WORM_CONE.C

WORM_CONE.C is a non-destructive worm that arrives as a .zip attachment to an email message. This worm also propagates via Kazaa peer-to-peer file sharing, by dropping a copy of itself in the shared directory of Kazaa. Its payload overwrites the HOSTS file of the infected system, and therefore, prevents the user of the infected system from accessing certain Web sites typically related to security and antivirus information. This malware runs on Windows NT and 2000.

WORM_CONE.C arrives as a .zip attachment to an email message, with one of the following 16 possible subject lines:

• 
  MAILER-DAEMON@%s
  How cute is your credit card number!! )
  E-mail account disabling warning for %s
  RE: %s
  i have your password
  RE: Thank You!
  RE: details (%s)
  Password Reset For %s
  Undelivered Mail Returned to Sender (%s)
  about you
  Your account (%s) will be closed
  Your IP has been logged
  Mail Delivery System (%s)
  Mail Transaction Failed (%s)
  IMPORTANT %s!
  Confidential user information!

It then drops 6 .DLL files in the Windows/System32 directory, and creates registry entries that allow it to automatically execute at every Windows startup. It also drops a copy of itself using the filename WEBCHECK.PIF in the following folders:

• 
  Winnt\Profiles\All Users\Start menu\Programs\Startup\
  WinME\Start Menu\Programs\Startup\
  Win98\Start Menu\Programs\Startup\
  Windows\Start Menu\Programs\Startup\
  Documents and settings\ALL USERS\Start Menu\Programs\Startup\

To propagate via Kazaa, it drops a copy of itself in the Kazaa shared directory, using any of the following file names:

• 
  Strip Girls-part%d.scr
  Sky lopez - Screensaver.scr
  Playboy Screensaver Dec 2003.scr

This worm overwrites the HOSTS file found in the directory "%System%\drivers\etc" (where %System% is C:\WINNT\System32 on Windows NT and 2000). This action redirects the connection to the listed site, back to the local host or the infected system, thus denying the infected system access to the following Web sites:

• 
  www.symantec.com
  securityresponse.symantec.com
  symantec.com
  www.sophos.com
  sophos.com
  www.mcafee.com
  mcafee.com
  liveupdate.symantecliveupdate.com
  www.viruslist.com
  viruslist.com
  f-secure.com
  www.f-secure.com
  kaspersky.com
  www.avp.com
  www.kaspersky.com
  avp.com
  www.networkassociates.com
  networkassociates.com
  www.ca.com
  ca.com
  mast.mcafee.com
  my-etrust.com
  www.my-etrust.com
  download.mcafee.com
  dispatch.mcafee.com
  secure.nai.com
  nai.com
  www.nai.com
  microsoft.com
  www.microsoft.com
  support.microsoft.com
  update.symantec.com
  updates.symantec.com
  us.mcafee.com
  liveupdate.symantec.com
  customer.symantec.com
  rads.mcafee.com
  trendmicro.com
  www.trendmicro.com

If you would like to scan your computer for WORM_CONE.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_CONE.C is detected and cleaned by Trend Micro pattern file #810 and above.

 

Related:W32.Cone.D@mm

{Symantec} W32.Cone.D@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it gathers from the files on an infected computer.

The email attachment will have a .exe or .zip file extension.

This threat is written in Microsoft Visual C++ and is compressed with UPX.