WORM_CONE.C

Discussion in 'malware problems & news' started by Randy_Bell, Mar 13, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell
    Offline

    Randy_Bell Registered Member

    WORM_CONE.C is a non-destructive worm that arrives as a .zip attachment to an email message. This worm also propagates via Kazaa peer-to-peer file sharing, by dropping a copy of itself in the shared directory of Kazaa. Its payload overwrites the HOSTS file of the infected system, and therefore, prevents the user of the infected system from accessing certain Web sites typically related to security and antivirus information. This malware runs on Windows NT and 2000.

    WORM_CONE.C arrives as a .zip attachment to an email message, with one of the following 16 possible subject lines:

    • MAILER-DAEMON@%s
      How cute is your credit card number!! :))
      E-mail account disabling warning for %s
      RE: %s
      i have your password :)
      RE: Thank You!
      RE: details (%s)
      Password Reset For %s
      Undelivered Mail Returned to Sender (%s)
      about you
      Your account (%s) will be closed
      Your IP has been logged
      Mail Delivery System (%s)
      Mail Transaction Failed (%s)
      IMPORTANT %s!
      Confidential user information!
    It then drops 6 .DLL files in the Windows/System32 directory, and creates registry entries that allow it to automatically execute at every Windows startup. It also drops a copy of itself using the filename WEBCHECK.PIF in the following folders:

    • Winnt\Profiles\All Users\Start menu\Programs\Startup\
      WinME\Start Menu\Programs\Startup\
      Win98\Start Menu\Programs\Startup\
      Windows\Start Menu\Programs\Startup\
      Documents and settings\ALL USERS\Start Menu\Programs\Startup\
    To propagate via Kazaa, it drops a copy of itself in the Kazaa shared directory, using any of the following file names:

    • Strip Girls-part%d.scr
      Sky lopez - Screensaver.scr
      Playboy Screensaver Dec 2003.scr
    This worm overwrites the HOSTS file found in the directory "%System%\drivers\etc" (where %System% is C:\WINNT\System32 on Windows NT and 2000). This action redirects the connection to the listed site, back to the local host or the infected system, thus denying the infected system access to the following Web sites:

    • www.symantec.com
      securityresponse.symantec.com
      symantec.com
      www.sophos.com
      sophos.com
      www.mcafee.com
      mcafee.com
      liveupdate.symantecliveupdate.com
      www.viruslist.com
      viruslist.com
      f-secure.com
      www.f-secure.com
      kaspersky.com
      www.avp.com
      www.kaspersky.com
      avp.com
      www.networkassociates.com
      networkassociates.com
      www.ca.com
      ca.com
      mast.mcafee.com
      my-etrust.com
      www.my-etrust.com
      download.mcafee.com
      dispatch.mcafee.com
      secure.nai.com
      nai.com
      www.nai.com
      microsoft.com
      www.microsoft.com
      support.microsoft.com
      update.symantec.com
      updates.symantec.com
      us.mcafee.com
      liveupdate.symantec.com
      customer.symantec.com
      rads.mcafee.com
      trendmicro.com
      www.trendmicro.com
    If you would like to scan your computer for WORM_CONE.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_CONE.C is detected and cleaned by Trend Micro pattern file #810 and above.
  2. Randy_Bell
    Offline

    Randy_Bell Registered Member

    Related:W32.Cone.D@mm

    {Symantec} W32.Cone.D@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it gathers from the files on an infected computer.

    The email attachment will have a .exe or .zip file extension.

    This threat is written in Microsoft Visual C++ and is compressed with UPX.
Thread Status:
Not open for further replies.