Virus: Worm/Kolab.fhi.3
Date discovered: 09/12/2009
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 196.096 Bytes
MD5 checksum: d93c0dea37ebfacb9d475085b712fad0
IVDF version: 7.10.01.206 - Wednesday, December 9, 2009

General
Method of propagation:
   • Email


Aliases:
   •  Panda: W32/Kolabc.AW.worm
   •  Eset: Win32/Delf.OXF
   •  Bitdefender: IRC-Worm.Generic.8682


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

Files
It copies itself to the following location:
   • %SYSDIR%\msvmcls64.exe




It tries to download some files:

– The location is the following:
   • http://93.174.95.145/spm/**********?id=%number%&tick=%number%&ver=486&smtp=%character string%


– The location is the following:
   • http://93.174.95.145/spm/**********?task=%number%&id=%number%

Registry
One of the following values is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "MS Virtual CLS"="%SYSDIR%\msvmcls64.exe"



The following registry key is added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
   • "host"="93.174.95.145"
   • "id"="23318476078427455795981961071089"
   • "ii"="1"
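The persistence and BITS values listed above can be checked offline against a registry export. The following is an added example (not Avira's code) that parses a constructed `reg export`-style file and flags the Run value, the dropped file name and the BITS host value described in this entry; the sample export and the helper names are assumptions made for illustration.

```python
import re

# Indicators taken from the description above (dropped file, Run value, BITS key).
# .reg exports spell out HKEY_LOCAL_MACHINE rather than HKLM.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BITS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS"
RUN_VALUE_NAME = "MS Virtual CLS"
DROPPED_FILE = "msvmcls64.exe"
C2_HOST = "93.174.95.145"

def parse_reg_export(text):
    """Parse the 'Windows Registry Editor' export format into {key: {name: data}}.
    Only string values of the form "name"="data" are needed for these indicators."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # Undo the .reg escaping of backslashes and quotes.
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys

def find_indicators(keys):
    """Return human-readable findings matching this worm's registry footprint."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name == RUN_VALUE_NAME or data.lower().endswith(DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {data}")
    bits = keys.get(BITS_KEY, {})
    if bits.get("host") == C2_HOST:
        findings.append(f"BITS host={bits['host']} id={bits.get('id')} ii={bits.get('ii')}")
    elif {"host", "id", "ii"} <= set(bits):
        findings.append("BITS key carries host/id/ii string values (inspect host)")
    return findings

# Constructed sample export mirroring the values listed in the description.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS Virtual CLS"="C:\\WINDOWS\\system32\\msvmcls64.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"host"="93.174.95.145"
"id"="23318476078427455795981961071089"
"ii"="1"
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print("MATCH:", finding)
```

On a live system the same logic can be run over the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg`; a legitimate BITS key does not normally carry these string values.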

Email
It contains an integrated SMTP engine in order to send emails and establishes a direct connection with the destination server. The characteristics are described below:


From:
Generated addresses. Please do not assume that it was the sender's intention to send this email to you. The sender might not know about the infection or might not be infected at all. Furthermore, it is possible that you will receive bounced emails telling you that you are infected; this might also not be the case.


To:
– Email addresses found in specific files on the system.


Body:
– Contains HTML code.


Attachment:

The attachment is a copy of the malware itself.

Mailing
MX Server:
It has the ability to contact one of the following MX servers:
   • hotmail.com
   • yahoo.com
   • aol.com
   • google.com
   • mail.com

File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Wednesday, March 31, 2010
Description updated by Petre Galan on Wednesday, March 31, 2010
