News - Malware & Hoax - TG Soft Cyber Security Specialist

25/06/2009
14:39

New Worm.Win32.Kolab.D, spreading thanks to Berlusconi.

This new Worm is spreading through mails containing a link easily mistaken for a YouTube one.

This new Worm, named Worm.Win32.Kolab.D, spread itself through an e-mail regarding a new "scoop" on BERLUSCONI and one of his Escorts.

The e-mail contains a link to a video that asks for the download of a CODEC to view it.
The link could be easily mistaken with a youtube one.

By clicking on the link of the "Codec" you will download and execute Worm.Win32.Kolab.D.

We strongly recommend to decline any codec installation, at least if you're not sure of what you're doing.

Here's a brief analysis of the worm:

Once opened the file, it will be asked to install wmpcodec.exe (1.822.720 byte) that is the fake codec "required" to view the "video".

Worm.Win32.Kolab.D wmpcodec.exe (1.822.720 byte), after being excuted, install a copy of itself called windows.exe (1.822.720 byte) inside %SYSTEMROOT%\system32\windows.exe as a hidden system file.
Worm.Win32.Kolab.D , windows.exe (1.822.720 byte), edit the following registry keys to be executed at windows startup:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

inserting this value in both:

Microsoft Windows Security = windows.exe

Also, it downloads this hidden file

%SYSTEMROOT%\system32\#treibu

#treibu (8.752 byte)

#treibu is a keylogger log file that save every operation done by the user;

The log file will be similar to this :

[6-25-2009 10:52:45] (Changed Windows: Outlook Express)
[6-25-2009 10:53:48] (Changed Windows: )
[6-25-2009 10:54:3] (Changed Windows: Senza nome - Blocco note)
[6-25-2009 10:54:12] (Changed Windows: Trova)
[6-25-2009 10:54:45] v[CTRL] (Changed Windows: Blocco note)
[6-25-2009 10:54:46] (Changed Windows: Trova)
[6-25-2009 10:54:47] (Changed Windows: )
[6-25-2009 10:54:48] (Changed Windows: )
[6-25-2009 10:54:48] (Changed Windows: Menu Avvio)
[6-25-2009 10:54:51] (Changed Windows: )
[6-25-2009 10:54:58] (Changed Windows: Risultati ricerca)

Worm.Win32.Kolab.D will create a connection to the following IP address:

87.98.184.231

through the port number 6667 .

Informations regarding the IP:

IP address:                     87.98.184.231
Reverse DNS:                    p0wned.de.
Reverse DNS authenticity:       [Verified]
ASN:                            16276
ASN Name:                       OVH (OVH)
IP range connectivity:          19
Registrar (per ASN):            RIPE
Country (per IP registrar):     FR [France]
Country Currency:               EUR [euros]
Country IP Range:               87.98.128.0 to 87.98.255.255
Country fraud profile:          Normal
City (per outside source):      Unknown
Country (per outside source):   FR [France]
Private (internal) IP?          No
IP address registrar:           whois.ripe.net
Known Proxy?                    No
Link for WHOIS:                 87.98.184.231

NOTE:

%SYSTEMROOT% = C:\WINDOWS

HKLM = HKEY_LOCAL_MACHINE

We think it would be useful to remind you that this is not the first virus/malware against Silvio Berlusconi. In 1994, during his first appearance in italian politics, another virus had been found and named Berlusconi virus.
Berlusconi virus was, because now it is extinct, a viral code that infected .COM files and that showed this message every 27 march:

"Freedom is Slavery: Berlusconi ti guarda"

while listening to the anthem of "Forza Italia".

Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center) by TG Soft

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

This website uses cookies
We use cookies to customize language, content and provide technical functionality. They are NOT used for profiling or reselling to third parties. There are pages where "Google reCaptcha" will be present, even in this case, our purpose is only to be able to ascertain the presence of human interaction and not automatic Bots.

Necessary 5

The necessary cookies help make the website usable by enabling basic functions such as page navigation. The website cannot function properly without these cookies.

ASP.NET_SessionId [x2]
Preserve the user's status on the different pages of the site.

Expiration: Session

Type: HTTP

cookie_accettati [x1]
Stores the user's cookie consent status for the current domain

Expiration: 1 year/s

Type: HTTP

lang [x1]
Stores the selected language

Expiration: 1 year/s

Type: HTTP

ASPSESSIONIDxxxx
Technical cookie for the management of interactions with the user

Expiration: Session

Type: HTTP

Necessary (for use and access to specific areas) 2

Cookie necessary to make certain specific contents usable such as: access to protected areas of the site, sending requests or subscribing to newsletters. The specific features of these sections will not be usable without this cookie.

_GRECAPTCHA [x1]
Necessary to verify human interaction.
Used to send quotes, access restricted areas and all those points where security is a fundamental component.

Expiration: 6 month/s

Type: HTTP

cookie_google [x1]
Flag for acceptance of Google reCAPTCHA cookies

Expiration: 6 month/s

Type: HTTP

Accept the reCAPTCHA Terms of Service:
By accessing or using the reCAPTCHA APIs, you agree to the Google APIs Terms of Use, Goodle Terms of Use, and to the Additional Terms below. Please read and understand all applicable terms and police before accessing the APIs.

reCAPTCHA Terms of Service:
You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data and the results of integrity checks, and sending that data to Google for analysis. Pursuant to Section 3(d) of the Google APIs Terms of Service, you agree that if you use the APIs that it is your responsibility to provide any necessary notices or consents for the collection and sharing of this data with Google.

Data collected by reCAPTCHA:
The reCAPTCHA algorithm will check for the presence of a Google cookie (usually _ga)
If not present, a specific reCAPTCHA cookie will be added to the browser of the user and will be captured - pixel by pixel - a complete snapshot image of the user's browser window at that time.
Some of the browser and user information currently collected includes:
All cookies placed by Google in the last 6 months
How many mouse clicks did you make on that screen (or touch if on a touch device)
The CSS information for that page
The exact date
The language in which the browser is set
Any plug-in installed in the browser
All Javascript objects

New Worm.Win32.Kolab.D, spreading thanks to Berlusconi.

Vir.IT eXplorer PRO is certified by the biggest international organisation: