Worm.Kolabc.A

Worm.Kolabc.A is a malicious worm which spreads through removable drives and other network connected PCs by exploiting their weaknesses and susceptibilities. This worm contains backdoor functionality which will ultimately allow remote access and complete control of the infected PC to remote and faceless hackers. Worm.Kolabc.A was first detected on 15 December 2009, and also operates under various other aliases, namely:

Exploit:Win32/ShellCode.gen!A
Backdoor:Win32/IRCbot.gen!M
W32/Kolab.X
Backdoor.Bot.109216
Win32.HLLW.Piabot.4
Win32/Hatob.E
Net-Worm.Win32.Kolabc.hki
W32/Malware.JJGL
W32/Gaobot.QKW.worm

Although there are no visible symptoms that will inform you of Worm.Kolabc.A’s presence on the system, the following file may indicate that Worm.Kolabc.A is present on the system:

Unwise_.exe

When Worm.Kolabc.A installs itself to the PC, it will drop a copy of itself in the Windows fonts folder, as this example illustrates:

%windir%\fonts\unwise_.exe

Worm.Kolabc.A will also edit the registry in the following way:

Adds value: "msgone"
With data: "%windir%\fonts\unwise_.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions

The worm will also attempt to infect other computers which are connected to the infected PC via a mapped network share. The worm creates a unique ‘Desktop.ini’ file which changes the icon of the worm executable so that it will appear as a ‘recycle bin’ file, which then executes from the original worm executable.

Ultimately Worm.Kolabc.A will provide complete control of the system to its criminal developers, and will modify the Windows Firewall and other security notifications by modifying the system registry. It will also make it much easier for other malicious software and threats to gain entry to the PC. It will attempt to use certain ports such as TCP port 3305 to connect to the following servers to receive further instructions from its developers:

cx10man.weedns.com
fx010413.whyI.org
gynoman.weedns.com
g.0x20.biz
c010x1.co.cc
commgr.co.cc
telephone.dd.blueline.be
phonewire.dd.blueline.be
phonelogin.dd.blueline.be
ufospace.etowns.net

In the end, it is required to permanently delete Worm.Kolabc.A in order to secure your PC’s privacy and security. This is the only way to prevent the destruction that Worm.Kolabc.A will cause to your system. Your privacy will be compromised as all system actions may be recorded and relayed to Worm.Kolabc.A’s developers, making your usernames, passwords and financial and personal info available to faceless criminals. Use a powerful security application to permanently erase Worm.Kolabc.A from the system for good.