Malware Net-Worm.Win32.Kolab.ylu

Posted: August 30, 2012 in Encyclopedia viruses

Malware Net-Worm.Win32.Kolab.ylu – This worm copies itself to removable drives and downloads and installs other software on the victim machine without the user's knowledge.

Technical details

This worm copies itself to removable drives and downloads and installs other software on the victim machine without the user's knowledge. It is a Windows PE DLL file, 60,928 bytes in size, packed with an unknown packer; the unpacked size is about 136 KB. Written in C++.

Installation

Copies its body to the current user's temporary directory under the name:

%Temp%\srv<rnd>.tmp

where <rnd> is a random string of digits and Latin letters, for example "7E4" or "1E8".

To run the created copy automatically at every system start, the worm creates a service, controlled by the registry key:

[HKLM\System\CurrentControlSet\Services\srv<rnd>]

In a separate thread the worm continuously restores its service entry in the registry, so deleting the key while the worm is running does not remove it. To run in safe mode as well, the worm creates the following registry entry:

[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\srv<rnd>] "(default)" = "service"

Distribution

The worm uses the following distribution mechanisms:

Spreads over the network from the infected computer by exploiting the MS08-067 vulnerability (Server service, CVE-2008-4250).

The worm copies its body to the root of every writable removable drive connected to the infected computer (<X> below is the drive letter):

<X>:\setup50045.fon

It also creates the shortcut files:

<X>:\myporno.avi.lnk
<X>:\pornmovs.lnk
<X>:\setup50045.lnk

which are designed to launch the worm when opened.

Alongside its copy, the worm places the following file in the root of the infected disk:

<X>:\autorun.inf

This file causes the worm to run every time the user opens the infected disk in Explorer on systems where AutoRun is still enabled for removable drives.

The created files are given the "hidden" and "system" attributes.

Destructive activity

The worm injects its code into the system process:

spoolsv.exe

which hosts the service:

spooler (Print Spooler)

It then carries out installation and distribution in separate threads. The worm stores its settings in the file:

%Temp%\srv<rnd>.ini

which contains the following lines:

[Main]
source=1
affid=50045
id=bbbbbbbbbbbb
server=http://195.**.***.136/
Downloaded=1

where the id field is taken from the "MachineGuid" value in the registry key:

[HKLM\Software\Microsoft\Cryptography]

The worm reports to the following URL:

http://195.***.***.138/service/listener.php?affid=50045

and downloads third-party software from the following URL:

http://195.***.***.139/service/scripts/files/aff_50045.dal

At the time of writing, various versions of malware from the Trojan-Dropper.Win32.TDSS family were being downloaded.

The downloaded file is saved in the current user's temporary directory as:

%Temp%\<rnd>.tmp

where <rnd> is a random string of digits and letters. The worm then executes the downloaded file.

Removal

If your computer was not protected by antivirus and has been infected with this malware, do the following to remove it:

Stop the service (the worm's injected code runs inside spoolsv.exe and keeps re-creating its service key for as long as that process is running, so this step must come first):

spooler

To do this, run the following command:

sc stop spooler

Remove registry keys:

[HKLM\System\CurrentControlSet\Services\srv<rnd>]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\srv<rnd>]

Delete files:

%Temp%\srv<rnd>.tmp
%Temp%\srv<rnd>.ini
<X>:\setup50045.fon
<X>:\myporno.avi.lnk
<X>:\pornmovs.lnk
<X>:\setup50045.lnk
<X>:\autorun.inf
%Temp%\<rnd>.tmp

Delete the original worm file (its location on the victim machine depends on how the program originally got onto the computer).
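The following PowerShell triage script is an added example and is not part of the original description. It sweeps a host for the indicators listed above (the srv<rnd> service and its SafeBoot entry, the srv<rnd>.tmp and srv<rnd>.ini files in the Temp directories, and the dropped files in the root of removable drives), pulls the affid and server values out of any config file it finds, and with -Remove performs the cleanup in the order the worm's behaviour requires: Spooler first, then registry keys, then files. The service-name pattern, the check of ImagePath and Parameters\ServiceDll, and the PE-header heuristic used to flag the randomly named downloaded payload are assumptions not stated in the article; confirm them against the report before removing anything.

```powershell
# Added triage example for the Kolab.ylu indicators described in this article.
# Not part of the original description. Run in an elevated PowerShell session.
# Assumptions (not stated in the article): the service name matches srv<rnd>
# with a short alphanumeric suffix, and its ImagePath or Parameters\ServiceDll
# points at the %Temp%\srv<rnd>.tmp copy. Review the report before using -Remove.
[CmdletBinding()]
param([switch]$Remove)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Path, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail })
}
# Returns $true when the file starts with the 'MZ' signature (the worm body and its payload are PE files).
function Test-PeHeader([string]$Path) {
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        try { $b = New-Object byte[] 2; [void]$fs.Read($b, 0, 2); return ($b[0] -eq 0x4D -and $b[1] -eq 0x5A) }
        finally { $fs.Dispose() }
    } catch { return $false }
}

# 1. Persistence: service key srv<rnd> plus the matching SafeBoot\Minimal entry.
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
foreach ($key in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -notmatch '^srv[0-9A-Za-z]{1,8}$') { continue }
    $img = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ("$img $dll" -match 'srv[0-9A-Za-z]+\.tmp') {
        Add-Finding 'ServiceKey' $key.PSPath ("$img $dll").Trim()
        $safe = Join-Path -Path $safeRoot -ChildPath $key.PSChildName
        if (Test-Path -Path $safe) { Add-Finding 'SafeBootKey' $safe '(default)=service' }
    }
}

# 2. Dropped files: srv<rnd>.tmp (worm body) and srv<rnd>.ini (config) in every Temp directory.
$tempDirs = @($env:TEMP, "$env:SystemRoot\Temp")
foreach ($prof in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $tempDirs += Join-Path -Path $prof.FullName -ChildPath 'AppData\Local\Temp'
}
foreach ($dir in ($tempDirs | Select-Object -Unique)) {
    foreach ($file in Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue) {
        if ($file.Name -match '^srv[0-9A-Za-z]+\.(tmp|ini)$') {
            $detail = "$($file.Length) bytes"
            if ($file.Extension -eq '.ini') {
                # Pull the affiliate id and download server out of the [Main] section.
                foreach ($line in Get-Content -LiteralPath $file.FullName -ErrorAction SilentlyContinue) {
                    if ($line -match '^\s*(affid|server)\s*=\s*(.+?)\s*$') { $detail += "; $($Matches[1])=$($Matches[2])" }
                }
            }
            Add-Finding 'TempFile' $file.FullName $detail
        } elseif ($file.Extension -eq '.tmp' -and (Test-PeHeader $file.FullName)) {
            # The downloaded payload is saved as %Temp%\<rnd>.tmp with a random name, so a PE file
            # carrying a .tmp name is only reported for manual review, never deleted automatically.
            Add-Finding 'SuspectPeTmp' $file.FullName "$($file.Length) bytes (review; not auto-removed)"
        }
    }
}

# 3. Removable drives (DriveType 2): worm body, .lnk launchers and autorun.inf in the drive root.
$dropNames = 'setup50045.fon', 'myporno.avi.lnk', 'pornmovs.lnk', 'setup50045.lnk', 'autorun.inf'
foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2') {
    foreach ($name in $dropNames) {
        $p = Join-Path -Path "$($disk.DeviceID)\" -ChildPath $name
        if (Test-Path -LiteralPath $p) {
            Add-Finding 'RemovableDrop' $p ((Get-Item -LiteralPath $p -Force).Attributes.ToString())
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Kolab.ylu indicators found.' } else { $findings | Format-Table -AutoSize }

$actionable = @($findings | Where-Object { $_.Type -ne 'SuspectPeTmp' })
if ($Remove -and $actionable.Count -gt 0) {
    # The worm runs inside spoolsv.exe and a thread there keeps re-creating the
    # service key, so the Spooler service is stopped before anything is deleted.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    foreach ($f in $actionable) {
        switch ($f.Type) {
            'ServiceKey'    { Remove-Item -Path $f.Path -Recurse -Force }
            'SafeBootKey'   { Remove-Item -Path $f.Path -Recurse -Force }
            'TempFile'      { Remove-Item -LiteralPath $f.Path -Force }
            'RemovableDrop' { Remove-Item -LiteralPath $f.Path -Force }
        }
    }
    Write-Host 'Cleanup done. Delete the original dropper by hand, then reboot and rescan.'
}
```

Save it under any name (for example Find-Kolab.ps1, an assumed name) and run it once without arguments to get the report; run it again with -Remove only after checking that each ServiceKey entry really points at a srv<rnd>.tmp file, since the script's name pattern is an assumption rather than something the description guarantees. Entries of type SuspectPeTmp are deliberately left in place for manual review because the downloaded payload has a random name and legitimate installers also drop PE files with a .tmp extension.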
