Malware Information

Malware name: Worm.Kolabc.WN
Type: Worm
Affected platform: Win32
Media type: application/executable
MD5 checksum: 65CF5D3BC5EFD0D4FFCF83BFB59BA33B
Static file: yes
File size: 52,624 Bytes
Alias names (also known as):
Webwasher Proactive: Win32.Malware.gen!90
Protection:
Webwasher Anti Malware: 7000.3203.x
Webwasher Proactive: Database Version: 91
Side effects
  • Downloads malicious files
  • Registry modification
  • Steals information
  • Third party control
Propagation
  • Local network
  • Mapped network drives

Description:

Files

It drops a copy of itself under %SYSDIR%\ using one of the following file names:
• winamp.exe
• winIogon.exe
• firewall.exe
• spooIsv.exe
• spoolsvc.exe
• Isass.exe
• lssas.exe
• algs.exe
• logon.exe
• iexplore.exe

The following file is created:

%malware execution directory%:\%five-digit random character string%.bat
It is executed as soon as it has been fully created. This batch file is used to delete a file.

It tries to download the following files:

– The location is the following:
• http://alwayssam**********
It is saved on the local hard drive under %SYSDIR%\%random character string%.exe and executed once the download is complete. Further investigation showed that this file is malware, too.

– The location is the following:
• http://alwayssam**********
It is saved on the local hard drive under %SYSDIR%\%random character string%.exe and executed once the download is complete. Further investigation showed that this file is malware, too.

– The location is the following:
• http://alwayssam**********
It is saved on the local hard drive under %SYSDIR%\%random character string%.exe and executed once the download is complete. Further investigation showed that this file is malware, too.

– The location is the following:
• http://zonetech**********
It is saved on the local hard drive under %SYSDIR%\%random character string%.exe and executed once the download is complete. Further investigation showed that this file is malware, too.

Registry

The following registry values are added so that the dropped files are run again after a reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Windows Network Firewall"="%SYSDIR%\firewall.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Microsoft Internet Explorer"="%SYSDIR%\iexplore.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Winamp Agent"="%SYSDIR%\winamp.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Client Server Runtime Process"="%SYSDIR%\csrs.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Spooler SubSystem App"="%SYSDIR%\spoolsvc.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Windows Logon Application"="%SYSDIR%\winIogon.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
• "Windows Logon Application"="%SYSDIR%\logon.exe"

Network Infection

To propagate, the malware attempts to connect to other machines as described below.

It drops copies of itself to the following network shares:
• IPC$
• print$
• C$\Documents and Settings\All Users\Documents\$
• admin$
• Admin$\system32
• c$\windows\system32
• c$\winnt\system32
• c$\windows
• c$\winnt
• e$\shared
• d$\shared
• c$\shared

It uses the following login information in order to gain access to the remote machine:

– The following list of usernames:
• staff; teacher; owner; student; intranet; lan; main; office; control;
siemens; compaq; dell; cisco; ibm; oracle; sql; data; access;
database; domain; god; backup; technical; mary; katie; kate; george;
eric; none; guest; chris; ian; neil; lee; brian; susan; sue; sam;
luke; peter; john; mike; bill; fred; joe; jen; bob; wwwadmin; oemuser;
user; homeuser; home; internet; www; web; root; server; linux; unix;
computer; adm; admin; admins; administrat; administrateur;
administrador; administrator

– The following list of passwords:
• winpass; blank; nokia; orainstall; sqlpassoainstall; databasepassword;
databasepass; dbpassword; dbpass; domainpassword; domainpass; hello;
hell; love; money; slut; bitch; fuck; exchange; loginpass; login; qwe;
zxc; asd; qaz; win2000; winnt; winxp; win2k; win98; windows;
oeminstall; oem; accounting; accounts; letmein; sex; outlook; mail;
qwerty; temp123; temp; null; default; changeme; demo; test; secret;
payday; deadline; work; pwd; pass; pass1234; dba; passwd; password;
password1

Infection process:
It creates a TFTP or FTP script on the compromised machine that downloads the malware onto the remote machine.

Stealing

It tries to steal the following information:
– Passwords typed into 'password input fields'
– Recorded passwords used by the AutoComplete function

– Passwords from the following programs:
• UnrealIRCD
• Steam
• World Of Warcraft
• Conquer Online

– It uses a network sniffer that checks for the following strings:
• irc operator; paypal; paypal.com; cd key; cd-key; cdkey; passwort;
auth; sxt; login; pass=; login=; password=; username=; passwd=; :auth;
identify; oper; MailPass; pass; unknown; user

IRC

To deliver system information and to provide remote control it connects to the following IRC Servers:

Server: hub.54**********
Port: 1863
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof
Password: stseelkvyyrucnss

Server: xx.ka3**********
Port: 5190
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

Server: p.ircs**********
Port: 8080
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

Server: n.ircs**********
Port: 5555
Channel: #las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

Server: xx.sql**********
Port: 7000
Channel: las6;#rs2;#fox;# 63;# kok6
Nickname: Cyzuzeof

– This malware has the ability to collect and send information such as:
• Current user
• Free disk space
• Free memory
• Malware uptime
• Information about the network
• Username
• Information about the Windows operating system

– Furthermore it has the ability to perform actions such as:
• Connect to IRC server
• Disconnect from IRC server
• Join IRC channel
• Leave IRC channel
• Upload file

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
• WinUpack