Summary
| Protection available since | 28 September 2003 09:46:52 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Colevo-A is an email worm that sends itself to the infected user's MSN Messenger contacts. The email has the following characteristics:
Subject line: El fin se puede hackear a hotmail!!
(Spanish; roughly "At last Hotmail can be hacked!!")
Message text: Oye te ? paso el programa para entrar a cuentas del messenger. y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya?
Respondeme que tal te parecio, chau
(Spanish; roughly "Hey, I'm passing you the program to get into Messenger accounts. I'll just tell you the easy way by word of mouth; promise me you won't pass it on to anyone, ok? Reply and tell me what you thought, bye")
Attached file: hotmailpass.exe
W32/Colevo-A copies itself to the following files:
<Windows>\command.exe
<Windows>\Hot Girl.scr
<Windows>\hotmailpass.exe
<Windows>\Inf.exe
<Windows>\Internet download .exe
<Windows>\Internet File.exe
<Windows>\Part Hard Disk.exe
<Windows>\Shell.exe
<Windows>\system.exe
<Windows>\System32.exe
<Windows>\System64.pif
<Windows>\Temp.exe
<Windows>\All User\Server.exe
<Windows>\system32\command.com
<Windows>\system32\net.com
<Windows>\system32\www.microsoft.com
<Windows>\system32\Inf.exe
<Windows>\menu inicio\programas\inicio\www.microsoft\com
<Recycled>\Evo Morales.scr
W32/Colevo-A will make the following registry changes:
HKCR\htafile\shell\open\command\(Default) = "C:\Windows\commands.exe", "%1 %*"
HKCR\exefile\shell\open\command\(Default) = "C:\Windows\command.exe", "%1 %*"
HKCR\comfile\shell\open\command\(Default) = "C:\Windows\Inf.exe", "%1 %*"
HKCR\batfile\shell\open\command\(Default) = "C:\Windows\temp.exe", "%1 %*"
HKCR\piffile\shell\open\command\(Default) = "C:\Windows\commands.exe", "%1 %*"
HKCR\exefile\NeverShowExt
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System = C:\Windows\system.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\System = C:\Windows\temp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System = C:\Windows\commands.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System = C:\Windows\system.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\System = C:\Windows\system.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\System = C:\Windows\temp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\System = C:\Windows\system.exe
The following lines will be prepended to win.ini:
[windows]
load=archivo.exe
run=archivo.exe
####Viva el EVO, y jamas erradicaran la Coca Cola!!! mentira colla maldito!! (PYN Pablo_Hack@hotmail.com)####
The following lines will be prepended to system.ini:
[boot]
Shell=explorer.exe temp.exe
The file winstart.bat will be created and will contain the single line "null=c:\windows\system.exe".
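The indicators above (dropped files, hijacked shell\open\command associations, the NeverShowExt value, Run/RunServices entries and the win.ini, system.ini and winstart.bat edits) can be checked on a suspect host with a read-only triage script. The script below is an added example, not a Sophos tool and not part of the original analysis; it assumes $env:windir stands for <Windows> and C:\Recycled for <Recycled>, and it only reports what it finds, leaving clean-up to the removal instructions.

```powershell
function Get-ColevoIndicators {
    # Returns a list of human-readable findings; an empty list means none of the
    # listed W32/Colevo-A indicators were found. Read-only: nothing is changed.
    $findings = New-Object System.Collections.Generic.List[string]
    $win = $env:windir   # assumed to stand for <Windows> in the write-up

    # Files the worm drops. C:\Recycled for <Recycled> is an assumption; the
    # write-up does not name the drive.
    $dropped = @(
        'command.exe', 'Hot Girl.scr', 'hotmailpass.exe', 'Inf.exe',
        'Internet download .exe', 'Internet File.exe', 'Part Hard Disk.exe',
        'Shell.exe', 'system.exe', 'System32.exe', 'System64.pif', 'Temp.exe',
        'All User\Server.exe', 'system32\command.com', 'system32\net.com',
        'system32\www.microsoft.com', 'system32\Inf.exe',
        'menu inicio\programas\inicio\www.microsoft\com'
    ) | ForEach-Object { Join-Path $win $_ }
    $dropped += 'C:\Recycled\Evo Morales.scr'
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f) { $findings.Add("Dropped file present: $f") }
    }

    # File-association hijack: the default shell\open\command for these types is
    # redirected through one of the worm's loaders, so every launch of an .hta,
    # .exe, .com, .bat or .pif file re-runs the worm first. Match the loader
    # names the write-up lists (-match is case-insensitive in PowerShell).
    $loaderPattern = '\\(commands?|inf|temp|system)\.exe'
    foreach ($type in 'htafile', 'exefile', 'comfile', 'batfile', 'piffile') {
        $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match $loaderPattern) {
            $findings.Add("Hijacked association ${type}: $cmd")
        }
    }

    # NeverShowExt on exefile makes Explorer hide the .exe extension, so a
    # dropped executable displays without it. A clean exefile key lacks it.
    $exefile = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile' -ErrorAction SilentlyContinue
    if ($exefile -and ($exefile.PSObject.Properties.Name -contains 'NeverShowExt')) {
        $findings.Add('HKCR\exefile\NeverShowExt is present')
    }

    # Autostart values named "System" under the Run/RunServices keys the worm writes.
    # RunServices/RunServicesOnce only exist on Windows 9x/Me; missing keys are skipped.
    $runBase = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
    foreach ($sub in 'Run', 'Run\1\2\3\4', 'RunServices', 'RunServicesOnce') {
        $v = (Get-ItemProperty -Path "$runBase\$sub" -Name System -ErrorAction SilentlyContinue).System
        if ($v) { $findings.Add("Autostart ${sub}\System = $v") }
    }

    # Legacy startup files in the Windows directory. They may exist on modern
    # Windows too, but must not reference the worm's binaries.
    $iniChecks = @{
        'win.ini'      = '^(load|run)=.*archivo\.exe'
        'system.ini'   = '^Shell=explorer\.exe\s+temp\.exe'
        'winstart.bat' = 'system\.exe'
    }
    foreach ($name in $iniChecks.Keys) {
        $p = Join-Path $win $name
        if (Test-Path -LiteralPath $p) {
            $hits = Get-Content -LiteralPath $p | Where-Object { $_ -match $iniChecks[$name] }
            foreach ($h in $hits) { $findings.Add("${name}: $h") }
        }
    }
    return ,$findings
}

$result = Get-ColevoIndicators
if ($result.Count -eq 0) { 'No W32/Colevo-A indicators found.' } else { $result }
```

Run it from an elevated PowerShell prompt so the HKLM and HKCR reads succeed. The association check matches on the loader file names rather than on an exact expected command, because the clean default for htafile is a full mshta.exe command line that varies between Windows versions; a hit there means the association should be compared against a known-good machine before the worm's files are removed.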
W32/Colevo-A runs in the background as a backdoor server allowing unauthorised access to the victim's computer.
W32/Colevo-A continually opens the user's web browser to any of the following pages:
http://jeremybigwood.net/Bolivia/images/Bolivia.Sept.2K.000.jpg
http://news.bbc.co.uk/olmedia/775000/images/_778100_morales150.jpg
http://www.commondreams.org/headlines/images/100700-01.jpg
http://www.ni.laprensa.com.ni/archivo/2002/julio/09/elmundo/elmundo-20020709-01.jpg
http://www.soc.uu.se/mapuche/indgen/puntofinal020822.jpg
http://www.cannabisculture.com/library/images/images/uploads/2409-Evo-morales-speaking.jpg
http://www.chilevive.cl/news/img/evom.jpg
http://membres.lycos.fr/asocamerlat/evo%20morales_bolivia2.gif
http://news.bbc.co.uk/media/images/38128000/jpg/_38128025_020710bolivia300b.jpg
All the links above contain clean image files.
