WORM_CONE.C is a non-destructive worm that arrives as a .zip attachment to an email message. This worm also propagates via Kazaa peer-to-peer file sharing by dropping a copy of itself in the Kazaa shared directory. Its payload overwrites the HOSTS file of the infected system and therefore prevents the user of the infected system from accessing certain Web sites, typically those related to security and antivirus information. This malware runs on Windows NT and 2000.
WORM_CONE.C arrives as a .zip attachment to an email message, with one of the following 16 possible subject lines:
How cute is your credit card number!! )
E-mail account disabling warning for %s
i have your password
RE: Thank You!
RE: details (%s)
Password Reset For %s
Undelivered Mail Returned to Sender (%s)
Your account (%s) will be closed
Your IP has been logged
Mail Delivery System (%s)
Mail Transaction Failed (%s)
Confidential user information!
It then drops 6 .DLL files in the Windows/System32 directory, and creates registry entries that allow it to automatically execute at every Windows startup. It also drops a copy of itself using the filename WEBCHECK.PIF in the following folders:
Winnt\Profiles\All Users\Start menu\Programs\Startup\
Documents and settings\ALL USERS\Start Menu\Programs\Startup\
To propagate via Kazaa, it drops a copy of itself in the Kazaa shared directory, using any of the following file names:
Sky lopez - Screensaver.scr
Playboy Screensaver Dec 2003.scr
This worm overwrites the HOSTS file found in the directory "%System%\drivers\etc" (where %System% is C:\WINNT\System32 on Windows NT and 2000). This redirects connections to the listed sites back to the local host (the infected system), thus denying the infected system access to the following Web sites:
If you would like to scan your computer for WORM_CONE.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com
WORM_CONE.C is detected and cleaned by Trend Micro pattern file #810 and above.
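The HOSTS overwrite described above can be checked for by listing every non-local hostname that a HOSTS file pins to the local host. The following Python is an added example, not Trend Micro's code: the sample file contents and the `.example` hostnames are constructed, and treating 0.0.0.0 the same as a loopback address is an assumption that goes beyond what the description states.

```python
import ipaddress

# Names that a clean HOSTS file normally maps to loopback.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample; hostnames are placeholders, not the worm's actual list.
SAMPLE_HOSTS = """\
# constructed sample, not taken from an infected host
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example update.av-vendor.example
0.0.0.0         Downloads.Security-Site.example.   # trailing dot, mixed case
10.0.0.5        intranet.corp.example
not-an-ip       junk.example
"""


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for each valid mapping line."""
    text = text.lstrip("\ufeff")  # tolerate a UTF-8 byte-order mark
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address without a hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        # Normalise case and a trailing root dot so comparisons are stable.
        yield line_no, addr, [h.lower().rstrip(".") for h in fields[1:]]


def sinkholed_names(text):
    """Return (hostname, line_no) for non-local names pinned to the local host."""
    hits = []
    for line_no, addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:  # 127.0.0.0/8, ::1, 0.0.0.0, ::
            hits.extend((n, line_no) for n in names if n not in BENIGN_NAMES)
    return hits


if __name__ == "__main__":
    for name, line_no in sinkholed_names(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is redirected to the local host")
```

Run it against a copy of the HOSTS file from %System%\drivers\etc; any hit for a security or antivirus vendor's hostname is consistent with the payload described here, while ad-blocking HOSTS files produce hits of their own and need to be told apart by the names involved.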