W32/Cone.f@MM

Type: Virus
SubType: E-mail
Discovery Date: 03/22/2004
Length: 78,138 bytes
Minimum DAT: 4342 (03/24/2004)
Updated DAT: 4626 (11/11/2005)
Minimum Engine: 5.1.00
Description Added: 03/25/2004
Description Modified: 03/25/2004 1:05 PM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

This threat is considered to be a Low-Profiled risk due to media attention:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci956740,00.html

At the time of this writing, AVERT has not received any field samples of this threat.

This is a mass-mailing worm that also attempts to bring down the www.irna.com website.

Emailing Component
The worm sends itself out as a base64-encoded attachment. The message contains the following information:

From: (spoofed name, may contain the following)

  • antivirus
  • management
  • admininstration
  • virus-detection
  • AV
  • support
  • staff

Subject: (one of the following)

  • your help file attached
  • W32.Mydoom.H in your mail
  • Your computer is probably infected by W32.Mydoom.H
  • Norton Antivirus detected W32.Mydoom.H in your mail
  • Large amount of W32.Mydoom.H outgoing from your email
  • Virus detected in your mail
  • Your computer is infected by W32.Mydoom.H
  • Your computer is probably infected
  • Your message was infected by Mydoom
  • I found a virus in your message
  • I recieved a message from you containing Mydoom
  • Mydoom.H in attachment of your message

Body (one of the following):

  • your help file attached
  • Hi, The attachment is a virus. I write it to say: we don't want Islamic Republic in IRAN! I'm realy realy sorry, I'm damaging the computers that I don't want to damage!!!! I choose to help a nation to be free with cost of some computer infections!!! Do you choose this if you must choose one? all of the other ways closed, no one listen to us!!!! please support me, open the virus and let it spread, it does not have any damage, just your internet connection may become some slow! for more info search "W32.Cone.E".
  • Dear users of %domain% ,
    Our antivirus software has detected a large amount of viruses outgoing from your email account (%email address% ), you may use our removal instruction to clean up your computer software.
  • Dear users of %domain% ,
    Norton Antivirus has detected about %random number% e-mail(s) infected by W32.Mydoom.H outgoing from your mail account(%email address% ). W32.Mydoom.H is a category 4 virus and Norton Antivirus 2004 is updated automatically for removal instructions of cat 4 and 5 viruses, and then send them for infected computers to prevent more infections. your computer is infected by mydoom.H, because i recieved more than 20 messages containing mydoom.H from you i attached help file of removal instructions of this virus, please cleanup your computer, before connecting to internet!
  • hey, i'm tired of deleting emails infected by Mydoom.H from you, i attached the symantec removal instructions help file for Mydoom.H please cleanup your computer, or do not connect to internet.
  • Cleanup your computer, i have recieved more than 20 message infected by Mydoom.H from you, i attached the symantec removal instructions help file for W32.Mydoom.H
  • hi, i have recieved an email from you infected by W32.Mydoom.H, the attached file is a help file (.chm) containing removal instructions of Mydoom.H, i have downloaded it from www.symantec.com. to check to see if your computer has been infected by Mydoom.H refer to "Check for presence of W32.Mydoom.H" in the help file.
    best wishes,
  • ----- Original Message -----
    From:
    To:
    Sent: Sunday, March 14, 2004 11:53 AM
    > Details are in the attached document.
    >
  • ----- Original Message -----
    From:
    To:
    Sent: Sunday, March 14, 2004 11:53 AM
    > Details are in the attached document.
    >
  • The attached file is a help file containing the removal instruction of W32.Mydoom.H. (This is an automatic virus detection mail created by Symantec Norton Antivirus 2004 for more info about Norton Antivirus 2004 visit www.symantec.com) Norton Antivirus 2004 Enterprise Edition

Attachment (varies and may be in *.zip archive file):

  • pchealth.exe
  • %random name% .chm
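The sender names, subject lines and attachment names above are enough to write a mail-gateway check for this lure. The following is an added example (not McAfee/AVERT code): it takes a message's From display name, subject and attachment names, reports which of the listed indicators matched, and classifies the message. The `Message` class, the verdict names and the sample messages are constructed here for illustration; the strings themselves are the ones in the description.

```python
"""Flag inbound mail that matches the W32/Cone.f@MM lure described above.

Added example, not McAfee/AVERT code. The subject lines, spoofed sender
fragments and attachment names are the ones listed in the description; the
Message class and the sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Sender display-name fragments the worm is described as spoofing. Matched as
# whole words so that "av" does not fire on names such as "Dave".
SPOOFED_FROM_RE = re.compile(
    r"\b(antivirus|management|admininstration|virus-detection|av|support|staff)\b",
    re.IGNORECASE,
)

# Subject lines from the description, compared case-insensitively after trimming.
LURE_SUBJECTS = {
    "your help file attached",
    "w32.mydoom.h in your mail",
    "your computer is probably infected by w32.mydoom.h",
    "norton antivirus detected w32.mydoom.h in your mail",
    "large amount of w32.mydoom.h outgoing from your email",
    "virus detected in your mail",
    "your computer is infected by w32.mydoom.h",
    "your computer is probably infected",
    "your message was infected by mydoom",
    "i found a virus in your message",
    "i recieved a message from you containing mydoom",
    "mydoom.h in attachment of your message",
}

# Attachment: pchealth.exe, any .chm, or a .zip that may wrap either of them.
ATTACHMENT_RE = re.compile(r"(^pchealth\.exe$|\.chm$|\.zip$)", re.IGNORECASE)


@dataclass
class Message:
    from_name: str                      # display name of the From: header
    subject: str
    attachments: List[str] = field(default_factory=list)


def lure_indicators(msg: Message) -> List[str]:
    """Return the indicators that matched, in a fixed order; empty = none."""
    hits = []
    if msg.subject.strip().lower() in LURE_SUBJECTS:
        hits.append("subject")
    if SPOOFED_FROM_RE.search(msg.from_name):
        hits.append("from")
    if any(ATTACHMENT_RE.search(name.strip()) for name in msg.attachments):
        hits.append("attachment")
    return hits


def classify(msg: Message) -> str:
    """block: listed subject plus a matching attachment (the worm's own lure);
    review: any other indicator; clean: nothing matched."""
    hits = lure_indicators(msg)
    if "subject" in hits and "attachment" in hits:
        return "block"
    return "review" if hits else "clean"


# Constructed sample messages (not real captures).
SAMPLES = [
    Message("Norton Antivirus Support", "Virus detected in your mail", ["pchealth.zip"]),
    Message("IT Support", "Quarterly figures", ["figures.zip"]),
    Message("Dave Brown", "Lunch on Friday?", ["agenda.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{classify(m):6s} {m.from_name!r} / {m.subject!r} {lure_indicators(m)}")
```

The subject-plus-attachment rule is deliberately strict: a listed subject on its own could be a genuine user forwarding a warning, while a matching subject carrying a .chm, .zip or pchealth.exe attachment is exactly the message the worm builds. A sender name such as "IT Support" with a .zip only earns "review" because those are common in legitimate mail.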

Kazaa Propagation
The worm retrieves the location of the Kazaa download directory from the registry key:

  • HKEY_LOCAL_MACHINE\Software\Kazaa\LocalContent "DownloadDir"

It then copies itself to the /Recieved folder under that directory using the following filenames:

  • Hacking Exposed Network Security Secrets-chapt%number% .chm
  • 401 guitar tabs.chm
  • How_to_crack_Win_XP_activation.chm
  • Credit card numbers.chm
  • adult check passwords.chm
  • (ebook chm) Teach Yourself C++ In 14 Days.chm
  • eBook-OReilly-Learning the UNIX Operating System.chm
  • Hacker's Guide.chm

Symptoms

When run, the worm displays a window.

The worm drops several DLLs in the %SYSDIR% directory. Some of these DLLs are 0 bytes; others contain the virus body or data captured from the infected system (such as harvested email addresses):

  • 02check.dll
  • 02eml.dll
  • 02seml.dll
  • 02url.dll
  • 02vis.dll

A file named file.dll may also be created in the %TEMP% directory.

The following registry values are created to run the worm at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System Host Service" = C:\windows\svchost.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System Host Service" = C:\windows\svchost.exe

The worm copies itself to STARTUP folders, such as:

  • c:\Documents and Settings\All Users\Start Menu\Programs\Startup\WebCheck.pif
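The Run values, dropped DLLs, startup-folder copy and Kazaa share names listed under Symptoms and Kazaa Propagation make a compact host check. The following is an added example (not McAfee/AVERT code) that matches a snapshot of a host against those artifacts. The snapshot layout (`run_values`, `sysdir_files`, `temp_files`, `startup_files`, `kazaa_files`) and the sample snapshots are constructed here so the check runs offline; `collect_windows_snapshot()` fills the same layout on a live Windows host using winreg and os, and the directory paths it uses (system32 under SystemRoot, the TEMP variable, the All Users Startup folder) are assumptions about a typical XP-era layout.

```python
"""Check a host snapshot for the W32/Cone.f@MM artifacts listed under
Symptoms and Kazaa Propagation. Added example, not McAfee/AVERT code."""
import os
import sys
from typing import Dict, List

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "system host service"
# The worm points the Run value at C:\windows\svchost.exe. The genuine
# svchost.exe lives under %SYSDIR%, so one directly in the Windows folder is
# suspicious on its own, whatever the value is called.
RUN_VALUE_DATA = r"\windows\svchost.exe"

DROPPED_DLLS = {"02check.dll", "02eml.dll", "02seml.dll", "02url.dll", "02vis.dll"}
TEMP_DLL = "file.dll"                 # "may also be created" per the description
STARTUP_FILE = "webcheck.pif"
KAZAA_NAMES = {
    "401 guitar tabs.chm", "how_to_crack_win_xp_activation.chm",
    "credit card numbers.chm", "adult check passwords.chm",
    "(ebook chm) teach yourself c++ in 14 days.chm",
    "ebook-oreilly-learning the unix operating system.chm", "hacker's guide.chm",
}
KAZAA_CHAPTER_PREFIX = "hacking exposed network security secrets-chapt"  # %number% .chm follows


def find_indicators(snap: Dict[str, object]) -> List[str]:
    """Return one finding per matched artifact; an empty list means nothing matched."""
    found: List[str] = []
    for hive, values in snap["run_values"].items():          # hive -> {value name: data}
        for name, data in values.items():
            if name.lower() == RUN_VALUE_NAME or data.lower().endswith(RUN_VALUE_DATA):
                found.append(f"run value {hive}: {name} = {data}")
    for f in snap["sysdir_files"]:
        if f.lower() in DROPPED_DLLS:
            found.append(f"dropped DLL in %SYSDIR%: {f}")
    for f in snap["temp_files"]:
        if f.lower() == TEMP_DLL:
            found.append(f"possible dropped file in %TEMP%: {f}")
    for f in snap["startup_files"]:
        if f.lower() == STARTUP_FILE:
            found.append(f"startup-folder copy: {f}")
    for f in snap["kazaa_files"]:
        lf = f.lower()
        if lf in KAZAA_NAMES or (lf.startswith(KAZAA_CHAPTER_PREFIX) and lf.endswith(".chm")):
            found.append(f"Kazaa share copy: {f}")
    return found


def _listdir(path: str) -> List[str]:
    try:
        return os.listdir(path)
    except OSError:
        return []


def collect_windows_snapshot() -> Dict[str, object]:
    """Fill the snapshot layout from a live Windows host (empty layout elsewhere)."""
    snap: Dict[str, object] = {"run_values": {}, "sysdir_files": [], "temp_files": [],
                               "startup_files": [], "kazaa_files": []}
    if sys.platform != "win32":
        return snap
    import winreg
    for label, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        vals: Dict[str, str] = {}
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):   # [1] = number of values
                    name, data, _ = winreg.EnumValue(key, i)
                    vals[name] = str(data)
        except OSError:
            pass
        snap["run_values"][label] = vals
    try:  # Kazaa download directory, from the key named in the description
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Kazaa\LocalContent") as key:
            kazaa_dir = winreg.QueryValueEx(key, "DownloadDir")[0]
    except OSError:
        kazaa_dir = ""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    snap["sysdir_files"] = _listdir(os.path.join(windir, "system32"))
    snap["temp_files"] = _listdir(os.environ.get("TEMP", ""))
    snap["startup_files"] = _listdir(os.path.join(os.environ.get("ALLUSERSPROFILE", ""),
                                                  r"Start Menu\Programs\Startup"))
    snap["kazaa_files"] = _listdir(os.path.join(kazaa_dir, "Recieved")) if kazaa_dir else []
    return snap


# Constructed snapshots (not real captures): one infected host, one clean host.
INFECTED = {
    "run_values": {"HKCU": {"System Host Service": r"C:\windows\svchost.exe",
                            "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}, "HKLM": {}},
    "sysdir_files": ["kernel32.dll", "02check.dll", "02eml.dll"],
    "temp_files": ["file.dll", "~tmp1.tmp"],
    "startup_files": ["desktop.ini", "WebCheck.pif"],
    "kazaa_files": ["song.mp3", "401 guitar tabs.chm",
                    "Hacking Exposed Network Security Secrets-chapt3.chm"],
}
CLEAN = {"run_values": {"HKCU": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}, "HKLM": {}},
         "sysdir_files": ["kernel32.dll"], "temp_files": [], "startup_files": ["desktop.ini"],
         "kazaa_files": []}

if __name__ == "__main__":
    for line in find_indicators(INFECTED):
        print(line)
```

Running it on the infected sample lists seven findings and nothing for the clean one. The file.dll match is reported separately because the description only says it may be created; treat it as corroboration, not as a standalone indicator.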

The worm also drops a file The-Power-Of-Cycl one.htm in the WINDOWS directory containing the following information:

Method of Infection

This worm sends itself using its own SMTP engine to addresses in the Microsoft Address Book. It also harvests email addresses from files with the following extensions: [.DBX .MBX .WAB .HTML .EML .HTM .ASP .SHTML .TXT].

The worm guesses the recipient's mail server by prepending the following strings to the target domain name:

  • mx.
  • mx1
  • mail.
  • smtp.
  • gate
  • mail1.
  • relay.
  • ns.

It avoids addresses containing the following strings:

  • avp
  • syma
  • icrosof
  • msn.
  • hotmail.
  • panda
  • sopho
  • borlan
  • inpris
  • example
  • mydomai
  • nodomai
  • ruslis
  • .gov
  • gov.
  • .mil
  • foo.
  • berkeley
  • unix
  • math
  • bsd
  • mit.e
  • gnu
  • fsf.
  • ibm.com
  • google
  • kernel
  • linux
  • fido
  • usenet
  • iana
  • ietf
  • rfc-ed
  • sendmail
  • arin.
  • ripe.
  • isi.e
  • isc.o
  • secur
  • acketst
  • pgp
  • tanford.e
  • utgers.ed
  • mozilla
  • trend
  • bug
  • @mm
  • .html
  • .edu
  • spam
  • viru
  • listserv
  • remove
  • fbi
  • f-pro
  • itdefender
  • abuse
  • root
  • info
  • samples
  • postmaster
  • webmaster
  • noone
  • nobody
  • nothing
  • anyone
  • someone
  • bugs
  • rating
  • site
  • contact
  • soft
  • no
  • somebody
  • privacy
  • service
  • help
  • not
  • submit
  • feste
  • ca
  • gold-certs
  • the.bat
  • abuse
  • discuss
  • name
  • you
  • owner
  • mailer-daemon
  • admin
  • feedback
  • email
  • me
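Because the worm delivers mail itself, guessing names such as mx., mail. and smtp. for each recipient domain instead of doing a single MX lookup, an internal host running it produces a distinctive pattern in the resolver log: several of those prefixed names queried for the same domain within moments. The following is an added example (not McAfee/AVERT code) that reads query-log lines and reports clients showing that pattern. The prefix list is the one above; the log line format, the sample lines and the threshold `PREFIXES_PER_DOMAIN` are constructed or assumed here and should be adapted to the resolver in use.

```python
"""Spot hosts probing guessed mail-server names (mx., mail., smtp., ...) the
way the worm does when it delivers directly to a recipient's domain.
Added example, not McAfee/AVERT code."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

GUESS_PREFIXES = ("mx.", "mx1", "mail.", "smtp.", "gate", "mail1.", "relay.", "ns.")
# A normal MTA asks for the MX record once; three or more guessed hostnames for
# one domain from one client is the worm's pattern. Assumed threshold; tune it.
PREFIXES_PER_DOMAIN = 3

# Constructed log format: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_RE = re.compile(r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def split_guess(qname: str) -> Optional[Tuple[str, str]]:
    """Return (prefix, base_domain) if qname starts with one of the worm's prefixes."""
    q = qname.lower().rstrip(".")
    for prefix in GUESS_PREFIXES:
        if q.startswith(prefix):
            base = q[len(prefix):].lstrip(".")
            if base:
                return prefix, base
    return None


def detect_mx_guessing(lines: List[str]) -> Dict[str, List[str]]:
    """Map each client IP to the sorted domains it tried >= PREFIXES_PER_DOMAIN guesses for."""
    tried: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                     # not a query line; ignore
        guess = split_guess(m.group("qname"))
        if guess:
            prefix, base = guess
            tried[m.group("src")][base].add(prefix)
    flagged: Dict[str, List[str]] = {}
    for src, domains in tried.items():
        hits = sorted(d for d, prefixes in domains.items() if len(prefixes) >= PREFIXES_PER_DOMAIN)
        if hits:
            flagged[src] = hits
    return flagged


# Constructed sample log (not a real capture): 10.0.0.5 behaves like the worm,
# 10.0.0.9 is an ordinary client doing one MX lookup and a web lookup.
SAMPLE_LOG = """\
22-Mar-2004 10:00:01.101 client 10.0.0.5#1034: query: mx.example.com IN A
22-Mar-2004 10:00:01.102 client 10.0.0.5#1035: query: mail.example.com IN A
22-Mar-2004 10:00:01.104 client 10.0.0.5#1036: query: smtp.example.com IN A
22-Mar-2004 10:00:01.105 client 10.0.0.5#1037: query: relay.example.com IN A
22-Mar-2004 10:00:02.210 client 10.0.0.5#1038: query: mx.example.org IN A
22-Mar-2004 10:00:02.211 client 10.0.0.5#1039: query: mail.example.org IN A
22-Mar-2004 10:00:02.212 client 10.0.0.5#1040: query: smtp.example.org IN A
22-Mar-2004 10:00:03.000 client 10.0.0.9#2001: query: mail.corp.example IN A
22-Mar-2004 10:00:03.500 client 10.0.0.9#2002: query: example.com IN MX
22-Mar-2004 10:00:04.000 client 10.0.0.9#2003: query: www.example.com IN A
""".splitlines()

if __name__ == "__main__":
    for src, domains in detect_mx_guessing(SAMPLE_LOG).items():
        print(f"{src}: guessed mail-server names for {', '.join(domains)}")
```

Only 10.0.0.5 is reported, for both example.com and example.org; the single mail.corp.example query from 10.0.0.9 never reaches the threshold. The same per-client, per-domain grouping works on firewall logs of outbound port 25 connections, since a workstation that should relay through the corporate MTA has no reason to contact guessed hosts at all. The avoid list above is also worth noting from the monitoring side: addresses containing strings such as abuse, postmaster or spam are never targeted, so spam-trap mailboxes meant to catch this worm must not carry those words.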

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Cone.f (AVP)
  • W32/Cone-F (Sophos)
  • W32/Cone.E.worm (Panda)
  • W32/Cone.G (F-Prot)
