WORM_KOLAB.HC
Troj/Nyrate-L (Sophos), W32/Kryptik.ANN!tr (Fortinet) ,W32/FraudLoad.B.gen!Eldorado (generic, not disinfectable) (Fprot) ,Worm:Win32/Rimecud.B (Microsoft) ,W32/Rimecud.gen.bm (McAfee) ,a variant of Win32/Injector.AWY trojan (Eset) ,W32.Pilleuz (Symantec) ,Generic (Panda)
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via instant messaging applications, Propagates via flashdrives, Propagates via peer-to-peer networks
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
332,295 bytes
EXE
02 Oct 2012
Compromises system security
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following non-malicious files:
- %System Root%\RECYCLER\{SID}\Desktop.ini
- {drive letter}:\usecure\Desktop.ini
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It drops the following copies of itself into the affected system:
- %System Root%\RECYCLER\{SID}\MsMxEng.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\RECYCLER\{SID}
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Taskman = "%System Root%\RECYCLER\{SID}\MsMxEng.exe"
Propagation
This worm creates the following folders in all removable drives:
- usecure
It drops the following copy(ies) of itself in all removable drives:
- usecure\usecure32.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
;{garbage code}
[autorun
;{garbage code}
open=usecure/usecure32.exe
;{garbage code}
icon=%SystemRoot%\system32\SHELL32.dll,4
;{garbage code}
action=Open folder to view files using Windows Explorer
;{garbage code}
USEAUToplay=1
;{garbage code}
shell\open\\command=usecure/usecure32.exe
;{garbage code}
shell\\explore\command=usecure/usecure32.exe
;{garbage code}
Other Details
This worm connects to the following possibly malicious URL:
- {BLOCKED}mind.cn
- {BLOCKED}racypetition.com
- {BLOCKED}slounge.com