WORM_CONE.C is a non-destructive worm that arrives as a .zip attachment to an email message. This worm also propagates via Kazaa peer-to-peer file sharing, by dropping a copy of itself in the shared directory of Kazaa. Its payload overwrites the HOSTS file of the infected system, and therefore, prevents the user of the infected system from accessing certain Web sites typically related to security and antivirus information. This malware runs on Windows NT and 2000. WORM_CONE.C arrives as a .zip attachment to an email message, with one of the following 16 possible subject lines: MAILER-DAEMON@%s How cute is your credit card number!! ) E-mail account disabling warning for %s RE: %s i have your password RE: Thank You! RE: details (%s) Password Reset For %s Undelivered Mail Returned to Sender (%s) about you Your account (%s) will be closed Your IP has been logged Mail Delivery System (%s) Mail Transaction Failed (%s) IMPORTANT %s! Confidential user information! It then drops 6 .DLL files in the Windows/System32 directory, and creates registry entries that allow it to automatically execute at every Windows startup. It also drops a copy of itself using the filename WEBCHECK.PIF in the following folders: Winnt\Profiles\All Users\Start menu\Programs\Startup\ WinME\Start Menu\Programs\Startup\ Win98\Start Menu\Programs\Startup\ Windows\Start Menu\Programs\Startup\ Documents and settings\ALL USERS\Start Menu\Programs\Startup\ To propagate via Kazaa, it drops a copy of itself in the Kazaa shared directory, using any of the following file names: Strip Girls-part%d.scr Sky lopez - Screensaver.scr Playboy Screensaver Dec 2003.scr This worm overwrites the HOSTS file found in the directory "%System%\drivers\etc" (where %System% is C:\WINNT\System32 on Windows NT and 2000). This action redirects the connection to the listed site, back to the local host or the infected system, thus denying the infected system access to the following Web sites: www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com www.avp.com www.kaspersky.com avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com www.nai.com microsoft.com www.microsoft.com support.microsoft.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com www.trendmicro.com If you would like to scan your computer for WORM_CONE.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com WORM_CONE.C is detected and cleaned by Trend Micro pattern file #810 and above.