This new worm, named Worm.Win32.Kolab.D, spreads through an e-mail about a new "scoop" on BERLUSCONI and one of his escorts.
The e-mail contains a link to a supposed video; the page it leads to asks the user to download a "codec" in order to view it.
The link could easily be mistaken for a YouTube one.
Clicking the "codec" link downloads and runs Worm.Win32.Kolab.D.
We strongly recommend declining any such codec installation, at least if you are not sure of what you are doing.
Here's a brief analysis of the worm:
Once the file is opened, the user is asked to install wmpcodec.exe (1,822,720 bytes), the fake codec "required" to view the "video".
After being executed, wmpcodec.exe (1,822,720 bytes) installs a copy of itself called windows.exe (1,822,720 bytes) at %SYSTEMROOT%\system32\windows.exe, with the hidden and system attributes set.
windows.exe (1,822,720 bytes) then edits the following registry keys so that it is executed at Windows startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
inserting the following value in both (the RunServices key is honoured only by Windows 9x/Me; on NT-family systems the value is simply left behind as an additional artifact):
Microsoft Windows Security = windows.exe
It also writes a hidden file:
%SYSTEMROOT%\system32\#treibu
#treibu is the keylogger's log file, recording the user's activity (every change of active window, together with the keystrokes captured);
The log file looks like this (the window titles are those of the infected Italian Windows installation: "Senza nome - Blocco note" is "Untitled - Notepad", "Trova" is "Find", "Menu Avvio" is "Start Menu", "Risultati ricerca" is "Search Results"):
[6-25-2009 10:52:45] (Changed Windows: Outlook Express)
[6-25-2009 10:53:48] (Changed Windows: )
[6-25-2009 10:54:3] (Changed Windows: Senza nome - Blocco note)
[6-25-2009 10:54:12] (Changed Windows: Trova)
[6-25-2009 10:54:45] v[CTRL] (Changed Windows: Blocco note)
[6-25-2009 10:54:46] (Changed Windows: Trova)
[6-25-2009 10:54:47] (Changed Windows: )
[6-25-2009 10:54:48] (Changed Windows: )
[6-25-2009 10:54:48] (Changed Windows: Menu Avvio)
[6-25-2009 10:54:51] (Changed Windows: )
[6-25-2009 10:54:58] (Changed Windows: Risultati ricerca)
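To work with a recovered #treibu file in bulk, the following parser (an added example, not TG Soft's code) turns the log format shown above into structured records. It assumes the text between the timestamp and the "(Changed Windows: ...)" marker is the captured keystrokes, as the "v[CTRL]" line suggests, and attributes them to the window named on the same line; note that the logger does not zero-pad the time fields ("10:54:3"), which the pattern has to allow for. The sample log is the excerpt quoted above, embedded as constructed test data.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: the #treibu excerpt quoted on this page. The window
# titles are those of an Italian Windows installation.
SAMPLE_LOG = """\
[6-25-2009 10:52:45] (Changed Windows: Outlook Express)
[6-25-2009 10:53:48] (Changed Windows: )
[6-25-2009 10:54:3] (Changed Windows: Senza nome - Blocco note)
[6-25-2009 10:54:12] (Changed Windows: Trova)
[6-25-2009 10:54:45] v[CTRL] (Changed Windows: Blocco note)
[6-25-2009 10:54:46] (Changed Windows: Trova)
[6-25-2009 10:54:58] (Changed Windows: Risultati ricerca)
"""

# One entry is "[M-D-YYYY H:M:S]", optionally followed by captured keystrokes
# (an assumption based on the "v[CTRL]" line), then the "(Changed Windows:
# <title>)" marker. The logger does not zero-pad the time fields ("10:54:3"),
# so each numeric field is allowed one or two digits.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{1,2}-\d{1,2}-\d{4} \d{1,2}:\d{1,2}:\d{1,2})\]"
    r"(?: (?P<keys>.+?))? \(Changed Windows: (?P<title>.*)\)$"
)


@dataclass
class Entry:
    when: datetime   # parsed timestamp
    window: str      # title of the window that became active ("" when blank)
    keys: str        # captured keystrokes on that line, "" when none


def parse_treibu(text: str) -> List[Entry]:
    """Parse a whole #treibu log; raise on a line that does not fit the format."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised entry: {line!r}")
        # strptime accepts the unpadded month/day/hour/minute/second fields
        when = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S")
        entries.append(Entry(when, m.group("title"), m.group("keys") or ""))
    return entries


def keystrokes_by_window(entries: List[Entry]) -> Dict[str, str]:
    """Concatenate captured keystrokes per window title, skipping entries
    that recorded only a focus change."""
    out: Dict[str, str] = {}
    for e in entries:
        if e.keys:
            out[e.window] = out.get(e.window, "") + e.keys
    return out


if __name__ == "__main__":
    parsed = parse_treibu(SAMPLE_LOG)
    for e in parsed:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}  {e.window!r:34} {e.keys}")
    print(keystrokes_by_window(parsed))
```

Running the block on the sample yields seven entries and a single window ("Blocco note") with captured keystrokes; a real log from a victim machine would be considerably longer, and the per-window grouping is what makes it possible to see which application (mail client, browser, Notepad) the captured input belongs to.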
Worm.Win32.Kolab.D then opens a connection to the following IP address on TCP port 6667 (the default IRC port).
Information about the IP address:
IP address: 87.98.184.231
Reverse DNS: p0wned.de.
Reverse DNS authenticity: [Verified]
ASN: 16276
ASN Name: OVH (OVH)
IP range connectivity: 19
Registrar (per ASN): RIPE
Country (per IP registrar): FR [France]
Country Currency: EUR [euros]
Country IP Range: 87.98.128.0 to 87.98.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): FR [France]
Private (internal) IP? No
IP address registrar: whois.ripe.net
Known Proxy? No
The attribution above reflects the registration data at the time of analysis (June 2009); the address and its reverse DNS may since have been reassigned.
NOTE:
%SYSTEMROOT% = C:\WINDOWS
HKLM = HKEY_LOCAL_MACHINE
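The indicators listed above (the dropped files, the autostart value and the C2 endpoint) can be checked on a host with the following script. It is an added example written for this page, not a TG Soft tool: the matching logic is kept in pure functions so it can be run over data collected from a machine offline, and sweep() performs the live check on a Windows host by reading the registry with winreg, testing for the files and parsing `netstat -ano` output. The Run-key contents, local addresses and PIDs in the sample data are constructed for the test; the benign ctfmon.exe entry is there only to show that ordinary autostart values are not flagged.

```python
import ntpath
import os
import platform
import re
import sys
from typing import Dict, Iterable, List

# Indicators taken from the analysis above.
IOC_FILES = [r"%SYSTEMROOT%\system32\windows.exe", r"%SYSTEMROOT%\system32\#treibu"]
IOC_RUN_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
IOC_RUN_VALUE_NAME = "Microsoft Windows Security"
IOC_RUN_IMAGE = "windows.exe"
IOC_C2 = ("87.98.184.231", 6667)

# Constructed test data: one Run key as {value name: data} with a benign
# ctfmon.exe entry beside the worm's value, and `netstat -ano` style lines
# with made-up local addresses and PIDs.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Microsoft Windows Security": "windows.exe",
}
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1045      87.98.184.231:6667     ESTABLISHED     1234
  TCP    192.168.1.10:1052      209.85.229.99:80       ESTABLISHED     2200
  UDP    0.0.0.0:123            *:*                                    912
"""


def _image_name(data: str) -> str:
    """Basename of the executable in a Run value, handling quoted paths."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        path = data.split(None, 1)[0] if data else ""
    return ntpath.basename(path).lower()


def match_run_values(values: Dict[str, str]) -> List[str]:
    """Flag autostart values by the name the worm uses or by image name, so
    'windows.exe' is caught whether written bare or with the full path."""
    return [f"{name} = {data}" for name, data in values.items()
            if name == IOC_RUN_VALUE_NAME or _image_name(data) == IOC_RUN_IMAGE]


NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def match_connections(lines: Iterable[str]) -> List[str]:
    """Return TCP connections (netstat -ano format) whose remote end is the C2."""
    hits = []
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m and (m.group(1), int(m.group(2))) == IOC_C2:
            hits.append(f"pid {m.group(4)} {m.group(3)} -> {m.group(1)}:{m.group(2)}")
    return hits


def read_run_key(path: str) -> Dict[str, str]:
    """Read all values of an HKLM key (Windows only). A missing key yields {};
    RunServices is a Windows 9x key and is normally absent on NT-family systems."""
    import winreg
    _, _, subkey = path.partition("\\")
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:      # raised once the values are exhausted
                    break
                values[name] = str(data)
                index += 1
    except FileNotFoundError:
        pass
    return values


def sweep() -> Dict[str, List[str]]:
    """Live check of a Windows host against the three indicator groups."""
    import subprocess
    report: Dict[str, List[str]] = {"files": [], "run_values": [], "connections": []}
    for p in IOC_FILES:
        full = os.path.expandvars(p)   # %SYSTEMROOT% is expanded on Windows
        if os.path.exists(full):       # hidden/system attributes do not affect exists()
            report["files"].append(full)
    for k in IOC_RUN_KEYS:
        report["run_values"] += [f"{k}: {h}" for h in match_run_values(read_run_key(k))]
    out = subprocess.run(["netstat", "-ano", "-p", "tcp"], capture_output=True, text=True).stdout
    report["connections"] = match_connections(out.splitlines())
    return report


if __name__ == "__main__":
    if platform.system() != "Windows":
        sys.exit("sweep() needs a Windows host; the match_* functions still work on collected data")
    for group, hits in sweep().items():
        print(f"{group}: {hits or 'clean'}")
```

A hit on the file or registry indicators alone is enough to treat the host as infected; the connection check is the weakest of the three, since the address may no longer be in use, so its absence does not clear a machine.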
It may be worth recalling that this is not the first virus or malware to use Silvio Berlusconi as a theme. In 1994, at the time of his entry into Italian politics, another virus was found and named the Berlusconi virus.
The Berlusconi virus, now extinct, was a piece of viral code that infected .COM files and displayed the following message every 27 March:
"Freedom is Slavery: Berlusconi ti guarda" ("Freedom is Slavery: Berlusconi is watching you")
while playing the anthem of "Forza Italia".
Analysis by Eng. Gianfranco Tonello
C.R.A.M. (Anti-Malware Research Center), TG Soft