W32/Coronex-A

Discussion in 'malware problems & news' started by FanJ, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    http://www.sophos.com/virusinfo/analyses/w32coronexa.html
    W32/Coronex-A Aliases: I-Worm.Coronex

    Type
    Win32 worm

    Description
    W32/Coronex-A is an internet worm which emails itself to every contact in the Windows address book.

    The email characteristics vary depending upon the current day of the week, as follows:

    ---snip by FanJ (see that Sophos page !)---


    When first run, the worm displays a message box with the text "SARS Virus, corona virus", copies itself to the Windows folder as Corona.exe and creates the following registry entry so that corona.exe is run automatically each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PC-Config32
    = %WINDOWS%\corona.exe -A

    The worm copies itself to the C:\My Downloads folder using 1 of the 24 filenames listed below, depending upon the current hour of the day:

    Age Of Mythology.exe
    Battlefield 1942 (full).exe
    Black Hawk Down (full).exe
    Command & Conquer: Generals.exe
    Cossacks Full Version.exe
    Dark Age of Camelot.exe
    Doom 3.exe
    Grand Theft Auto 3 (full).exe
    Jedi Knight II.exe
    Master Of Orion 3.exe
    Medel Of Honor: Allied Assault.exe
    Oni full.exe
    Quake 3 Full Version.exe
    Rainbow 6 Full.exe
    Return to Castle Wolfenstien (Full).exe
    Starcraft full.exe
    The Lord of the Rings.exe
    The Sims: Unleashed.exe
    Tribes 2 (full).exe
    Ultima Online.exe
    Unreal 2: The Awakening (full).exe
    Unreal.exe
    Warcraft III Full.exe
    White and Black.exe

    When run with a -A command line switch (i.e. on startup), the worm runs continuously in the background and emails itself when the time is 1 minute past any hour.

    The worm also changes the start page for Microsoft Internet Explorer by setting the registry entry

    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    ---deleted by FanJ---
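
A defensive check for the startup entry described in the analysis above, as an added example that is not part of the thread or of the Sophos write-up: it scans a `.reg` export for an HKLM Run value named PC-Config32 or one that launches corona.exe. The sample export, the function names and the choice to match on the file name alone (so any Windows folder path is caught) are assumptions.

```python
import re
from ntpath import basename  # Windows path handling on any host OS

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ only

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Config32"="C:\\WINDOWS\\corona.exe -A"
"SomeApp"="\"C:\\Program Files\\SomeApp\\app.exe\" /tray"
"Updater"="C:\\WINNT\\CORONA.EXE -A"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PC-Config32"="C:\\Tools\\pcconfig.exe"
'''

def _unescape(text):
    # .reg exports escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", text)

def image_name(command):
    """Lower-cased file name of the executable in a Run command line."""
    m = re.match(r'"?(.*?\.exe)', command.strip(), re.IGNORECASE)
    exe = m.group(1) if m else command.strip().split(" ", 1)[0]
    return basename(exe).lower()

def find_coronex_run_entries(reg_text):
    """Return (value name, command, reasons) for matching HKLM Run values."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key names are case-insensitive
            continue
        m = VALUE_RE.match(line)
        if not m or key != RUN_KEY:  # only the HKLM Run key named in the analysis
            continue
        name, command = _unescape(m.group(1)), _unescape(m.group(2))
        reasons = []
        if name.lower() == "pc-config32":
            reasons.append("value name PC-Config32")
        if image_name(command) == "corona.exe":
            reasons.append("runs corona.exe")
        if reasons:
            hits.append((name, command, reasons))
    return hits
```

Calling `find_coronex_run_entries(SAMPLE_REG)` returns the PC-Config32 entry and the constructed "Updater" entry that launches CORONA.EXE under a different value name; the HKCU value is ignored because the analysis names the HKLM key only.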
     
  2. FanJ

    FanJ Guest

    http://www.sarc.com/avcenter/venc/data/w32.coronex@mm.html

    You will have to copy and paste the link because of the @.


    With thanks to Pieter ! ;)
     
  3. spy1

    spy1 Registered Member
