Content

W32/Colevo@MM

Type
Virus
SubType
E-mail worm
Discovery Date
06/28/2003
Length
188,928 bytes (packed)
Minimum DAT
4274 (06/30/2003)
Updated DAT
4277 (07/16/2003)
Minimum Engine
5.1.00
Description Added
06/29/2003
Description Modified
07/08/2003 2:12 PM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Characteristics

-- Update July 8, 2003 --
This threat has been downgraded to a Low-Profiled risk for Home users.

-- Update June 30, 2003 --
This threat has been upgraded to a Medium risk for Home users only. Due to the nature of the virus, Corporate users are at a reduced risk of infection.

W32/Colevo@MM is a mass-mailing worm that harvests MSN Messenger contact addresses.

It launches Internet Explorer and connects to various news websites, displaying images of Bolivian Aymara Indian leader Evo Morales. The websites it connects to are as follows:

  • http://jeremybigwood.net
  • http://news.bbc.co.uk
  • http://www.commondreams.org/headlines/images/100700-01.jpg
  • http://www-ni.laprensa.com.ni
  • http://www.soc.uu.se
  • http://www.cannabisculture.com
  • http://www.chilevive.cl
  • http://membres.lycos.fr
  • http://news.bbc.co.uk
  • http://www.movimientos.org

When run, the worm copies itself to the %WINDIR% directory under the following filenames:

  • All Users.exe
  • command.exe
  • Hot Girl.scr
  • hotmailpass.exe
  • Inf.exe
  • Internet Download                        .exe
  • Internet File.exe
  • Part Hard Disk.exe
  • Shell.exe
  • system.exe
  • system32.exe
  • system64.pif
  • Temp.exe
(Where %WINDIR% is C:\WINDOWS or C:\WINNT)

It also copies itself to %SYSDIR% under the following filenames:

  • Inf.exe
  • net.com
  • www.microsoft.com
(Where %SYSDIR% is C:\WINDOWS\SYSTEM32 or C:\WINNT\SYSTEM32)

Mass Mailing Component

Strings in the body of the virus suggest that it connects to a Hotmail SMTP server and mails itself to contacts found in the MSN Messenger cache. The email appears in the following format:

Subject: El adelanto de matrix ta gueno‼
(Roughly, in English: "The Matrix preview is good!!")
Body: Pablo_Hack
Oye te U paso el programa para entrar a cuentas del messenger, y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya? Respondeme que tal te parecio. chau‼
(Roughly, in English: "Hey, I'm passing you the program to get into Messenger accounts, and I'm passing it only to you, so promise me you won't pass it to anyone, ok? Let me know what you thought. bye")

Attachment: hotmailpass.exe

Backdoor Component

The virus also leaves several TCP ports open on the infected system, allowing an attacker to control the machine remotely. Ports observed open in testing include 1168, 1169, 1170 and 2536.

Symptoms

Presence of the above files. The worm creates the following registry values in order to load itself at Windows startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System"=%WinDir%\system.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4 "System"=%WinDir%\system.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSevices "System"=%WinDir%\system.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSevicesOnce "System"=%WinDir%\temp.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System"=%WinDir%\system.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4 "System"=%WinDir%\temp.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSevices "System"=%WinDir%\commands.com

The virus also modifies the following registry keys so that the worm is executed every time a file with one of the associated extensions is run:

  • HKEY_CLASSES_ROOT\exefile "NeverShowExt"= (hides the file extension of executables)
  • HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)" = "%WinDir%\temp.exe", "%1" %*
  • HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)" = "%WinDir%\Inf.exe", "%1" %*
  • HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = "%WinDir%\command.exe", "%1" %*
  • HKEY_CLASSES_ROOT\htafile\Shell\Open\Command "(Default)" = "%WinDir%\commands.com", "%1" %*
  • HKEY_CLASSES_ROOT\piffile\shell\open\command "(Default)" = "%WinDir%\commands.com", "%1" %*

Note: The file COMMANDS.COM was not dropped on the system in testing, so the registry hooks above that point at it are redundant with respect to launching the worm.

The system.ini file is modified to load the worm on startup:

[boot] "Shell" = explorer.exe temp.exe

The following keys were added to the win.ini file:

[windows] "load" = archivo.exe
[windows] "run" = archivo.exe

In testing these keys were added again at each reboot, leaving win.ini and system.ini with multiple copies of the same keys.

The following key was deleted:

[windows] "NullPort"

The following comment was also inserted into the WIN.INI file:

####Viva el EVO, y jamas erradicaran la Coca Cola!!! mentira colla maldito!! (PYN Pablo_Hack@hotmail.com)####
(Roughly, in English: "Long live EVO, and they will never eradicate Coca Cola!!! lies, damned colla!!")
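As an added example (not part of the original description or of any vendor tooling), the Python script below audits configuration text exported from a machine for the hooks listed in the two passages above: the system.ini [boot] Shell line, the win.ini load/run values and their duplicated keys, and the HKEY_CLASSES_ROOT NeverShowExt and shell\open\command changes as they appear in a .reg export (for example from `reg export HKCR\exefile`). The sample inputs are constructed, and the check relies on the assumption that a clean exefile/comfile/batfile/piffile open command begins with "%1".

```python
from collections import Counter
# Constructed sample inputs (not captured from a real infection) that mirror the
# system.ini, win.ini and HKEY_CLASSES_ROOT changes listed in the description.
SYSTEM_INI = "[boot]\nShell=explorer.exe temp.exe\n"
WIN_INI = "[windows]\nload=archivo.exe\nrun=archivo.exe\nload=archivo.exe\n"
REG_EXPORT = ('[HKEY_CLASSES_ROOT\\exefile]\n"NeverShowExt"=""\n'
              '[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\n'
              '@="\\"C:\\\\WINDOWS\\\\command.exe\\" \\"%1\\" %*"\n')
SELF_EXECUTING = {"exefile", "comfile", "batfile", "piffile"}

def parse_sections(text):
    """Split INI or .reg text into (section, key, value) triples, keeping duplicate keys (the worm re-adds them on every reboot)."""
    triples, section = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, val = line.split("=", 1)
            triples.append((section, key.strip().strip('"'), val.strip()))
    return triples

def audit_ini(system_ini, win_ini):
    """Flag the [boot] Shell, [windows] load/run and duplicated-key symptoms.
    A clean Shell line names only explorer.exe; any extra token is suspect."""
    findings = []
    for sec, key, val in parse_sections(system_ini):
        if sec == "boot" and key.lower() == "shell" and val.split()[1:]:
            findings.append(f"system.ini Shell also launches {val.split()[1:]}")
    entries = parse_sections(win_ini)
    for sec, key, val in entries:
        if sec == "windows" and key.lower() in ("load", "run") and val:
            findings.append(f"win.ini {key}={val} autostarts a program")
    for (sec, key), n in Counter((s, k) for s, k, _ in entries).items():
        if n > 1:
            findings.append(f"win.ini [{sec}] {key} appears {n} times")
    return findings

def audit_reg_export(text):
    """Flag NeverShowExt and shell\\open\\command hijacks in a .reg export.
    Assumption: a clean command for these types starts with "%1" (run the file)."""
    findings = []
    for sec, key, val in parse_sections(text):
        ftype = sec.split("\\")[1].lower() if sec and "\\" in sec else ""
        if ftype == "exefile" and key == "NeverShowExt":
            findings.append("exefile NeverShowExt set: .exe extensions are hidden")
        if key == "@" and ftype in SELF_EXECUTING and sec.lower().endswith("\\shell\\open\\command"):
            cmd = val.strip('"').replace('\\"', '"').replace("\\\\", "\\")  # un-escape .reg string
            if not cmd.lstrip('"').startswith("%1"):
                findings.append(f"{ftype} open command redirected to: {cmd}")
    return findings
```

Running `audit_ini(SYSTEM_INI, WIN_INI)` on the constructed samples reports the extra Shell program, the three load/run entries and the duplicated load key; `audit_reg_export(REG_EXPORT)` reports the hidden extension and the redirected exefile command.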

Method of Infection

The virus arrives in an email message, and the user is infected upon executing the attached file.

The virus uses an icon almost identical to the one Windows associates with folders. Combined with the suppression of the filename extension (the NeverShowExt value above), this increases the likelihood of a user inadvertently executing the virus.

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Colevo (AVP)
  • Win32/Meve.a@MM (RAV)
