Net-Worm.Win32.Kolab

Detect Date 04/13/2011
Class Net-Worm
Platform Win32
Description

The worm’s entire payload is executed through code that is injected into the address space of the process “EXPLORER.EXE”. The payload is not executed if any one of the following conditions is fulfilled:

  • The following branch is missing from the system registry:
    [HKCU\Control Panel\PowerCfg\PowerPolicies]
  • The current user’s account name is:
    USERNAME
    user
    COMPUTERNAME
    CurrentUser
  • The following libraries are loaded in the worm’s address space:
    SbieDll.dll
    dbghelp.dll
    api_log.dll
    dir_watch.dll
    pstorec.dll
  • The worm’s original file was saved in the system as:
    c:\file.exe

After injecting its code into the process “EXPLORER.EXE”, the worm performs the following actions:

  • To ensure that the process is unique within the system, a unique identifier is created, which is named:
  • To provide access to the infected system, the following named pipe is created:
    \\.\pipe\rrreokdirjiurururr
  • A connection is established to the malicious user’s server:
    di***ind.cn
    ant***tition.com
    fre***unge.com

Following a command by the malicious user, the worm can perform the following actions on the infected computer:

  • Organize a DoS attack on specified servers.
  • Download files from links sent to it. The downloaded files are saved in the current user’s temporary files directory “%Temp%” under random names.
  • Download an updated version of the worm from the malicious user’s server.
  • Analyze the settings files of these browsers:
    Mozilla Firefox
    Internet Explorer
    Google Chrome
    Opera
    for the purpose of stealing passwords saved in them.
  • Steal and modify browser cookies. To do this, the worm uses the “sqlite” module built into the Mozilla Firefox browser.
  • The actions described in the “Installation” and “Propagation” sections.

The worm exchanges messages of the following types with the malicious user’s server:

    Scan stopped
    Scan running
    Scan started
    KB data sent: <number>
    SYN packets sent: <number>
    Flood running
    flood stopped: <string>
    flooding: <string>
    Drive infected: <string>
    USB spreader running
    P2P Copy to: <string>
    MSN spreader running
    MSN spread started, link: <string>
    MSN link sent

  • By command from the malicious user, it can also substitute the “hosts” file:
    %System%\drivers\etc\hosts

At the time of writing, the malicious user’s server was not responding.
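The status messages listed above are a usable hunting signal in decoded bot-to-server traffic or sandbox network logs. As an added example (not part of the original description), the following Python matches lines against those message templates and aggregates what the bot reported; the activity categories, the function names and the sample lines are constructed assumptions.

```python
import re

# Status message templates from the description above; "<number>"/"<string>" are the
# page's placeholders and become named groups. The activity categories are assumed.
_TEMPLATES = [  # (event kind, activity category, regex body)
    ("scan_stopped", "scan", r"Scan stopped"),
    ("scan_running", "scan", r"Scan running"),
    ("scan_started", "scan", r"Scan started"),
    ("kb_data_sent", "dos", r"KB data sent: (?P<number>\d+)"),
    ("syn_packets_sent", "dos", r"SYN packets sent: (?P<number>\d+)"),
    ("flood_running", "dos", r"Flood running"),
    ("flood_stopped", "dos", r"flood stopped: (?P<string>.+)"),
    ("flooding", "dos", r"flooding: (?P<string>.+)"),
    ("drive_infected", "spread", r"Drive infected: (?P<string>.+)"),
    ("usb_spreader", "spread", r"USB spreader running"),
    ("p2p_copy", "spread", r"P2P Copy to: (?P<string>.+)"),
    ("msn_spreader", "spread", r"MSN spreader running"),
    ("msn_spread_started", "spread", r"MSN spread started, link: (?P<string>.+)"),
    ("msn_link_sent", "spread", r"MSN link sent"),
]
_COMPILED = [(k, c, re.compile(rf"^{body}$")) for k, c, body in _TEMPLATES]

def parse_status(line):
    """Return {kind, category, value} for a Kolab status line, else None."""
    for kind, category, pat in _COMPILED:
        m = pat.match(line.strip())
        if m:
            value = m.groupdict().get("number") or m.groupdict().get("string")
            return {"kind": kind, "category": category, "value": value}
    return None

def summarize(lines):
    """Per-category counts plus DoS volume and the flood targets the bot reported."""
    out = {"by_category": {}, "kb_sent": 0, "syn_sent": 0, "flood_targets": set()}
    for ev in filter(None, map(parse_status, lines)):
        cat = ev["category"]
        out["by_category"][cat] = out["by_category"].get(cat, 0) + 1
        if ev["kind"] == "kb_data_sent":
            out["kb_sent"] += int(ev["value"])
        elif ev["kind"] == "syn_packets_sent":
            out["syn_sent"] += int(ev["value"])
        elif ev["kind"] in ("flooding", "flood_stopped"):
            out["flood_targets"].add(ev["value"])
    return out

# Constructed sample of a decoded session (not real traffic); the HTTP line is noise.
SAMPLE_LINES = ["Scan started", "flooding: target.example", "SYN packets sent: 1500",
                "KB data sent: 320", "SYN packets sent: 2500", "flood stopped: target.example",
                "Drive infected: E:", "MSN spread started, link: http://link.example/x",
                "MSN link sent", "GET / HTTP/1.1"]
```

Feeding `summarize` a decoded session gives the DoS volume and the targets the bot claimed to flood, which is the part worth escalating when such traffic is seen from an internal host.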