Virus: Worm/Kolabc.WN
Date discovered: 23/04/2008
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 52.624 Bytes
MD5 checksum: 65cf5d3bc5efd0d4ffcf83bfb59ba33b
VDF version: 7.00.03.203

General Methods of propagation:
   • Local network
   • Mapped network drives


Aliases:
   •  Symantec: W32.IRCbot
   •  Mcafee: Puper
   •  Kaspersky: Net-Worm.Win32.Kolabc.wn
   •  F-Secure: Net-Worm.Win32.Kolabc.wn
   •  Panda: W32/Sdbot.LUQ.worm
   •  VirusBuster: Worm.Poebot.OA
   •  Eset: Win32/Poebot.NBF
   •  Bitdefender: Backdoor.IRCBot.ACGJ


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Registry modification
   • Steals information
   • Third party control

Files:
It drops a copy of itself using a filename from a list:
– To: %SYSDIR%\, using one of the following names:
   • winamp.exe
   • winIogon.exe
   • firewall.exe
   • spooIsv.exe
   • spoolsvc.exe
   • Isass.exe
   • lssas.exe
   • algs.exe
   • logon.exe
   • iexplore.exe

The following file is created:

%malware execution directory%:\%five-digit random character string%.bat It is executed as soon as it has been fully created. This batch file is used to delete a file.



It tries to download some files:

– The location is the following:
   • http://alwayssam**********
It is saved on the local hard drive under: %SYSDIR%\%random character string%.exe and is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

– The location is the following:
   • http://alwayssam**********
It is saved on the local hard drive under: %SYSDIR%\%random character string%.exe and is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

– The location is the following:
   • http://alwayssam**********
It is saved on the local hard drive under: %SYSDIR%\%random character string%.exe and is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

– The location is the following:
   • http://zonetech**********
It is saved on the local hard drive under: %SYSDIR%\%random character string%.exe and is executed once it has been fully downloaded. Further investigation showed that this file is malware, too.

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • Windows Network Firewall="%SYSDIR%\firewall.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Microsoft Internet Explorer"="%SYSDIR%\iexplore.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Winamp Agent"="%SYSDIR%\winamp.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Client Server Runtime Process"="%SYSDIR%\csrs.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Spooler SubSystem App"="%SYSDIR%\spoolsvc.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Logon Application"="%SYSDIR%\winIogon.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Logon Application"="%SYSDIR%\logon.exe"
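As a defender's check on the persistence entries above (an added example, not part of the Avira description): the dropped names imitate Windows system processes with homoglyphs (capital I for l in winIogon.exe, spooIsv.exe, Isass.exe) and near-misspellings (csrs.exe, spoolsvc.exe, lssas.exe), and place application binaries such as iexplore.exe in %SYSDIR%. The script below flags Run values on those three grounds; the legitimate-name sets and the sample Run values are constructed assumptions, and generic names such as firewall.exe or logon.exe are outside its reach.

```python
"""Heuristic check of HKLM\\...\\Run values for the lookalike process names this
description lists. Added example, not Avira's code; sample values are constructed."""
# Windows system processes that are started by the OS itself, never via a Run key
SYSTEM_BINARIES = {"winlogon.exe", "lsass.exe", "csrss.exe", "spoolsv.exe", "alg.exe"}
# Applications that legitimately live under Program Files, not in system32
APP_BINARIES = {"iexplore.exe", "winamp.exe"}
# Homoglyphs seen in the dropped names: capital I (and digit 1) for l, 0 for o
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o"})

def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein edits plus adjacent
    transpositions, so 'lssas.exe' vs 'lsass.exe' scores 1 rather than 2."""
    d = [[i + j if not (i and j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify_run_entry(path):
    """Return a verdict string for a suspicious Run value path, else None."""
    raw = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    norm = raw.translate(HOMOGLYPHS).lower()  # undo I->l style substitutions
    in_sysdir = "%sysdir%" in path.lower() or "\\system32\\" in path.lower()
    if norm in SYSTEM_BINARIES:  # a real system process name never belongs in Run
        kind = "homoglyph of" if raw.lower() != norm else "system process name"
        return f"{kind} {norm} in Run key"
    for legit in sorted(SYSTEM_BINARIES):  # one edit or swap away from a real name
        if osa_distance(norm, legit) == 1:
            return f"near-lookalike of {legit}"
    if norm in APP_BINARIES and in_sysdir:  # right name, wrong directory
        return f"{norm} placed in the system directory"
    return None

SAMPLE_RUN_VALUES = {  # constructed from the Run values listed in the description
    "Windows Network Firewall": r"%SYSDIR%\firewall.exe",
    "Microsoft Internet Explorer": r"%SYSDIR%\iexplore.exe",
    "Client Server Runtime Process": r"%SYSDIR%\csrs.exe",
    "Spooler SubSystem App": r"%SYSDIR%\spoolsvc.exe",
    "Windows Logon Application": r"%SYSDIR%\winIogon.exe",
    "OneDrive": r"%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe",  # benign control
}

def scan(values):
    """Map each suspicious Run value name to its verdict."""
    return {n: v for n, p in values.items() if (v := classify_run_entry(p))}
```

Running `scan(SAMPLE_RUN_VALUES)` flags four of the six constructed entries and leaves the benign OneDrive value and the generic firewall.exe untouched.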

Network Infection:
In order to ensure its propagation the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
   • IPC$
   • print$
   • C$\Documents and Settings\All Users\Documents\$
   • admin$
   • Admin$\system32
   • c$\windows\system32
   • c$\winnt\system32
   • c$\windows
   • c$\winnt
   • e$\shared
   • d$\shared
   • c$\shared


It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
   • staff; teacher; owner; student; intranet; lan; main; office; control;
      siemens; compaq; dell; cisco; ibm; oracle; sql; data; access;
      database; domain; god; backup; technical; mary; katie; kate; george;
      eric; none; guest; chris; ian; neil; lee; brian; susan; sue; sam;
      luke; peter; john; mike; bill; fred; joe; jen; bob; wwwadmin; oemuser;
      user; homeuser; home; internet; www; web; root; server; linux; unix;
      computer; adm; admin; admins; administrat; administrateur;
      administrador; administrator

– The following list of passwords:
   • winpass; blank; nokia; orainstall; sqlpassoainstall; databasepassword;
      databasepass; dbpassword; dbpass; domainpassword; domainpass; hello;
      hell; love; money; slut; bitch; fuck; exchange; loginpass; login; qwe;
      zxc; asd; qaz; win2000; winnt; winxp; win2k; win98; windows;
      oeminstall; oem; accounting; accounts; letmein; sex; outlook; mail;
      qwerty; temp123; temp; null; default; changeme; demo; test; secret;
      payday; deadline; work; pwd; pass; pass1234; dba; passwd; password;
      password1



Infection process:
Creates a TFTP or FTP script on the compromised machine in order to download the malware to the remote location.

IRC:
To deliver system information and to provide remote control it connects to the following IRC servers:

Server: hub.54**********
Port: 1863
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof
Password: stseelkvyyrucnss

Server: xx.ka3**********
Port: 5190
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

Server: p.ircs**********
Port: 8080
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

Server: n.ircs**********
Port: 5555
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

Server: xx.sql**********
Port: 7000
Channel: las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof



– This malware has the ability to collect and send information such as:
    • Current user
    • Free disk space
    • Free memory
    • Malware uptime
    • Information about the network
    • Username
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • connect to IRC server
    • disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel
    • Upload file

Stealing:
It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function

– Passwords from the following programs:
   • UnrealIRCD
   • Steam
   • World Of Warcraft
   • Conquer Online

– It uses a network sniffer that checks for the following strings:
   • irc operator; paypal; paypal.com; cd key; cd-key; cdkey; passwort;
      auth; sxt; login; pass=; login=; password=; username=; passwd=; :auth;
      identify; oper; MailPass; pass; unknown; user

File details:

Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file it is packed with the following runtime packer:
   • WinUpack

Description inserted by Alexandru Dinu on Wednesday, July 30, 2008
Description updated by Alexandru Dinu on Wednesday, July 30, 2008
