WORM_KOLABC.FI
Windows 98, ME, NT, 2000, XP, Server 2003
Threat Type:
Destructiveness: No
Encrypted:
In the wild: Yes
TECHNICAL DETAILS
142335 bytes
Yes
17 Dec 2009
Installation
This Worm drops the following copies of itself into the affected system:
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1
(Default)=Accessibility
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\FLAGS
(Default)=4
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\win32
(Default)=%System%\oleacc.dll
HKEY_CLASSES_ROOT\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\HELPDIR
(Default)=%Windows%\System32
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}
(Default)=IAccessibleHandler
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\ProxyStubClsid
(Default)={00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\ProxyStubClsid32
(Default)={00020424-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
(Default)={1EA4DBF0-3C3B-11CF-810C-00AA00389B71}
HKEY_CLASSES_ROOT\Interface\{03022430-ABC4-11D0-BDE2-00AA001A1953}\TypeLib
Version=1.1- %Fonts%\unwise_.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This Worm registers as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
Other System Modifications
This Worm adds the following registry keys:
SOLUTION
Step 1
Terminate the malware/grayware/spyware process:
Step 2
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry. Before you could do this, you must restart in Safe Mode. For instructions on how to do this, you may refer to this page If the preceding step requires you to restart in safe mode, you may proceed to edit the system registry.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
- Windows Hosts Controller
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Shell Extensions
- msgone={malware path and filename}
- intime=12/14/2009, 07:33 AM
- reup=cf8
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\MICROSOFT\Windows\WindowsUpdate
- DoNotAllowXPSP2=1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\MICROSOFT\WINDOWS NT\Windows File Protection
- SFCDisable=ffffff9d
- SFCScan=0
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Security Center
- AntiVirusDisableNotify=1
- AntiVirusOverride=1
- FirewallDisableNotify=1
- FirewallOverride=1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\MICROSOFT\MRT
- DontReportInfectionInformation=1
Step 4
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer"s registry.
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\OLE
- From: EnableDCOM=N
+ To: EnableDCOM=Y
- From: EnableDCOM=N
- HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Shell Extensions
- From: reup=cf9
+ To: reup=cf8
- From: reup=cfa
+ To: reup=cf9
- From: reup=cfb
+ To: reup=cfa
- From: reup=cfc
+ To: reup=cfb
- From: reup=cfd
+ To: reup=cfc
- From: reup=cfe
+ To: reup=cfd
- From: reup=cff
+ To: reup=cfe
- From: reup=d00
+ To: reup=cff
- From: reup=d01
+ To: reup=d00
- From: reup=d02
+ To: reup=d01
- From: reup=d04
+ To: reup=d03
- From: reup=d05
+ To: reup=d04
- From: reup=d06
+ To: reup=d05
- From: reup=cf9
Step 5
Search and delete these files
- %Fonts%\unwise_.exe
Note: To do a search for the following files, right-click Start then click Search... or Find..., depending on the version of Windows you are running. For each file to be deleted, type its file name in the Named input box. In the Look In drop-down list, select My Computer, then press Enter.
Step 6
Scan your computer with your Trend Micro product to delete files detected as
WORM_KOLABC.FI
*Note: If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.