Sophos

W32/Coronex-A

Aliases
  • I-Worm.Coronex.a
  • W32/Coronex.worm
  • Win32/Sars.A
  • W32.Coronex@mm
  • WORM_CORONEX.A

Summary

 
Included in our products from June 2003 (3.70)
Protection available since 28 September 2003 09:46:39 (GMT)
Detected by All Sophos products

More Information

SARS Virus, corona virus

W32/Coronex-A is an internet worm which emails itself to every contact in the Windows address book.

The email characteristics vary depending upon the current day of the week, as follows:

Sender address: sars@hotmail.com
Subject line: Severe Acute Respiratory Syndrome
Attached file: sars.exe

Sender address: sars2@hotmail.com
Subject line: I need your help
Message text: Severe Acute Respiratory Syndrome
Attached file: corona.exe

Sender address: corona@hotmail.com
Subject line: Virus Alert!
Message text: SARS Virus
Attached file: virus.exe

Sender address: virus@yahoo.com
Subject line: Corona Virus
Message text: honk kong
Attached file: hongkong.exe

Sender address: deaths@china.com
Subject line: deaths virus
Attached file: deaths.exe

Sender address: virus@china.com
Subject line: SEE Ya
Attached file: sars2.exe

Sender address: virus2@china.com
Subject line: SARS Virus
Message text: SARS Corona Virus
Attached file: cv.exe
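
As an added example (not Sophos code), a mail-gateway style check in Python that compares a message's sender, subject and attachment name against the seven combinations listed above. The function name `coronex_match` and the two-field threshold are assumptions made for illustration, and the sample message is constructed.

```python
import email
from email.utils import parseaddr

# (sender, subject, attachment) triples copied from the description above.
PROFILES = [
    ("sars@hotmail.com", "Severe Acute Respiratory Syndrome", "sars.exe"),
    ("sars2@hotmail.com", "I need your help", "corona.exe"),
    ("corona@hotmail.com", "Virus Alert!", "virus.exe"),
    ("virus@yahoo.com", "Corona Virus", "hongkong.exe"),
    ("deaths@china.com", "deaths virus", "deaths.exe"),
    ("virus@china.com", "SEE Ya", "sars2.exe"),
    ("virus2@china.com", "SARS Virus", "cv.exe"),
]

def coronex_match(raw_message, min_fields=2):
    """Attachment names of profiles matching >= min_fields fields (assumed threshold)."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    subject = " ".join(msg.get("Subject", "").split()).lower()
    # Attachment names from every MIME part that declares a filename.
    files = {p.get_filename().lower() for p in msg.walk() if p.get_filename()}
    hits = []
    for p_sender, p_subject, p_file in PROFILES:
        score = (sender == p_sender) + (subject == p_subject.lower()) + (p_file in files)
        if score >= min_fields:
            hits.append(p_file)
    return hits

# Constructed sample message (not a captured one); the attachment body is a placeholder.
SAMPLE = """\
From: "SARS" <SARS2@hotmail.com>
Subject: I need your help
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Severe Acute Respiratory Syndrome
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Corona.exe"

placeholder
--b1--
"""

if __name__ == "__main__":
    print(coronex_match(SAMPLE))
```

Requiring two agreeing fields keeps a legitimate message that merely has a subject such as "Corona Virus" from being flagged on its own.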

When first run, the worm displays a message box with the text "SARS Virus, corona virus", copies itself to the Windows folder as Corona.exe and creates the following registry entry so that corona.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PC-Config32
= %WINDOWS%\corona.exe -A

The worm copies itself to the C:\My Downloads folder using one of the 24 filenames listed below, depending upon the current hour of the day:

Age Of Mythology.exe
Battlefield 1942 (full).exe
Black Hawk Down (full).exe
Command & Conquer: Generals.exe
Cossacks Full Version.exe
Dark Age of Camelot.exe
Doom 3.exe
Grand Theft Auto 3 (full).exe
Jedi Knight II.exe
Master Of Orion 3.exe
Medel Of Honor: Allied Assault.exe
Oni full.exe
Quake 3 Full Version.exe
Rainbow 6 Full.exe
Return to Castle Wolfenstien (Full).exe
Starcraft full.exe
The Lord of the Rings.exe
The Sims: Unleashed.exe
Tribes 2 (full).exe
Ultima Online.exe
Unreal 2: The Awakening (full).exe
Unreal.exe
Warcraft III Full.exe
White and Black.exe

When run with a -A command line switch (i.e. on startup), the worm runs continuously in the background and emails itself when the time is 1 minute past any hour.

The worm also changes the start page for Microsoft Internet Explorer by setting the registry entry:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
= http://www.who.int/csr/don/2003_04_19/en
