Danger level 6
Type: Worms
Common infection symptoms:
  • Blocks exe files from running
  • Connects to the internet without permission
  • Installs itself without permission
  • Slow computer
  • Slow internet connection
  • System crashes

Worm.Kolabc.A

Worm.Kolabc.A is a worm that spreads through removable drives and to other network-connected PCs by exploiting their weaknesses. It contains backdoor functionality that gives remote attackers access to, and complete control of, the infected PC. Worm.Kolabc.A was first detected on 15 December 2009 and is also detected under the following aliases:

Exploit:Win32/ShellCode.gen!A
Backdoor:Win32/IRCbot.gen!M
W32/Kolab.X
Backdoor.Bot.109216
Win32.HLLW.Piabot.4
Win32/Hatob.E
Net-Worm.Win32.Kolabc.hki
W32/Malware.JJGL
W32/Gaobot.QKW.worm

Although Worm.Kolabc.A produces no visible symptoms, the presence of the following file may indicate an infection:

Unwise_.exe

When Worm.Kolabc.A installs itself on the PC, it drops a copy of itself in the Windows fonts folder, for example:

%windir%\fonts\unwise_.exe

Worm.Kolabc.A will also edit the registry in the following way:

Adds value: "msgone"
With data: "%windir%\fonts\unwise_.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
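The drop location and registry value described above can be hunted for in an offline registry export. The following is an added example, not part of the original write-up: it goes beyond the single "msgone" value and flags any string value whose data points at an executable under the Windows fonts folder. The function names, the extension list and the sample export are assumptions constructed for illustration, and only plain string values are examined (hex-encoded REG_EXPAND_SZ data is not decoded).

```python
import re

# Constructed sample in .reg export format (backslashes and quotes are escaped in data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"msgone"="C:\\WINDOWS\\fonts\\unwise_.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"FontCache"="\"C:\\Windows\\Fonts\\helper.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Arial (TrueType)"="arial.ttf"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Executable extensions are an assumption; the page itself only mentions .exe.
FONTS_EXE_RE = re.compile(
    r'(?:%windir%|%systemroot%|[a-z]:\\windows)\\fonts\\[^\\"/]+\.(?:exe|scr|com|pif)\b',
    re.IGNORECASE)


def unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def find_fonts_executables(reg_text):
    """Return (key, value name, data) for string values that reference
    an executable located in the Windows fonts folder."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if FONTS_EXE_RE.search(data):
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for hit in find_fonts_executables(SAMPLE_REG):
        print(hit)
```

The fonts folder normally holds font files only, so any hit deserves a manual look even when the value name differs from "msgone".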

The worm also attempts to infect other computers connected to the infected PC through mapped network shares. It creates a unique ‘Desktop.ini’ file that changes the icon of the worm executable so that it appears to be a ‘recycle bin’ file; what then executes is the original worm executable.

Ultimately, Worm.Kolabc.A gives its developers complete control of the system, and it changes the Windows Firewall and other security notifications by modifying the system registry. This also makes it much easier for other malicious software to gain entry to the PC. It attempts to use certain ports, such as TCP port 3305, to connect to the following servers and receive further instructions from its developers:


In the end, Worm.Kolabc.A must be permanently deleted in order to secure your PC’s privacy and security. This is the only way to prevent the damage that Worm.Kolabc.A will cause to your system. Your privacy will be compromised, as all system actions may be recorded and relayed to Worm.Kolabc.A’s developers, making your usernames, passwords, and financial and personal information available to faceless criminals. Use a powerful security application to permanently erase Worm.Kolabc.A from the system.


How to manually remove Worm.Kolabc.A

Files associated with Worm.Kolabc.A infection:


Worm.Kolabc.A processes to kill:


Remove Worm.Kolabc.A registry entries:
