F-Secure
Tools
Net-Worm:W32/Kolab.QA
Summary
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.Additional Details
Net-Worm:W32/Kolab.QA is a worm that functions as an IRC bot, enabling an attacker to use the victim's computer as a proxy or as a tool for conducting Denial of Service (DOS) attacks.
Kolab.QA can also steal information from the infected computer, download additional malware, and give the attacker partial control of the computer.
Execution
When executed, the bot copies itself to the following location:
The original file is then deleted in an attempt to hide the infection. To ensure that the malware is executed every time the computer is started, Kolab.QA creates several registry keys into the system registry.
Activity
When active, Kolab.QA attempts to connect to the following sites:
It attempts to join an IRC-channel that the bot-master operates.
The site, dsn2go.com, is a legitimate service used to provide dynamic DNS for domain owners that do not have a static IP Address. The "hail" and "scorti1" accounts were not online during our investigations.
The attacker can control all connected bots by issuing them commands through the IRC channel. The bot also opens a random port to listen for an incoming TCP connection.
Through the backdoor, the attacker can control the system by, for example, shutting down the operating system, logging off, or rebooting the computer.
The system can also be modified by alterations to services or registry entries. Files can be downloaded and executed, including new versions of the bot for it to update. Denial of Service attacks can be launched and proxy-servers can be created. To spread the worm further, the attacker can order the bots to scan IP addresses or ranges for vulnerable computers.
Kolab.QA is capable of stealing information from infected computers. Information targeted by the bot includes the following:
Kolab.QA can also steal information from the infected computer, download additional malware, and give the attacker partial control of the computer.
Execution
When executed, the bot copies itself to the following location:
- %windir%\system32\msnmanegers.exe
The original file is then deleted in an attempt to hide the infection. To ensure that the malware is executed every time the computer is started, Kolab.QA creates several registry keys into the system registry.
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
hotefix = msnmanegers.exe - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
hotefix = msnmanegers.exe - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
hotefix = msnmanegers.exe - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
hotefix = msnmanegers.exe - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
hotefix = msnmanegers.exe - HKLM\System\CurrentControlSet\Services\hotefix.microsofts
Type = 00000020
Start = 00000002
ErrorControl = 00000001
ImagePath = "C:\WINDOWS\system32\msnmanegers.exe" -netsvcs
DisplayName = hotefix
ObjectName = LocalSystem
FailureActions = \xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00
\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00
Activity
When active, Kolab.QA attempts to connect to the following sites:
- hail.dsn2go.com
- scorti1.dns2go.com
It attempts to join an IRC-channel that the bot-master operates.
The site, dsn2go.com, is a legitimate service used to provide dynamic DNS for domain owners that do not have a static IP Address. The "hail" and "scorti1" accounts were not online during our investigations.
The attacker can control all connected bots by issuing them commands through the IRC channel. The bot also opens a random port to listen for an incoming TCP connection.
Through the backdoor, the attacker can control the system by, for example, shutting down the operating system, logging off, or rebooting the computer.
The system can also be modified by alterations to services or registry entries. Files can be downloaded and executed, including new versions of the bot for it to update. Denial of Service attacks can be launched and proxy-servers can be created. To spread the worm further, the attacker can order the bots to scan IP addresses or ranges for vulnerable computers.
Kolab.QA is capable of stealing information from infected computers. Information targeted by the bot includes the following:
- Battlefield 1942
- Battlefield 1942: Secret Weapons Of WWII
- Battlefield 1942: The Road To Rome
- Battlefield 1942: Vietnam
- Black and White
- CD keys from several popular games
- Command and Conquer: Generals
- Command and Conquer: Generals: Zero Hour
- Command and Conquer: Red Alert2
- Command and Conquer: Tiberian Sun
- Counter-Strike
- FIFA 2002 & 2003
- Freedom Force
- Global Operations
- Gunman Chronicles
- Half-Life
- Hidden and Dangerous 2
- IGI2: Covert Strike
- Industry Giant 2
- James Bond 007: Nightfire
- Medal of Honor: Allied Assault
- Medal of Honor: Allied Assault: Breakthrough
- Medal of Honor: Allied Assault: Spearhead
- Nascar Racing 2002 & 2003
- Need For Speed: Hot Pursuit 2
- Need For Speed: Underground
- Neverwinter Nights
- NHL 2002 & 2003
- Ravenshield
- Shogun: Total War: Warlord Edition
- Soldier Of Fortune 2
- Soldiers Of Anarchy
- The Gladiators
- Unreal Tournament 2003 & 2004
- Windows Product ID
- Usernames for various Instant Messaging applications (AIM, MSN, Yahoo)