.exe
• prevx
• rtvscan
• rvhost.exe
• savservice
• sbpflnch
• serivces.exe
• skype
• smc
• spidernt
• spysweeper
• tmpfw
• ttqrm.exe
• txyrm.exe
• uiWatchDog.exe
• usbmngr.exe
• vsmon
• vsserv
• windefender.exe
• xfire.exe
• yahoom
• ymsgr_tray.exe

Download Routine

This worm downloads an updated copy of itself from the following website(s):

• http://vps{random}.{BLOCKED}ackupsvc.su/net/p1.exe

NOTES:

It does not continue its routine under the following conditions:

• Filename of the sample executed is any of the following:
  • malware
  • sample
  • sand-box
  • test
  • virus
• Computer name or username is any of the following:
  • DELL-D3E62F7E26
  • HOME-OFF-D5F0AC
  • KAKAPROU-6405DA
  • Malekal
  • MORTE
  • VMG-CLIENT
• The value of 0 under the the registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum contains any of the following strings:
  • QEMU
  • VBox
  • Virtual
  • VMware
• A process that contains any of the following strings is running in the affected system:
  • cports.exe
  • dumpcap.exe
  • filemon.exe
  • port
  • procdump.exe
  • procexp.exe
  • procmon.exe
  • regmon.exe
  • regshot.exe
  • sandbox
  • sbiectrl.exe
  • squid.exe
  • tcpview
  • vbox
  • vmsrvc
  • vmware
  • wireshark.exe
• A window with any of the following titles is found:
  • CurrPorts
  • Microsoft Network Monitor 3.3
  • Process Monitor - Sysinternals: www.sysinternals.com
  • PROCEXPL
  • Regshot 1.8.2
  • SmartSniff
  • The Wireshark Network Analyzer