How to Prevent and Remove the Net-Worm.Win32.Kolab.lsq


1. What is Net-Worm.Win32.Kolab.lsq?

Net-Worm.Win32.Kolab.lsq is a network-aware worm that attempts to replicate across any network the infected host is attached to. It also spreads through Windows networking APIs, MAPI functions, or e-mail clients such as Microsoft Outlook: it generates its own e-mail messages carrying a malicious attachment, and sometimes attaches itself to the user's outgoing messages. The message text is misleading and suggests that the recipient open the attachment to see something interesting or important. The Microsoft alias below classifies the sample as a generic IRC bot backdoor, which implies remote-control capability beyond the self-replication described here. Net-Worm.Win32.Kolab.lsq should not be trusted and must be removed from the infected system as soon as it is detected.

Aliases: Backdoor:Win32/IRCbot.gen!K [Microsoft]; Win32/Kolab.worm.294979 [AhnLab]

 

2. Technical Details

 

a. The following files were created in the system:

 

No.  Filename                                                            Size
1    %Windir%\nigzss.txt                                                 0 bytes
2    %Windir%\usbmgr.exe (copy of [file and pathname of the sample #1])  294,979 bytes
  • Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • The on-disk size of usbmgr.exe, 294,979 bytes, is the same number that appears in the AhnLab alias Win32/Kolab.worm.294979, so a size check is a quick way to confirm that a suspect file is this variant before hashing it.

b. Memory Modifications

  • There was a new process created in the system:

Process Name   Process Filename       Main Module Size
usbmgr.exe     %Windir%\usbmgr.exe    368,640 bytes

    The main module size is the size of the image once mapped in memory, and it is larger than the 294,979-byte file on disk; do not expect the two numbers to match when you compare them.
  • The following system service was modified:

Service Name   Display Name      New Status   Service Filename
wscsvc         Security Center   "Stopped"    %System%\svchost.exe -k netsvcs

    Stopping wscsvc silences the Security Center warnings that Windows would otherwise raise when antivirus or firewall protection is off, so the machine stays quiet while the worm works. The service file is the legitimate svchost.exe host process; only the service state was changed, so the fix is to restart the service, not to delete the file.
  • Notes:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP and later).

c.  Registry Modifications

  • The newly created Registry Value is:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      • Universal Serial Bus device = "usbmgr.exe"

      so that usbmgr.exe runs every time Windows starts. The value name imitates a hardware component so that it looks harmless in an autorun listing, and the data is a bare file name with no path: Windows resolves it through the standard executable search path, which includes the Windows directory where the worm dropped its copy.

d. Other details

• The following ports were open in the system:

Port   Protocol   Process
1051   TCP        usbmgr.exe (%Windir%\usbmgr.exe)
1053   TCP        usbmgr.exe (%Windir%\usbmgr.exe)
1054   TCP        usbmgr.exe (%Windir%\usbmgr.exe)

  These three ports fall inside the Windows XP dynamic port range (1025 to 5000), so they may be the local ends of the outbound connections listed next rather than fixed listening ports. On a suspect host, confirm with netstat -ano which sockets usbmgr.exe actually owns and in which state, instead of matching on these numbers alone.
• There were registered attempts to establish connections with remote hosts. The connection details are:

Remote Host      Port Number
72.233.89.199    80
91.198.22.71     80
78.84.173.243    9595
• The data identified by the following URLs was then requested from the remote web server:

  • http://www.whatismyip.com/
  • http://checkip.dyndns.org/

  Both services simply return the public IP address of the requester; the worm uses them to learn the external address of the infected host, a common step before a bot reports in to its operator. An HTTP request to either URL from a process that is not a web browser is an easy network detection hook for this and similar bots.

     

3. How-to's

a. How to prevent Net-Worm.Win32.Kolab.lsq?

Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the network communication of this worm, it will break the connection and protect your network and business. Independently of the IDS, the remote hosts and ports listed in section 2d can be blocked at the perimeter, and users should be warned not to open unexpected e-mail attachments, since that is how the worm spreads by mail.

b. How to Remove Net-Worm.Win32.Kolab.lsq Manually?

Step 1: Use Windows Task Manager to end the Net-Worm.Win32.Kolab.lsq process

usbmgr.exe

Check the image path before ending it: the worm's copy runs from %Windir%\usbmgr.exe. End the process first, because Windows will not let you delete an executable that is still running.

Step 2: Use Registry Editor to remove the Net-Worm.Win32.Kolab.lsq registry value

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Universal Serial Bus device = "usbmgr.exe"

Step 3: Detect and delete the other Net-Worm.Win32.Kolab.lsq files

%Windir%\nigzss.txt
[file and pathname of the sample #1]
%Windir%\usbmgr.exe

Step 4: Restart the Security Center service (wscsvc), which the worm stopped, so that Windows resumes warning about disabled antivirus or firewall protection.
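
The triage checks for the indicators in section 2 and the cleanup steps in section 3b, as an added PowerShell example written for this page; it is not a tool from the original page or from Ax3soft. The file names, registry value, service name and remote hosts are taken from the tables above. The quarantine folder, the -Remove switch, the use of netstat -ano for socket listing and the order of the cleanup steps are assumptions made here. Run it from an elevated PowerShell prompt on the suspect host; without -Remove it only reports what it finds.

```powershell
<#
  Added example for this page: triage and cleanup of the Net-Worm.Win32.Kolab.lsq
  indicators listed in section 2 and removed by hand in section 3b. Not a tool from
  the original page or from Ax3soft. Indicator values come from the tables above;
  the quarantine path, the -Remove switch and the check order are assumptions.
#>
[CmdletBinding()]
param(
    [switch]$Remove,
    [string]$Quarantine = "$env:SystemDrive\Quarantine"   # assumed location
)

$windir      = $env:windir
$files       = @("$windir\usbmgr.exe", "$windir\nigzss.txt")
$runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue    = 'Universal Serial Bus device'
$procName    = 'usbmgr'
$remoteHosts = @('72.233.89.199', '91.198.22.71', '78.84.173.243')
$findings    = New-Object System.Collections.Generic.List[string]

# 1. Running process. Report the image path, not just the name: a legitimate binary
#    that happens to be called usbmgr.exe would live somewhere other than %Windir%.
foreach ($p in Get-Process -Name $procName -ErrorAction SilentlyContinue) {
    $findings.Add("process PID $($p.Id) image $($p.Path)")
}

# 2. Autorun value. The data is a bare file name; Windows resolves it through the
#    executable search path (System32, then the Windows directory), which is why the
#    dropper places its copy in %Windir%.
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) { $findings.Add("run value '$runValue' = '$($run.$runValue)'") }

# 3. Dropped files, with on-disk size (table above: 294,979 and 0 bytes) and SHA-256
#    so the sample can be matched against vendor records before it leaves the host.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $len  = (Get-Item -LiteralPath $f).Length
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings.Add("file $f size $len sha256 $hash")
    }
}

# 4. Security Center. The sample stops wscsvc, which silences the warnings Windows
#    would otherwise raise about disabled antivirus or firewall protection.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Status -ne 'Running') { $findings.Add("service wscsvc is $($wsc.Status)") }

# 5. Live sockets, read from netstat -ano so this also works on old hosts. Every socket
#    owned by the worm's PID is reported (ports 1051/1053/1054 above may only be local
#    ephemeral ports), plus any connection to the listed remote hosts regardless of PID.
$pids = @(Get-Process -Name $procName -ErrorAction SilentlyContinue | ForEach-Object { $_.Id })
foreach ($line in (& netstat -ano)) {
    if ($line -match '^\s*TCP\s+(.+):(\d+)\s+(.+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
        $remote = $Matches[3]; $rport = $Matches[4]; $state = $Matches[5]; $owner = [int]$Matches[6]
        if ($pids -contains $owner -or $remoteHosts -contains $remote) {
            $findings.Add("socket $($Matches[1]):$($Matches[2]) -> ${remote}:$rport $state PID $owner")
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Kolab.lsq indicators found.'; return }
$findings | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remove) { Write-Output 'Re-run with -Remove to clean up.'; return }

# Cleanup in dependency order: the image cannot be deleted while it runs, and the Run
# value must go before any reboot or the file is launched again. Files are quarantined
# rather than deleted so the sample survives for analysis.
Stop-Process -Name $procName -Force -ErrorAction SilentlyContinue
Start-Sleep -Seconds 2
Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $dest = Join-Path $Quarantine ((Split-Path $f -Leaf) + '.quarantine')
        Move-Item -LiteralPath $f -Destination $dest -Force
        Write-Output "moved $f -> $dest"
    }
}
Set-Service -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc -ErrorAction SilentlyContinue
Write-Output 'Cleanup done. Reboot, re-run this script, then run a full antivirus scan.'
```

Get-FileHash needs PowerShell 4 or later; on an older host drop that line and compare file sizes only. The script covers only the indicators this page lists, so after cleanup reboot, re-run it, and follow with a full antivirus scan, since a backdoor may have been used to place other components that this list does not know about.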
     

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
