Alias: WORM_COLEVO.A [Trend], W32/Colevo@MM [McAfee], I-Worm.Colevo [KAV]
Type: Worm
Size: 188,928 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version:
Danger: Low
Distribution: High

Distribution
It finds the MSN Messenger Contacts list and uses the email addresses to spread itself. The email it sends looks as below:

Subject: El adelanto de matrix ta gueno

Body: Oye te ? paso el programa para entrar a cuentas del messenger Z y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya? u Respondeme que tal te parecio. chau

Attachment: hotmailpass.exe

Technical Details
When activated, Worm/Colevo copies itself as:
C:\%WinDIR%\All Users.exe
C:\%WinDIR%\Command.exe
C:\%WinDIR%\Hot Girl.scr
C:\%WinDIR%\Hotmailpass.exe
C:\%WinDIR%\Inf.exe
C:\%WinDIR%\Internet File.exe
C:\%WinDIR%\Internet download.exe
C:\%WinDIR%\Part Hard Disk.exe
C:\%WinDIR%\Shell.exe
C:\%WinDIR%\System.exe
C:\%WinDIR%\%SystemDIR%.exe
C:\%WinDIR%\%SystemDIR%.pif
C:\%WinDIR%\Temp.exe
C:\%WinDIR%\%SystemDIR%\Command.com
C:\%WinDIR%\%SystemDIR%\Inf.exe
C:\%WinDIR%\%SystemDIR%\Net.com
C:\%WinDIR%\%SystemDIR%\www.microsoft.com
C:\%WinDIR%\All User\Server.exe
C:\%WinDIR%\Menu Inicio\Programas\Inicio\www.microsoft.com
C:\Recycled\Evo Morales.scr

It enters the registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System"="c:\%WinDIR%\%SystemDIR%.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System"="c:\%WinDIR%\%SystemDIR%.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "System"="c:\%WinDIR%\commands.com"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices "System"="c:\%WinDIR%\commands.com"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce "System"="c:\%WinDIR%\temp.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce "System"="c:\%WinDIR%\temp.exe"
HKEY_LOCAL_MACHINE\Software\Classes\exefile "NeverShowExt"=""

It creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4 "System"="c:\%WinDIR%\system.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4 "System"="c:\%WinDIR%\%SystemDIR%.exe"

It changes the registry entries:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command in: @=""c:\%WinDIR%\command.exe","%1"%*"
HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command in: @=""c:\%WinDIR%\inf.exe","%1"%*"
HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command in: @=""c:\%WinDIR%\temp.exe","%1"%*"
HKEY_LOCAL_MACHINE\Software\Classes\piffile\shell\open\command in: @=""c:\%WinDIR%\commands.com","%1"%*"
HKEY_LOCAL_MACHINE\Software\Classes\htafile\shell\open\command in: @=""c:\%WinDIR%\commands.com","%1"%*"

In Win.ini, the worm enters:
[windows]
load=archivo.exe
run=archivo.exe
####Viva el EVO, y jamas erradicaran la Coca Cola!!! mentira colla maldito!! (PYN Pablo_Hack@hotmail.com)####

Then it enters in System.ini:
[boot]
Shell=explorer.exe temp.exe

It overwrites the file: C:\%WinDIR%.ini with the following line: null=c:\%WinDIR%\%SystemDIR%.exe

It eventually creates C:\Windows\Winstart.bat, containing:
c:\%windir%\Shell.exe
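The win.ini, system.ini and shell\open\command changes listed above are the entries a responder would want to check automatically on a suspect host. The Python below is an added example, not code from the Avira description; it assumes the Windows 9x-era defaults `"%1" %*` for the file-type open commands and `explorer.exe` for the boot shell, and it runs on constructed sample data modelled on the entries above.

```python
# Added example (not code from the Avira description): flags the persistence
# entries Worm/Colevo plants in win.ini, system.ini and file-association keys.

# Defaults on the Windows 9x/ME systems these entries belong to (assumption).
EXPECTED_SHELL_OPEN = '"%1" %*'
EXPECTED_BOOT_SHELL = "explorer.exe"

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank or comment line such as the worm's '####...' tag
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def check_ini_persistence(win_ini, system_ini):
    """Report win.ini [windows] load=/run= entries and any program appended
    to system.ini [boot] Shell= beyond explorer.exe."""
    findings = []
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        if windows.get(key):
            findings.append(f"win.ini [windows] {key}={windows[key]}")
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    extra = [t for t in shell.split() if t.lower() != EXPECTED_BOOT_SHELL]
    if extra:
        findings.append(f"system.ini [boot] Shell= also launches {' '.join(extra)}")
    return findings

def check_shell_open_commands(reg_values):
    """reg_values maps a ...\\shell\\open\\command key to its default value;
    anything but '"%1" %*' means a helper binary runs before every such file."""
    return {key: value for key, value in reg_values.items()
            if " ".join(value.split()) != EXPECTED_SHELL_OPEN}

# Constructed samples modelled on the entries listed in the description.
SAMPLE_WIN_INI = "[windows]\nload=archivo.exe\nrun=archivo.exe\n####tag####\n"
SAMPLE_SYSTEM_INI = "[boot]\nShell=explorer.exe temp.exe\n"
SAMPLE_REG = {
    r"HKLM\Software\Classes\exefile\shell\open\command": r'"c:\WINDOWS\command.exe" "%1" %*',
    r"HKLM\Software\Classes\batfile\shell\open\command": '"%1" %*',
}
```

Because the worm re-registers itself through the file-type open commands, removing only the Run/RunServices values leaves it re-launched the next time any .exe, .com or .bat is opened, which is why both checks belong together.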

It opens the following websites with the default browser:
http://jeremybigwood.net
http://news.bbc.co.uk
http://www.commondreams.org
http://www-ni.laprensa.com.ni
http://www.soc.uu.se
http://www.cannabisculture.com
http://www.chilevive.cl
http://membres.lycos.fr
http://www.movimientos.org
Description inserted by Crony Walker on Tuesday, 15 June 2004
