Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Dec 15, 2009 | Updated Sep 15, 2017

Worm:Win32/Kolabc.C

Detected by Microsoft Defender Antivirus

Aliases: Exploit:Win32/MS06040.gen (Microsoft) Exploit:Win32/MS08067.gen!A (Microsoft) Exploit:Win32/RpcDcom.gen!MS03-039 (Microsoft) Exploit:Win32/ShellCode.gen!A (Microsoft) Backdoor:Win32/IRCbot.gen!M (Microsoft) W32/Kolab.X (Command) Backdoor.Bot.109216 (BitDefender) Win32.HLLW.Piabot.4 (Dr.Web) Win32/Hatob.E (ESET) Net-Worm.Win32.Kolabc.hki (Kaspersky) W32/Malware.JJGL (Norman) W32/Gaobot.QKW.worm (Panda) W32.Spybot.Worm (Symantec) WORM_KOLABC.FY (Trend Micro) Worm.Kolabc.AZM (VirusBuster)

Summary

Worm:Win32/Kolabc.C is a worm that can spread to removable drives and to other networked computers by exploiting vulnerabilities described in Microsoft Security Bulletins MS03-039, MS06-040 and MS08-067. The worm contains backdoor functionality that allows an attacker remote access and control of the infected computer.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s.
 
Reset system security settings to default
Reset the system security settings to their default values.
 
Enable Distributed COM (DCOM)
The worm may disable Distributed COM (DCOM) on the infected computer. The following link discusses how to disable and enable DCOM using the Windows utility DCOMCNFG.EXE: http://support.microsoft.com/kb/825750. Alternatively, use the following instructions to enable DCOM:
  1. Run Dcomcnfg.exe.
  2. If you are running Windows XP or Windows Server 2003, perform these additional steps:
    1. Click the Component Services node under Console Root.
    2. Open the Computers folder.
    3. For the local computer, right-click My Computer, and then click Properties.
    4. For a remote computer, right-click Computers folder, point to New, and then click Computer.
    5. Type the computer name.
    6. Right-click the computer name, and then click Properties.
  3. Click the Default Properties tab.
  4. Click to select the Enable Distributed COM on this Computer check box.
  5. If you want to set more properties for the computer, click Apply to enable (or disable) DCOM. Otherwise, click OK to apply the changes and quit Dcomcnfg.exe.
  6. Restart the operating system for the changes to take effect.
 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares  (see above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.
Follow us