New Worm.Win32.Kolab.D, spreading thanks to Berlusconi.

This new Worm is spreading through mails containing a link easily mistaken for a YouTube one.

This new Worm, named Worm.Win32.Kolab.D, spread itself through an e-mail regarding a new "scoop" on BERLUSCONI and one of his Escorts.

The e-mail contains a link to a video that asks for the download of a CODEC to view it.
The link could be easily mistaken with a youtube one.

By clicking on the link of the "Codec" you will download and execute Worm.Win32.Kolab.D.

We strongly recommend to decline any codec installation, at least if you're not sure of what you're doing.


Here's a brief analysis of the worm:

Once opened the file, it will be asked to install wmpcodec.exe (1.822.720 byte) that is the fake codec "required" to view the "video".

Worm.Win32.Kolab.D wmpcodec.exe (1.822.720 byte), after being excuted, install a copy of itself called windows.exe (1.822.720 byte) inside %SYSTEMROOT%\system32\windows.exe as a hidden system file.
Worm.Win32.Kolab.D , windows.exe (1.822.720 byte), edit the following registry keys to be executed at windows startup:



inserting this value in both:

Microsoft Windows Security = windows.exe

Also, it downloads this hidden file


  • #treibu (8.752 byte)

#treibu is a keylogger log file that save every operation done by the user;

The log file will be similar to this :

[6-25-2009 10:52:45]  (Changed Windows: Outlook Express)
[6-25-2009 10:53:48]  (Changed Windows: )
[6-25-2009 10:54:3]  (Changed Windows: Senza nome - Blocco note)
[6-25-2009 10:54:12]  (Changed Windows: Trova)
[6-25-2009 10:54:45] v[CTRL] (Changed Windows: Blocco note)
[6-25-2009 10:54:46]  (Changed Windows: Trova)
[6-25-2009 10:54:47]  (Changed Windows: )
[6-25-2009 10:54:48]  (Changed Windows: )
[6-25-2009 10:54:48]  (Changed Windows: Menu Avvio)
[6-25-2009 10:54:51]  (Changed Windows: )
[6-25-2009 10:54:58]  (Changed Windows: Risultati ricerca)




Worm.Win32.Kolab.D will create a connection to the following IP address:


through the port number 6667 .


Informations regarding the IP:

IP address:           
Reverse DNS:                    p0wned.de.
Reverse DNS authenticity:       [Verified]
ASN:                            16276
ASN Name:                       OVH (OVH)
IP range connectivity:          19
Registrar (per ASN):            RIPE
Country (per IP registrar):     FR [France]
Country Currency:               EUR [euros]
Country IP Range:      to
Country fraud profile:          Normal
City (per outside source):      Unknown
Country (per outside source):   FR [France]
Private (internal) IP?          No
IP address registrar:           whois.ripe.net
Known Proxy?                    No
Link for WHOIS:       






We think it would be useful to remind you that this is not the first virus/malware against Silvio Berlusconi. In 1994, during his first appearance in italian politics, another virus had been found and named Berlusconi virus.
Berlusconi virus was, because now it is extinct, a viral code that infected .COM files and that showed this message every 27 march:

"Freedom is Slavery: Berlusconi ti guarda"

while listening to the anthem of  "Forza Italia".

Analysis by eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center)
by TG Soft

Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: