http://www.sophos.com/virusinfo/analyses/w32coronexa.html [hr] W32/Coronex-A Aliases: I-Worm.Coronex Type Win32 worm Description W32/Coronex-A is an internet worm which emails itself to every contact in the Windows address book. The email characteristics vary depending upon the current day of the week, as follows: ---snip by FanJ (see that Sophos page !)--- When first run, the worm displays a message box with the text "SARS Virus, corona virus", copies itself to the Windows folder as Corona.exe and creates the following registry entry so that corona.exe is run automatically each time Windows is started: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PC-Config32 = %WINDOWS%\corona.exe -A The worm copies itself to the C:\My Downloads folder using 1 of the 24 filenames listed below, depending upon the current hour of the day: Age Of Mythology.exe Battlefield 1942 (full).exe Black Hawk Down (full).exe Command & Conquer: Generals.exe Cossacks Full Version.exe Dark Age of Camelot.exe Doom 3.exe Grand Theft Auto 3 (full).exe Jedi Knight II.exe Master Of Orion 3.exe Medel Of Honor: Allied Assault.exe Oni full.exe Quake 3 Full Version.exe Rainbow 6 Full.exe Return to Castle Wolfenstien (Full).exe Starcraft full.exe The Lord of the Rings.exe The Sims: Unleashed.exe Tribes 2 (full).exe Ultima Online.exe Unreal 2: The Awakening (full).exe Unreal.exe Warcraft III Full.exe White and Black.exe When run with a -A command line switch (i.e. on startup), the worm runs continuously in the background and emails itself when the time is 1 minute past any hour. The worm also changes the start page for Microsoft Internet Explorer by setting the registry entry HKCU\Software\Microsoft\Internet Explorer\Main\Start Page ---deleted by FanJ---
http://www.sarc.com/avcenter/venc/data/w32.coronex@mm.html You will have to copy and paste the link because of the @. With thanks to Pieter !
Hmm. Had to go to this page: http://securityresponse.symantec.com/ and then click on the Coronex entry under "Latest virus threats" to get it to work.