Wilders Security Forums  

#1  March 13th, 2004, 07:32 AM
Randy_Bell (Updates Team)
WORM_CONE.C

WORM_CONE.C is a non-destructive worm that arrives as a .zip attachment to an email message. This worm also propagates via Kazaa peer-to-peer file sharing by dropping a copy of itself in the shared directory of Kazaa. Its payload overwrites the HOSTS file of the infected system and therefore prevents the user of the infected system from accessing certain Web sites typically related to security and antivirus information. This malware runs on Windows NT and 2000.

WORM_CONE.C arrives as a .zip attachment to an email message, with one of the following 16 possible subject lines:

  • MAILER-DAEMON@%s
  • How cute is your credit card number!! )
  • E-mail account disabling warning for %s
  • RE: %s
  • i have your password
  • RE: Thank You!
  • RE: details (%s)
  • Password Reset For %s
  • Undelivered Mail Returned to Sender (%s)
  • about you
  • Your account (%s) will be closed
  • Your IP has been logged
  • Mail Delivery System (%s)
  • Mail Transaction Failed (%s)
  • IMPORTANT %s!
  • Confidential user information!

It then drops 6 .DLL files in the Windows/System32 directory, and creates registry entries that allow it to automatically execute at every Windows startup. It also drops a copy of itself using the filename WEBCHECK.PIF in the following folders:

  • Winnt\Profiles\All Users\Start menu\Programs\Startup\
  • WinME\Start Menu\Programs\Startup\
  • Win98\Start Menu\Programs\Startup\
  • Windows\Start Menu\Programs\Startup\
  • Documents and settings\ALL USERS\Start Menu\Programs\Startup\

To propagate via Kazaa, it drops a copy of itself in the Kazaa shared directory, using any of the following file names:

  • Strip Girls-part%d.scr
  • Sky lopez - Screensaver.scr
  • Playboy Screensaver Dec 2003.scr

This worm overwrites the HOSTS file found in the directory "%System%\drivers\etc" (where %System% is C:\WINNT\System32 on Windows NT and 2000). This action redirects the connection to the listed site, back to the local host or the infected system, thus denying the infected system access to the following Web sites:
If you would like to scan your computer for WORM_CONE.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_CONE.C is detected and cleaned by Trend Micro pattern file #810 and above.
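
A defender-side check for the HOSTS-file payload described in the post above, added here as an example (not part of the original post or of the vendor's advisory): it parses HOSTS content and reports watched security-site names that are mapped to a loopback or unspecified address. The watch list, the `.example` domains and the sample file are constructed; the post says only that connections are redirected to the local host, so also flagging 0.0.0.0 and ::1 is a generalization.

```python
import ipaddress

# Constructed watch list (placeholder names); populate it from the vendor advisory.
WATCHED = {"av-vendor.example"}

# Constructed HOSTS content showing security-site names redirected locally.
SAMPLE_HOSTS = """\
# sample HOSTS file (constructed)
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example   # constructed entry
127.0.0.1 AV-Vendor.example update.av-vendor.example
0.0.0.0         liveupdate.av-vendor.example
192.0.2.10      intranet.corp.example
not-an-ip       www.av-vendor.example
"""

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: skip
        # Hostnames compare case-insensitively; a trailing dot is equivalent.
        yield line_no, addr, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host, watched):
    """True if host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)

def find_blocked(text, watched=WATCHED):
    """Return sorted (line_no, hostname, address) for watched names pinned locally."""
    hits = []
    for line_no, addr, hosts in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue                              # ordinary mapping, not a local sinkhole
        hits += [(line_no, h, str(addr)) for h in hosts if is_watched(h, watched)]
    return sorted(hits)

if __name__ == "__main__":
    for line_no, host, addr in find_blocked(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

On a live system, pass in the contents of the HOSTS file from the "%System%\drivers\etc" directory named in the post; any hit means the file should be restored before relying on antivirus updates from that machine.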
#2  March 13th, 2004, 07:36 AM
Randy_Bell (Updates Team)
Related: W32.Cone.D@mm

{Symantec} W32.Cone.D@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it gathers from the files on an infected computer.

The email attachment will have a .exe or .zip file extension.

This threat is written in Microsoft Visual C++ and is compressed with UPX.
 
