W32/Cone@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 02/23/2004
- Length: 17,920 bytes
- Minimum DAT: 4328 (02/25/2004)
- Updated DAT: 4333 (03/03/2004)
- Minimum Engine: 5.1.00
- Description Added: 02/22/2004
- Description Modified: 05/11/2004 5:35 AM (PT)
Characteristics
This mass mailing worm has been proactively detected as "virus or variant of New Malware-b" with the 4.2.40 engine and 4309 DAT combination (or greater) since 12/17/2003 with heuristics enabled.
Emailing Component
The worm sends itself out as a base64-encoded attachment. The message contains the following information:
From: (spoofed name)@yahoo.com
Subject:
- WARNING: %s, WHY YOU TRY TO HACK OUR WEBSITE?
- I WILL KILL %s
- Mail Transaction Failed (%s)
- Mail Delivery System (%s)
- %s, What you have to say?
- Your account (%s) will be closed
- BREAKING NEWS: US begin the war against IRAN!
- Undelivered Mail Returned to Sender (%s)
- Password Reset For %s
- Re: Details (%s)
- Thank You %s!
- news@bbc.co.uk
- MAILER-DAEMON@%s
- WE COULD NOT OPEN THE ATTACHMENT!!!
Body:
- Hi Melinda,see my gift for your birthday ;-) call me and say what you think about it? Love,Bill
- The message contains Unicode characters and has been sent as an attachment (in binary).
- WARNING:This message contains (attached) users personal data and you may not use it for personal use, remember that you accept the agreement, and you are responsible for any kind of misuse of the users personal data.
- we can't find anything usefull in your attachment See the attached file for details
- What you think? you are just a piece of shit!
Attachment name (varies, and the file may be delivered inside a .zip archive):
- text22F1.exe
- document.scr
- untitled.exe
- CA112732.exe
Kazaa Propagation
The worm retrieves the location of the download directory of Kazaa from the registry key:
- HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent "DownloadDir"
It then copies itself into the /Recieved folder under that directory using the following filenames:
- Screensaver-Hot Girls-part%d.scr
- Winamp5.01.exe
- BAD-GIRLS(Playboy)-ScreenSaver.scr
- Playboy-Screensaver-Nov-03.scr
Redirection To Prevent Access
The worm overwrites the local hosts file so that infected computers can no longer reach the sites listed below: each name is redirected to the IP address 127.0.0.1, which blocks access to anti-virus vendor and Microsoft update sites. AVERT recommends updating to the 4327 DAT files as soon as possible, so that your computer can continue to access NAI and other important sites for future updates.
- localhost
- www.trendmicro.com
- trendmicro.com
- rads.mcafee.com
- customer.symantec.com
- liveupdate.symantec.com
- us.mcafee.com
- updates.symantec.com
- update.symantec.com
- support.microsoft.com
- www.microsoft.com
- microsoft.com
- www.nai.com
- nai.com
- secure.nai.com
- dispatch.mcafee.com
- download.mcafee.com
- www.my-etrust.com
- my-etrust.com
- mast.mcafee.com
- ca.com
- www.ca.com
- networkassociates.com
- www.networkassociates.com
- avp.com
- www.kaspersky.com
- www.avp.com
- kaspersky.com
- www.f-secure.com
- f-secure.com
- viruslist.com
- www.viruslist.com
- liveupdate.symantecliveupdate.com
- mcafee.com
- www.mcafee.com
- sophos.com
- www.sophos.com
- symantec.com
- securityresponse.symantec.com
- www.symantec.com
Symptoms
A Notepad document containing the following is shown:
The worm drops several DLLs in the %SYSDIR% directory. Some of the DLLs are 0 bytes in size; others contain the virus body:
- 1seml.dll
- 1check.dll
- 1eml.dll
- 1url.dll
- 1vis.dll
- 1http.dll
- 1enel.dll
The following registry keys are created to run the worm at startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services Host" = C:\windows\svchost.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services Host" = C:\windows\svchost.exe
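The hosts-file redirection and the startup Run values are the two indicators a responder can check without a scanner. The following is an added example and not code from the AVERT description: it parses hosts-file text and flags any of the vendor and Microsoft names listed above that are mapped to a loopback address, and it inspects Run-key values for the "Windows Services Host" entry or for an svchost.exe launched from outside System32 (the genuine one lives under %SystemRoot%\System32). The sample hosts text and Run values are constructed for the example; the functions take text and dictionaries as input so they can be run against a copy of the files or an exported registry hive rather than only on a live machine.

```python
"""Triage helpers for the W32/Cone@MM indicators described above.
Added example; the sample inputs below are constructed, not captured from an infection."""
from typing import Dict, List, Tuple

# Names the description says the worm redirects to 127.0.0.1 (localhost excluded).
REDIRECTED_NAMES = frozenset({
    "www.trendmicro.com", "trendmicro.com", "rads.mcafee.com", "customer.symantec.com",
    "liveupdate.symantec.com", "us.mcafee.com", "updates.symantec.com", "update.symantec.com",
    "support.microsoft.com", "www.microsoft.com", "microsoft.com", "www.nai.com", "nai.com",
    "secure.nai.com", "dispatch.mcafee.com", "download.mcafee.com", "www.my-etrust.com",
    "my-etrust.com", "mast.mcafee.com", "ca.com", "www.ca.com", "networkassociates.com",
    "www.networkassociates.com", "avp.com", "www.kaspersky.com", "www.avp.com", "kaspersky.com",
    "www.f-secure.com", "f-secure.com", "viruslist.com", "www.viruslist.com",
    "liveupdate.symantecliveupdate.com", "mcafee.com", "www.mcafee.com", "sophos.com",
    "www.sophos.com", "symantec.com", "securityresponse.symantec.com", "www.symantec.com",
})
# Any of these as the address makes the name unreachable from the host.
LOOPBACK = frozenset({"127.0.0.1", "::1", "0.0.0.0"})

# The two Run keys named in the Symptoms section.
RUN_KEY_PATHS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments and blanks.
    A hosts line may carry several names after one address; each is returned separately."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                            # blank, comment-only or malformed line
        address, names = fields[0], fields[1:]
        pairs.extend((address, name.lower()) for name in names)
    return pairs


def suspicious_hosts_entries(text: str) -> List[str]:
    """Names from the worm's redirect list that the hosts text maps to a loopback address."""
    flagged = {
        name for address, name in parse_hosts(text)
        if address in LOOPBACK and name in REDIRECTED_NAMES
    }
    return sorted(flagged)


def executable_path(command: str) -> str:
    """Extract the executable path from a Run-value command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_run_values(run_values: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """run_values maps a Run key path to {value name: command line}.
    Flags the value name the description gives, and any svchost.exe started from a
    directory other than System32 (the worm's copy sits directly in C:\\windows)."""
    flagged: List[Tuple[str, str, str]] = []
    for key, values in run_values.items():
        for name, command in values.items():
            exe = executable_path(command).lower()
            if name.lower() == "windows services host":
                flagged.append((key, name, command))
            elif exe.endswith("svchost.exe") and "\\system32\\" not in exe:
                flagged.append((key, name, command))
    return flagged


# Constructed sample hosts-file text modelled on the description (not a real capture).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantec.com   # several names per line are legal
10.0.0.5 intranet.example.test
"""

# Constructed Run values: one entry matching the description, one benign placeholder.
SAMPLE_RUN_VALUES = {
    RUN_KEY_PATHS[0]: {"Windows Services Host": r"C:\windows\svchost.exe"},
    RUN_KEY_PATHS[1]: {"ExampleTool": r'"C:\Program Files\Example\tool.exe" /tray'},
}

if __name__ == "__main__":
    for name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} to loopback")
    for key, value_name, command in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(f"{key} -> {value_name} = {command}")
```

On a live Windows system the hosts text comes from %SystemRoot%\System32\drivers\etc\hosts and the Run values from the two keys above; the point of keeping the checks pure is that the same functions work on a forensic copy of the file or an exported hive. Restoring the hosts file (normally just the localhost line) is what lets the machine reach the vendor update sites again, as the AVERT note on the 4327 DAT files implies.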
The worm also drops a file C:\cyclone.txt containing the following information:
Method of Infection
This worm sends itself using its own SMTP engine to the users listed in the Microsoft Address Book. It also harvests email addresses from files with the following extensions: [.DBX .MBX .WAB .HTML .EML .HTM .ASP .SHTML .TXT].
The worm guesses the recipient's mail server by prepending the following strings to the target domain name:
- mx.
- mx1
- mail.
- smtp.
- gate
- mail1.
- relay.
- ns.
It avoids addresses containing the following strings:
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.