Virus Database


I-Worm.Cosol

Description I-Worm.Cosol

Cosol is a worm virus spreading via the Internet as an email attachment. This worm also has backdoor and key-spy routines.
The worm itself is a Windows PE EXE file about 355Kb in size (compressed by UPX; its decompressed size is about 675Kb), written in Delphi.
The infected messages have an attached EXE file with a name randomly selected from the following variants:
cosol.exe
mirch.exe
myprog.exe
Anti.exe
projekt2.exe
eb.exe
Vis.exe
msn.exe
Buch.exe
Tach.exe
The message body is also randomly selected from several variants:
Heloo!!!
I send you this program
I think you like it

Hi!,
This is my Cool program
run this program, you mast like

Have do you do!!!
I sent this program, special for you.
Take the atachment and run!!!

Cosol activates from infected emails only when a user clicks on the attached file. The worm then installs itself into the system and runs the spreading, backdoor and key-spy routines. During installation the worm creates the following files in the Windows directory:
DC220.EXE - worm copy
BIOS.EXE - one more worm copy
CSOLP.EXE - worm component
Cosol registers the following files in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
rundll = %WindowsDir%\DC220.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
rundll32 = %WindowsDir%\csolp.exe
The worm also creates and runs a decoy program:
Program Files\Common Files\RASKR.EXE
The worm also creates the following subdirectories in the Windows directory, where Cosol writes its temporary files:
syssend
sysmai
sysem
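
The installation artifacts listed above can be checked against a registry export and a file listing. The following is an added example, not part of the original description: the function names are hypothetical, the registry input is assumed to be REGEDIT4-style export text, C:\WINDOWS is assumed as the Windows directory, and the sample data is constructed.

```python
import re

# Indicators from the description above, lower-cased for comparison.
RUN = r"software\microsoft\windows\currentversion"
AUTORUN_IOCS = {(RUN + r"\runservices", "rundll", "dc220.exe"),
                (RUN + r"\runonce", "rundll32", "csolp.exe")}
WINDIR_NAMES = {"dc220.exe", "bios.exe", "csolp.exe",   # dropped files
                "syssend", "sysmai", "sysem"}            # temp subdirectories
DECOY = r"\program files\common files\raskr.exe"

def parse_reg_export(text):
    """Yield (key, value_name, data) for string values in REGEDIT4 export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]*)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def check_autoruns(reg_text):
    """Return auto-run entries whose key, value name and target all match."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        hive, _, subkey = key.lower().partition("\\")
        match = (subkey, name.lower(), data.lower().rsplit("\\", 1)[-1])
        if hive in ("hkey_local_machine", "hklm") and match in AUTORUN_IOCS:
            hits.append((key, name, data))
    return hits

def check_paths(paths, windir=r"c:\windows"):
    """Return paths matching the dropped files, temp directories or decoy."""
    hits = []
    for p in paths:
        low = p.lower().rstrip("\\")
        parent, _, leaf = low.rpartition("\\")
        if (parent == windir and leaf in WINDIR_NAMES) or low.endswith(DECOY):
            hits.append(p)
    return hits

# Constructed sample input (not taken from a real system).
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"rundll"="C:\\WINDOWS\\DC220.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''
SAMPLE_PATHS = [r"C:\WINDOWS\DC220.EXE", r"C:\WINDOWS\syssend", r"C:\WINDOWS\NOTEPAD.EXE",
                r"C:\Program Files\Common Files\RASKR.EXE", r"D:\backup\bios.exe"]
```

An auto-run entry is reported only when the key, value name and target file name all match, so a legitimate rundll32.exe entry is not flagged by name alone.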
Backdoor
The backdoor routine enables remote operation of an infected computer. It also reports disk and file information; creates, deletes and executes files; sends master files from the infected computer to the "master" computer; and looks for password files (including WebMoney files), which it also sends to the "master" computer that has remote operation access. Files affected by the backdoor routine:
*.kwm
*.mag
*.pwl
*.pwm
*R³Á??*.txt
*pass*.txt
*? ÁR'³*.txt
*R³ Á??*.exl
*R³Á??*.exl
*pass*.exl
*? ÁR'³*.exl

The key-spy routine logs all keys pressed on the keyboard and sends this information to the "master" computer with remote access.


Bravo

Description Bravo

It is a dangerous memory-resident boot virus. On loading from an infected disk it copies itself into the Interrupt Vector Table and hooks INT 13h. Then it writes itself into the boot sectors of floppy disks. The MBR of the hard drive is infected on loading from an infected floppy. Depending on the system timer, the virus overwrites the MBR with the string "Bravo".

Bravo!.502

Description Bravo!.502

It is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On each 10th infection it displays:
Bravo!!! continua cosìall

It also contains the internal text string:
Virus BRAVO! v1.00 Realizzato nel 1992 da R.R.

    Copyright © 2005 Virus-Database.com