TCH-Dick Posted March 13, 2004

Coneheads - WORM_CONE.C (Low Risk)
------------------------------------------------------------------------

WORM_CONE.C is a non-destructive worm that arrives as a .zip attachment to an email message. This worm also propagates via Kazaa peer-to-peer file sharing, by dropping a copy of itself in the shared directory of Kazaa. Its payload overwrites the HOSTS file of the infected system, and therefore prevents the user of the infected system from accessing certain Web sites typically related to security and antivirus information. This malware runs on Windows NT and 2000.

WORM_CONE.C arrives as a .zip attachment to an email message, with one of the following 16 possible subject lines:

MAILER-DAEMON@%s
How cute is your credit card number!! )
E-mail account disabling warning for %s
RE: %s
i have your password
RE: Thank You!
RE: details (%s)
Password Reset For %s
Undelivered Mail Returned to Sender (%s)
about you
Your account (%s) will be closed
Your IP has been logged
Mail Delivery System (%s)
Mail Transaction Failed (%s)
IMPORTANT %s!
Confidential user information!

It then drops 6 .DLL files in the Windows/System32 directory, and creates registry entries that allow it to automatically execute at every Windows startup. It also drops a copy of itself using the filename WEBCHECK.PIF in the following folders:

Winnt\Profiles\All Users\Start menu\Programs\Startup\
WinME\Start Menu\Programs\Startup\
Win98\Start Menu\Programs\Startup\
Windows\Start Menu\Programs\Startup\
Documents and settings\All Users\Start Menu\Programs\Startup\

To propagate via Kazaa, it drops a copy of itself in the Kazaa shared directory, using any of the following file names:

Strip Girls-part%d.scr
Sky lopez - Screensaver.scr
Playboy Screensaver Dec 2003.scr

This worm overwrites the HOSTS file found in the directory "%System%\drivers\etc" (where %System% is C:\WINNT\System32 on Windows NT and 2000).
This action redirects the connection to the listed site, back to the local host or the infected system, thus denying the infected system access to the following Web sites (the security and antivirus vendor sites listed in the advisory):
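The HOSTS-file hijack described above is straightforward to check for on a suspect machine. The following is an added example, not code from the original post or from any vendor advisory: it parses HOSTS-file text and reports entries that pin security-vendor domains to a loopback or unspecified address. The sample HOSTS content and the list of watched domain suffixes are constructed for this example.

```python
import ipaddress
import re

# Constructed sample HOSTS file: legitimate entries mixed with vendor sites pinned
# to black-hole addresses, the way a HOSTS-overwriting worm leaves them.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    fileserver.corp.example   # legitimate internal entry
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
127.0.0.1 update.symantec.com liveupdate.symantec.com
0.0.0.0         www.mcafee.com
"""

# Domains a defender expects to resolve normally (assumed list for this example).
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com", "sophos.com",
                    "trendmicro.com", "microsoft.com")

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()

def is_blackholed(ip):
    """True if traffic to this address goes nowhere useful (loopback or unspecified)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def is_watched(name, suffixes=WATCHED_SUFFIXES):
    """Exact or subdomain match, so 'notsymantec.com' does not match 'symantec.com'."""
    return any(name == s or name.endswith("." + s) for s in suffixes)

def find_hijacked_entries(text, suffixes=WATCHED_SUFFIXES):
    """Return [(ip, hostname)] for watched domains pinned to a black-hole address."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name != "localhost" and is_blackholed(ip) and is_watched(name, suffixes)]

if __name__ == "__main__":
    for ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {ip}")
```

On a live Windows NT/2000 host the file to read is %System%\drivers\etc\hosts; a clean file normally contains nothing but the localhost line.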