Malware Net-Worm.Win32.Kolab.ylu – This worm copies itself to removable drives and downloads and installs other software on the victim machine without the user's knowledge.
Technical details
This worm copies itself to removable drives and downloads and installs other software on the victim machine without the user's knowledge. It is a Windows PE DLL file, 60,928 bytes in size, packed with an unknown packer; the unpacked size is about 136 KB. It is written in C++.
Installation
The worm copies its body to the current user's temporary directory:
%Temp%\srv<rnd>.tmp
where <rnd> stands for a random string of Latin letters and digits, such as "7E4" or "1E8".
To run automatically at every system start, the worm registers the created copy as a service, described by the registry key:
[HKLM\System\CurrentControlSet\Services\srv<rnd>]
In a separate thread the worm continuously restores its service entry in the registry if it is removed, so deleting the key while the worm is running has no lasting effect. To run in Safe Mode as well, the worm creates the following registry entry:
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\srv<rnd>] "(default)" = "service"
Distribution
The worm has the following distribution mechanisms:
It spreads to other computers over the network by exploiting the MS08-067 vulnerability (CVE-2008-4250, remote code execution in the Windows Server service, fixed by the update in KB958644); unpatched hosts can be reinfected from the network after local cleanup.
It copies its body to the root of every writable removable drive connected to the infected computer:
<drive>:\setup50045.fon
It also creates the following shortcut files:
<drive>:\myporno.avi.lnk
<drive>:\pornmovs.lnk
<drive>:\setup50045.lnk
which are designed to launch the worm when the user opens them.
Alongside its copy, the worm places the following file in the root of the infected drive:
<drive>:\autorun.inf
This file causes the worm to run every time the user opens the infected drive in Explorer, provided AutoRun is enabled for removable media.
The created files are given the "hidden" and "system" attributes.
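As an added example (not code from the original description), the following PowerShell script inventories the files listed above on every removable drive, checks whether they carry the hidden and system attributes, resolves where the .lnk decoys point without running them, and prints any launch directives found in autorun.inf. The file names come from the description and the 60,928-byte body size from the technical details; enumerating removable drives through Win32_LogicalDisk DriveType 2 and resolving shortcuts through WScript.Shell are standard Windows mechanisms, not something the description states.

```powershell
# Added example, not code from the original description.
# Scans removable drives for the files Net-Worm.Win32.Kolab.ylu drops in the
# drive root and reports what an analyst wants to know before cleanup.

$KolabDropNames = @('setup50045.fon', 'setup50045.lnk',
                    'myporno.avi.lnk', 'pornmovs.lnk', 'autorun.inf')
$KolabBodySize  = 60928   # size of the worm body from the technical details

function Get-RemovableDriveRoots {
    # DriveType 2 = removable disk (USB sticks, card readers).
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Get-LnkTarget {
    param([string]$LnkPath)
    # WScript.Shell resolves the shortcut target without executing it.
    $shell = New-Object -ComObject WScript.Shell
    $sc = $shell.CreateShortcut($LnkPath)
    '{0} {1}' -f $sc.TargetPath, $sc.Arguments
}

function Get-KolabDriveIndicators {
    param([string[]]$Root = (Get-RemovableDriveRoots))
    foreach ($r in $Root) {
        foreach ($name in $KolabDropNames) {
            $path = Join-Path -Path $r -ChildPath $name
            # -Force is required: without it Get-Item skips Hidden/System files,
            # which is exactly the attribute set the worm applies.
            $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }

            $detail = switch -Wildcard ($name) {
                '*.lnk'       { Get-LnkTarget -LnkPath $item.FullName }
                'autorun.inf' {
                    # Standard autorun.inf launch keys: shows what Explorer would run.
                    (Get-Content -LiteralPath $item.FullName -Force |
                        Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }) -join '; '
                }
                default       { 'body size matches: ' + ($item.Length -eq $KolabBodySize) }
            }

            [pscustomobject]@{
                Path   = $item.FullName
                Bytes  = $item.Length
                Hidden = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                System = (($item.Attributes -band [IO.FileAttributes]::System) -ne 0)
                Detail = $detail
            }
        }
    }
}

Get-KolabDriveIndicators | Format-List
```

Run it from an elevated Windows PowerShell session with the suspect drive attached but not opened in Explorer; the script only reads the files, so AutoRun is never triggered by it.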
Destructive activity
The worm injects its code into the system process:
spoolsv.exe
which hosts the service:
spooler
It then performs installation and distribution in separate threads. The worm stores its settings in the file:
%Temp%\srv<rnd>.ini
which contains the following lines:
[Main]
source=1
affid=50045
id=bbbbbbbbbbbb
server=http://195.**.***.136/
downloaded=1
where the id field holds the "MachineGuid" value from the registry key:
[HKLM\Software\Microsoft\Cryptography]
The worm contacts the following URL:
http://195.***.***.138/service/listener.php?affid=50045
and downloads third-party software from the following URL:
http://195.***.***.139/service/scripts/files/aff_50045.dal
At the time of writing, the downloaded files were various versions of malware from the Trojan-Dropper.Win32.TDSS family.
The downloaded file is saved in the current user's temporary directory as:
%Temp%\<rnd>.tmp
where <rnd> is a random string of letters and digits. The worm then executes the downloaded file.
Removal
If your computer was not protected by an antivirus and has been infected with this malware, do the following to remove it:
Stop the service:
spooler
To do this, run the following command:
sc stop spooler
This must be done first: the worm's code runs inside spoolsv.exe, and the thread that restores the service registry key dies with it.
Delete the registry keys:
[HKLM\System\CurrentControlSet\Services\srv<rnd>]
[HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\srv<rnd>]
Delete the files:
%Temp%\srv<rnd>.tmp
%Temp%\srv<rnd>.ini
<drive>:\setup50045.fon
<drive>:\myporno.avi.lnk
<drive>:\pornmovs.lnk
<drive>:\setup50045.lnk
<drive>:\autorun.inf
%Temp%\<rnd>.tmp
Delete the original worm file (its location depends on how the program originally got onto the victim machine). Install the MS08-067 update (KB958644) and clean every removable drive that was connected to the machine, otherwise the worm can return from the network or from a drive.
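As an added example (not code from the original description), the following PowerShell function performs the removal steps above in the order the description requires, and also records the C2 settings from the srv<rnd>.ini file described under "Destructive activity" before deleting it. It assumes that <rnd> is a short hex-like string as in the samples "7E4" and "1E8" (hence the pattern ^srv[0-9A-F]{1,8}$) and that the service name and the %Temp% file names share the same <rnd>, as the description's notation indicates; both are assumptions. Checking for an "MZ" header is a general way to spot executables stored as .tmp and is not something the description states.

```powershell
# Added example, not code from the original description.
# Removal of Net-Worm.Win32.Kolab.ylu in the required order: stop the spooler
# (host of the injected code and of the key-restoring thread), remove the
# registry keys and files, then confirm the service key has not come back.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SafeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
$NamePattern = '^srv[0-9A-F]{1,8}$'   # assumption: <rnd> is short hex-like, e.g. 7E4
$DropNames   = @('setup50045.fon', 'setup50045.lnk',
                 'myporno.avi.lnk', 'pornmovs.lnk', 'autorun.inf')

function Get-KolabServiceNames {
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $NamePattern } |
        ForEach-Object { $_.PSChildName }
}

function Test-PeFile {
    param([string]$Path)
    # The worm body and its downloaded payload are executables saved as .tmp;
    # a genuine temp file normally does not start with the 'MZ' DOS header.
    try {
        $fs = [IO.File]::OpenRead($Path)
        try {
            $hdr = New-Object byte[] 2
            $n = $fs.Read($hdr, 0, 2)
            return ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

function Remove-KolabYlu {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Stop spoolsv.exe so the thread that restores the service key dies with it.
    if ($PSCmdlet.ShouldProcess('spooler', 'Stop service')) {
        Stop-Service -Name spooler -Force -ErrorAction Stop
        (Get-Service -Name spooler).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }

    foreach ($svc in @(Get-KolabServiceNames)) {
        # 2. Record the C2 settings from srv<rnd>.ini before it is deleted.
        $ini = Join-Path $env:TEMP "$svc.ini"   # assumption: same <rnd> as the service
        if (Test-Path -LiteralPath $ini) {
            Get-Content -LiteralPath $ini -Force |
                Where-Object { $_ -match '^(affid|server|id)=' } |
                ForEach-Object { Write-Warning "IOC from ${ini}: $_" }
        }
        # 3. Remove the service key and its SafeBoot\Minimal entry.
        foreach ($key in @("$ServicesKey\$svc", "$SafeBootKey\$svc")) {
            if ((Test-Path -Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
                Remove-Item -Path $key -Recurse -Force
            }
        }
        # 4. Remove the worm body and its settings file from %Temp%.
        foreach ($f in @((Join-Path $env:TEMP "$svc.tmp"), $ini)) {
            if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    # 5. Other .tmp files in %Temp% that are really PE images are candidates for
    #    the downloaded <rnd>.tmp payload; report them for review rather than delete.
    Get-ChildItem -Path $env:TEMP -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-PeFile -Path $_.FullName } |
        ForEach-Object { Write-Warning "PE image stored as .tmp: $($_.FullName)" }

    # 6. Dropped files in the root of every removable drive (DriveType 2).
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $drives) {
        foreach ($n in $DropNames) {
            $p = Join-Path ($d.DeviceID + '\') $n
            if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'Delete file')) {
                Remove-Item -LiteralPath $p -Force
            }
        }
    }

    # 7. If the key is back within a few seconds, the injected code is still
    #    running and the cleanup was done in the wrong order.
    if (-not $WhatIfPreference) {
        Start-Sleep -Seconds 5
        $back = @(Get-KolabServiceNames)
        if ($back.Count -gt 0) {
            Write-Warning ('Service key restored: {0}. Stop the spooler and repeat.' -f ($back -join ', '))
        }
        Start-Service -Name spooler
    }
}

Remove-KolabYlu -WhatIf   # drop -WhatIf to perform the removal
```

Run it elevated; with -WhatIf it only lists what it would stop and delete, which is the right first pass on a machine whose infection history is unknown. The original worm file, whose location depends on the infection vector, still has to be found and removed by hand, and KB958644 has to be installed before the machine goes back on the network.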