W32/Coronex.worm.b

Type: -
SubType: -
Discovery Date: 04/24/2003
Length: 12,288 bytes
Minimum DAT: 4260 (04/30/2003)
Updated DAT: 4260 (04/30/2003)
Minimum Engine: 5.1.00
Description Added: 04/24/2003
Description Modified: 05/08/2003 4:47 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a mass-mailing worm, which simply spreads via email. It does not contain a destructive payload. The worm sends itself to all addresses in the Windows address book.

Please note: This worm is detected as W32/Coronex.worm.gen with the 4260 DATs and above.

It arrives as an email attachment. The message may be one of the following:

From: virus@nai.com
Subject: virus
Message: virus
Attachment: virus.exe

From: virus@symantec.com
Subject: virus
Message: virus
Attachment: virus.exe

From: virus@antivirus.com
Subject: virus
Message: virus
Attachment: virus.exe

From: virus@mcafee
Subject: virus
Message: virus
Attachment: virus.exe

From: virus@avp.ru
Subject: virus
Message: virus
Attachment: virus.exe

From: virus@rav.com
Subject: virus
Message: virus
Attachment: virus.exe

From: virus@drweb.com
Subject: virus
Message: virus
Attachment: virus.exe

When the attachment is executed, the worm will perform the following actions:

  • It drops a copy of itself in the %WINDIR% directory.
  • Displays a message box.

    [new virus: virus]

  • Creates a key to run itself during startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "PC-Config32" = C:\%WINDIR%\virus.exe -A

  • Changes the default browser start page:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Start Page" = http://www.bitdefender.com

  • Looks for "C:\My Downloads" and drops a copy of itself there using one of the following filenames (randomly chosen):
    • Cossacks Full Version.exe
    • Cossacks Full Version.exe
    • Battlefield 1942 (full).exe
    • Warcraft III Full.exe
    • Jedi Knight II.exe
    • Quake 3 Full Version.exe
    • Starcraft full.exe
    • Doom 3.exe
    • Tribes 2 (full).exe
    • Rainbow 6 Full.exe
    • Oni full.exe
    • White and Black.exe
    • Return to Castle Wolfenstien (Full).exe
    • Command & Conquer: Generals.exe
    • Black HawkDown (full).exe
    • The Sims: Unleashed.exe
    • Age Of Mythology.exe
    • Dark Age of Camelot.exe
    • Ultima Online.exe
    • The Lord of the Rings.exe
    • Medel of Honor: Allied Assualt.exe
    • Grand Theft Auto 3 (full).exe
    • Unreal 2: The Awakening (full).exe
    • Unreal.exe
    • Master Of Orion.exe

    Please note: The copies of the worm may vary in file size because garbage is appended to the end of the file. The virus may also attempt to drop a zero-byte file in the directory from which it was executed.

  • Mails itself to addresses listed in the Windows address book. The worm uses its own SMTP engine to construct the aforementioned messages.
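The following Python script is an added example, not McAfee's code or part of the original description. It checks two kinds of offline evidence for the indicators listed above: mail metadata against the worm's fixed sender/subject/attachment template, and a Windows registry export (.reg text, as written by `reg export`) for the PC-Config32 Run value and the altered Internet Explorer start page. The indicator constants are taken from the description; the sample mail records and registry export at the bottom are constructed for the example.

```python
"""Offline indicator check for W32/Coronex.worm.b (added example, not McAfee's code).

Two artefact sources are examined:
  * mail metadata (sender, subject, attachment name) against the worm's
    fixed message template, and
  * a Windows registry export (.reg text, as written by `reg export`) for the
    Run value and the Internet Explorer start page the worm sets.
All indicator constants come from the description above; the sample
inputs at the bottom are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List

# Sender addresses the worm spoofs (verbatim from the description).
SPOOFED_SENDERS = frozenset({
    "virus@nai.com", "virus@symantec.com", "virus@antivirus.com",
    "virus@mcafee", "virus@avp.ru", "virus@rav.com", "virus@drweb.com",
})
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "PC-Config32"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
START_PAGE = "http://www.bitdefender.com"


@dataclass
class MailMeta:
    sender: str
    subject: str
    attachment: str


def mail_matches_coronex(m: MailMeta) -> bool:
    """True when a message has the worm's exact template: spoofed AV
    sender, subject 'virus', attachment 'virus.exe'. All three must match,
    so a legitimate vendor mail with a different subject is not flagged."""
    return (m.sender.strip().lower() in SPOOFED_SENDERS
            and m.subject.strip().lower() == "virus"
            and m.attachment.strip().lower() == "virus.exe")


def scan_reg_export(text: str) -> List[str]:
    """Walk a .reg export and report the two registry indicators.

    .reg files group "name"="value" lines under [KEY] headers and write
    each backslash in a string value as a doubled backslash, which is undone
    here. Key paths are compared case-insensitively because exports vary
    in the case they use for hive and key names.
    """
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or current_key is None:
            continue
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        if current_key == RUN_KEY.lower() and name == RUN_VALUE_NAME:
            findings.append(f"Run value {name} -> {value}")
        # On its own the start page is a weak indicator (a user may have set
        # it deliberately); it is reported so it can be correlated with the
        # Run value rather than treated as proof by itself.
        elif (current_key == IE_MAIN_KEY.lower() and name == "Start Page"
              and value.rstrip("/").lower() == START_PAGE):
            findings.append(f"IE start page set to {value}")
    return findings


# Constructed sample inputs for a stand-alone run.
SAMPLE_MAILS = [
    MailMeta("virus@nai.com", "virus", "virus.exe"),
    MailMeta("virus@symantec.com", "Your weekly report", "report.pdf"),
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Config32"="C:\\WINDOWS\\virus.exe -A"
"LegitUpdater"="C:\\Program Files\\Legit\\update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.bitdefender.com"
"""


def run_checks() -> dict:
    """Summarise both checks over the constructed sample data."""
    return {
        "flagged_mails": [m.sender for m in SAMPLE_MAILS if mail_matches_coronex(m)],
        "registry_findings": scan_reg_export(SAMPLE_REG),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Run it as-is to see the two registry findings and the one flagged message; on a real host, feed `scan_reg_export` the text of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and the corresponding HKCU Internet Explorer key, and feed `mail_matches_coronex` the sender/subject/attachment fields pulled from a mail store or gateway log. The lure filenames listed for C:\My Downloads can be matched the same way with a frozenset of names.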

Symptoms

Presence of the files and registry keys detailed above.

Method of Infection

When executed, the worm propagates itself to all addresses found in the Windows address book using its own SMTP engine. The worm copies itself to the %WINDIR% folder, modifying the Registry to run this copy at subsequent startup.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Aliases

  • I-Worm.Coronex.b (AVP)
  • W32/Coronex.worm.gen
