
Virus Detail

Win32/Kollah Family

Date Published:
31 Jul 2008

Last Updated:
3 Aug 2008

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Spy-Agent (McAfee), Infostealer.Banker (Symantec), Troj/Clagger (Sophos), Packed.Win32.PolyCrypt (Kaspersky), Trojan:Win32/Zbot (MS OneCare), TROJ_ZBOT (Trend)


Description

Win32/Kollah is a family of trojans that steal sensitive information.


Method of Infection

Some Win32/Kollah variants have been observed to arrive in spam email with subject lines such as:

Online order for airplane ticket N<random number>
Your ticket from {airlines}


The trojan executable generally comes in a compressed file attached to the email. For instance, Win32/Kollah.MU arrives in an archive named "E-ticket_N7399294.zip".


Some examples of the filenames used by the trojan executable include:


Bill_Tax___________________________N89798742344.exe
E-ticket_N7399294_and_Invoice_for_N73992943442.exe
ups_invoice.exe
nax.exe
testing.exe
kostenauflistung.exe
svchosts.exe


Below is an example spam email:

[Image: Win32/Kollah variants usually arrive as an attachment to a spam email]


When executed, Kollah drops a copy of itself in the %System% directory as "NTOS.EXE" with file attributes set to Read-Only and Archive.


It then adds the following registry entry so that it automatically executes at system startup:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%System%\userinit.exe,%System%\ntos.exe,"


Additionally, some variants add the following registry entry to automatically start:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\pathx = "<trojan filepath>"


The trojan constantly monitors the registry entries created above and re-creates them if they are removed, so that it keeps executing at startup.
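An added example, not code from the CA advisory: offline triage of the registry values the advisory lists (the Winlogon Userinit and pathx entries above, plus the EnableFirewall and Network\UID entries described under Payload), written against exported key data so it runs away from the affected host. The sample values are constructed to match the advisory's descriptions.

```python
# Added example, not part of the CA advisory: triage of registry values that
# Win32/Kollah is documented to add or change, run against exported key data.
NTOS_NAME = "ntos.exe"  # file name Kollah drops into %System%

def userinit_extra_entries(userinit: str) -> list:
    """Split a Winlogon\\Userinit value on commas and return every entry whose
    file name is not userinit.exe. Kollah appends %System%\\ntos.exe here."""
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if e.lower().rsplit("\\", 1)[-1] != "userinit.exe"]

def _get(values: dict, name: str):
    """Case-insensitive lookup of a registry value name in a {name: data} map."""
    for key, data in values.items():
        if key.lower() == name.lower():
            return data
    return None

def kollah_registry_findings(winlogon: dict, firewall_policy: dict, network: dict) -> list:
    """Return findings for the three keys the advisory names: Winlogon,
    FirewallPolicy\\StandardProfile and Network. Each argument maps value
    name to data, as exported from the key; an empty list means nothing matched."""
    findings = []
    for entry in userinit_extra_entries(_get(winlogon, "Userinit") or ""):
        sev = "HIGH" if entry.lower().endswith("\\" + NTOS_NAME) else "MEDIUM"
        findings.append(f"{sev}: unexpected Userinit entry {entry!r}")
    pathx = _get(winlogon, "pathx")
    if pathx is not None:  # not a standard Winlogon value; Kollah points it at itself
        findings.append(f"HIGH: Winlogon\\pathx present, data {pathx!r}")
    if _get(firewall_policy, "EnableFirewall") == 0:
        findings.append("MEDIUM: StandardProfile\\EnableFirewall is 0 (XP firewall off)")
    uid = _get(network, "UID")
    if uid is not None:  # advisory: "<computer name>_<random number>"
        findings.append(f"LOW: Network\\UID present, data {uid!r}")
    return findings

# Constructed sample modelled on the advisory's values (not data from a real host).
SAMPLE_WINLOGON = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
    "pathx": r"C:\WINDOWS\system32\ntos.exe",
}
SAMPLE_FIREWALL = {"EnableFirewall": 0}
SAMPLE_NETWORK = {"UID": "WORKSTATION01_48213"}

if __name__ == "__main__":
    for line in kollah_registry_findings(SAMPLE_WINLOGON, SAMPLE_FIREWALL, SAMPLE_NETWORK):
        print(line)
```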


Win32/Kollah injects code in system processes such as "WINLOGON.EXE", "SERVICES.EXE", "SVCHOST.EXE" and "LSASS.EXE" in order to routinely monitor its load points.


Kollah creates the directory "WSNPOEM" in the %System% directory and drops the following files:


%System%\WSNPOEM\audio.dll
%System%\WSNPOEM\video.dll


The first is a copy of the downloaded configuration file, while the second is later used to store information stolen from the affected system.


Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows NT and 2000, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP and Vista.



Payload

Steals Sensitive Information
Win32/Kollah may attempt to steal sensitive information, such as the user's details relating to banking websites. It attempts to download a configuration file from one of a number of remote hosts, which also act as its command and control (C&C) server.


Most Kollah variants save the file to %System%\wsnpoem\audio.dll. Some variants save it to:


%Profile%\LocalService\Application Data\wsnpoem\audio.dll
%Profile%\NetworkService\Application Data\wsnpoem\audio.dll


Note: %Profile% is a variable location and refers to the user's profile folder. The malware determines the location of the current Profile folder by querying the operating system. A typical location for this folder is C:\Documents and Settings\<username>.


The configuration file contains instructions regarding what kind of information to steal from the compromised machine (i.e. URLs to intercept and/or monitor) and where to send the stolen information. The trojan saves any collected information to the file %System%\wsnpoem\video.dll, then sends it to the C&C server.


Lowers Security Settings
Win32/Kollah variants turn off the firewall in Windows XP systems by modifying the registry entry below:


HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = 00000000


Modifies Registry
Kollah adds the following registry entry:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "<computer name>_<random number>"


Deletes Cookies
Win32/Kollah deletes all cookies found in Internet Explorer's URL cache.


Encrypts Files
Some Win32/Kollah variants encrypt files in a financial extortion attempt. The trojan searches the compromised machine for files it can encrypt. It targets files with the following file extensions:


.12m, .3ds, .3dx, .4ge, .4gl, .a86, .abc, .acd, .ace, .act,
.ada, .adi, .aex, .af3, .afd, .ag4, .aif, .aifc, .aiff, .ain,
.aio, .ais, .akf, .alv, .amp, .ans, .apa, .apo, .app, .arc,
.arh, .arj, .arx, .asc, .asm, .ask, .bak, .bas, .bcb, .bcp,
.bdb, .bib, .bpr, .bsa, .btr, .bup, .bwb, .bz2, .c86, .cac,
.cbl, .cdb, .cdr, .cgi, .cmd, .cnt, .cob, .col, .cpp, .cpt,
.crp, .cru, .csc, .css, .csv, .ctx, .cvs, .cwb, .cwk, .cxe,
.cxx, .cyp, .db0, .db1, .db2, .db3, .db4, .dba, .dbb, .dbc,
.dbd, .dbe, .dbf, .dbk, .dbm, .dbo, .dbq, .dbt, .dbx, .dfm,
.djvu, .dic, .dif, .dmd, .doc, .dok, .dot, .dox, .dsc, .dwg,
.dxf, .dxr, .eps, .exp, .fas, .fax, .fdb, .fla, .flb, .frm,
.fox, .frt, .frx, .fsl, .gtd, .gif, .gzip, .h, .hjt, .hog,
.hpp, .htm, .html, .htx, .ice, .icf, .inc, .ish, .iso, .jar,
.jad, .java, .jpg, .jpeg, .js, .jsp, .key, .kwm, .lst, .lwp,
.lzh, .lzs, .lzw, .mak, .man, .maq, .mar, .mbx, .mdb, .mdf,
.mid, .myd, .obj, .old, .p12, .pak, .pas, .pdf, .pem, .pfx,
.php, .php3, .php4, .pgp, .pkr, .pm3, .pm4, .pm5, .pm6, .png,
.ppt, .pps, .prf, .prx, .psd, .pst, .pwa, .pwl, .pwm, .pwp,
.pxl, .rar, .res, .rle, .rmr, .rnd, .rtf, .safe, .sar, .skr,
.sln, .swf, .sql, .tar, .tbb, .tex, .tga, .tgz, .tif, .tiff,
.txt, .wps, .xcr, .xls, .xml, .zip


Win32/Kollah also creates the text file "read_me.txt" in affected directories. The file has the following content:



The encrypted files contain the keyword "GLAMOUR" as their file header.
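An added example, not code from the CA advisory: a scanner that walks a directory tree for the two artefacts this section describes, files whose header is the "GLAMOUR" marker and dropped read_me.txt notes. The fixture it scans is constructed in a temporary directory, so it runs offline on any platform.

```python
# Added example, not part of the CA advisory: scan a directory tree for files whose
# header is "GLAMOUR" and for dropped read_me.txt notes, as the advisory describes.
import os
import tempfile

GLAMOUR_MAGIC = b"GLAMOUR"   # header reported on Kollah-encrypted files
RANSOM_NOTE = "read_me.txt"  # note dropped into each affected directory

def is_kollah_encrypted(head: bytes) -> bool:
    """True when the file content begins with the GLAMOUR marker."""
    return head.startswith(GLAMOUR_MAGIC)

def scan_tree(root: str) -> dict:
    """Walk root and return {"encrypted": [paths], "notes": [paths]}. Only the
    first len(GLAMOUR_MAGIC) bytes of each file are read; unreadable files are skipped."""
    found = {"encrypted": [], "notes": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                found["notes"].append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(GLAMOUR_MAGIC))
            except OSError:
                continue
            if is_kollah_encrypted(head):
                found["encrypted"].append(path)
    return found

def build_sample_tree(root: str) -> None:
    """Constructed fixture, not real malware output: one marked file, one
    untouched file and a read_me.txt holding placeholder text."""
    sub = os.path.join(root, "docs")
    os.makedirs(sub, exist_ok=True)
    with open(os.path.join(sub, "report.doc"), "wb") as fh:
        fh.write(GLAMOUR_MAGIC + b"\x00" * 16)
    with open(os.path.join(sub, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, untouched")
    with open(os.path.join(sub, RANSOM_NOTE), "w") as fh:
        fh.write("placeholder note text\n")

def demo() -> dict:
    """Build the fixture in a temporary directory and return the file names hit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = scan_tree(tmp)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}
```

Calling demo() reports report.doc as encrypted and read_me.txt as a note while leaving notes.txt unflagged; point scan_tree at a real volume to triage it.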



For additional information:

Win32/Kollah creates the mutex "__SYSTEM__<random number>__" to check its presence in the system.


Analysis by Zarestel Ferrer



CA Global Security Advisor
