I-Worm.Cosol
Description I-Worm.Cosol
Cosol is a worm virus spreading via the Internet as an email attachment. This worm also has backdoor and key-spy routines. The worm itself is a Windows PE EXE file about 355Kb in size (compressed by UPX; its decompressed size is about 675Kb), written in Delphi.

The infected messages have an attached EXE file with a name randomly selected from the following variants:
cosol.exe
mirch.exe
myprog.exe
Anti.exe
projekt2.exe
eb.exe
Vis.exe
msn.exe
Buch.exe
Tach.exe

The message body is also randomly selected from several variants:
Heloo!!! I send you this program I think you like it
Hi!, This is my Cool program run this program, you mast like
Have do you do!!! I sent this program, special for you. Take the atachment and run!!!
Cosol activates from infected emails only when a user clicks on the attached file. The worm then installs itself into the system and runs the spreading, backdoor and key-spy routines.

During installation the worm creates the following files in the Windows directory:
DC220.EXE - worm copy
BIOS.EXE - one more worm copy
CSOLP.EXE - worm component

Cosol registers these files in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    rundll = %WindowsDir%\DC220.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    rundll32 = %WindowsDir%\csolp.exe

The worm also creates and runs a decoy program:
Program Files\Common Files\RASKR.EXE

Subdirectories are created in the Windows directory, where Cosol writes its temporary files:
syssend
sysmai
sysem

Backdoor
The backdoor routine enables remote operation of an infected computer. It reports disk and file information; creates, deletes and executes files; sends files from the infected computer to the "master" computer; and looks for password files (including WebMoney files) and sends them to the "master" computer as well. Files affected by the backdoor routine (several of these masks contain non-Latin characters that are mis-encoded in this copy of the text):
*.kwm
*.mag
*.pwl
*.pwm
*R³Á??*.txt
*pass*.txt
*? ÁR'³*.txt
*R³ Á??*.exl
*R³Á??*.exl
*pass*.exl
*? ÁR'³*.exl
The key-spy routine logs all keys pressed on the keyboard and sends this information to the "master" computer with remote access.
I-Worm.Newbiero
Description I-Worm.Newbiero
Newbiero is a worm virus spreading through local area networks. This worm has a backdoor routine that allows a 'master' (the person controlling the worm) to monitor infected machines. The worm itself is a Windows PE EXE file about 160Kb in size, written in Microsoft Visual C++.

When run, the worm installs itself into the system: it copies itself to the Windows system directory with a random name (for example, AGCMJL.EXE or CBICAR.EXE) and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Diagnostic = %worm random EXE name%
Newbiero then deletes its original EXE file (the one it was run from). The worm also creates the MSSE.INI file in the Windows system directory and uses this file as an infection flag while spreading through the local area network.

Spreading
To infect the local network the worm scans local network IP addresses and tries to connect to the machines it finds by mapping their hard drives. If a connection succeeds, the worm copies itself to the hard drive as:
WINDOWS\Start Menu\Programs\StartUp\mssg.exe
If Windows is installed in a directory with a different name, the infection procedure fails and the worm does not spread to that machine.

Backdoor
The backdoor routine provides remote control to:
download other EXE files to the infected machine and run them
run local EXE files
exit Windows, reboot the machine, log off users
perform DoS (Denial of Service) attacks, so the worm has DDoS ability
report RAS information from the affected machine (logins and passwords)

Additional Information
The worm tries to terminate the following firewalls:
Sygate Personal Firewall
Tiny Personal Firewall
ZoneAlarm Pro
ZoneAlarm

If the "c:\logging.ini" file contains any content, the worm creates .log files in which it writes reports about its actions. Such .log files are:
c:\logs\misc.log
c:\logs\IPreport.log
c:\logs\ips.log
c:\logs\recived.log
c:\logs\yey.ini
c:\logs\scan.log
c:\logs\infections.log
c:\logs\servmsg.log
c:\logs\Fetchreport.log
c:\logs\opt.abc
c:\logs\abc.cba
c:\online.log
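A check for the auto-run registry entries the Cosol and Newbiero descriptions above attribute to the worms, written here as an added example and not part of the original descriptions. It parses text in the layout that "reg query" prints (a constructed sample is embedded), matches Cosol's fixed RunServices and RunOnce values by subkey, value name and file name together, and matches Newbiero's "Microsoft Diagnostic" value by the shape of its random EXE name; the six-letter length is an assumption taken from the two example names on the page.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample in the layout `reg query <key>` prints: a key line, then
# one value per indented line (name, type, data). Not a real capture.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Microsoft Diagnostic    REG_SZ    C:\WINDOWS\SYSTEM\AGCMJL.EXE
    SoundMan    REG_SZ    C:\WINDOWS\SYSTEM\soundman.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    rundll    REG_SZ    C:\WINDOWS\DC220.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    rundll32    REG_SZ    C:\WINDOWS\csolp.exe
"""
# Cosol: fixed (subkey, value name, file name) triples, matched as a whole so a
# legitimate "rundll32" value is not flagged on its name alone.
COSOL_ENTRIES = {("runservices", "rundll", "dc220.exe"), ("runonce", "rundll32", "csolp.exe")}
# Newbiero: fixed value name, random EXE name. Six letters is an assumption
# drawn from the two examples on the page (AGCMJL.EXE, CBICAR.EXE).
NEWBIERO_RANDOM_EXE = re.compile(r"^[a-z]{6}\.exe$")

def parse_reg_query(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) triples from reg query style output."""
    key = ""
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():  # key lines are not indented
            key = line.strip()
            continue
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if len(parts) == 3:
            yield key, parts[0], parts[2]

def classify_autorun(key: str, name: str, data: str) -> Optional[str]:
    """Name the worm an auto-run entry belongs to, or None if it looks clean."""
    subkey = key.rsplit("\\", 1)[-1].lower()
    exe = data.rsplit("\\", 1)[-1].lower()
    if (subkey, name.lower(), exe) in COSOL_ENTRIES:
        return "I-Worm.Cosol"
    if subkey == "run" and name.lower() == "microsoft diagnostic" and NEWBIERO_RANDOM_EXE.match(exe):
        return "I-Worm.Newbiero"
    return None

def find_worm_autoruns(text: str) -> List[Tuple[str, str]]:
    """List (worm, data) for every suspicious entry in reg query output."""
    hits = []
    for key, name, data in parse_reg_query(text):
        worm = classify_autorun(key, name, data)
        if worm:
            hits.append((worm, data))
    return hits
```

Running find_worm_autoruns over the sample flags the Newbiero entry and both Cosol entries while leaving the SoundMan value alone.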
I-Worm.NewLove
Description I-Worm.NewLove
This is an extremely dangerous variant of the "LoveLetter" Internet worm. Just as with its forerunner "LoveLetter", the "NewLove" worm is written in the Visual Basic Script language and spreads as a VBS file with a random name. The worm installs itself into the system, gains access to the MS Outlook address book, and sends itself to all addresses listed there.

The infected message subject begins with "FW:" and is completed with a random text of up to 30 characters in length and a random extension from the following list:
Doc, Xls, Mdb, Bmp, Mp3, Txt, Jpg, Gif, Mov, Url, Htm, Txt
This also serves as the name of the attached file, for example:
FW: VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp
FW: QKUPLSXOOIBPAGNENGIVPN.Mp3
FW: TNXSOVARRLESDJQHQJLYSQNWV.Mdb
FW: HBLHCJOFFZS.Mdb
FW: MGQMHOTKKEXLWCJAJ.Doc
FW: SMXSNUZRRKDRCJQGPIKXRQNWU.Mdb
FW: CWGCXE.Mp3
The message body is empty, and there is a VBS file attached with the same file name that is in the subject line, but with an added ".VBS" extension. Depending on the system settings, the real extension of the attached file (".vbs") may not be shown. In this case the filename of the attached file is displayed as shown above (with no "FW:").

When the attached file is activated (by double-clicking, for example), the worm sends its copies to all addresses from the MS Outlook address book. The worm then destroys the computer: it scans all local and mapped disk drives and replaces all files with its copy, adding the ".VBS" extension to the file names (for example, COMMAND.COM becomes COMMAND.COM.VBS). As a result, all files on all accessible drives are totally destroyed. Because of this, the worm is able to spread just once: it sends its copy to all available addresses and then destroys the computer.

The worm is able to spread only if MS Outlook is installed in the system. The worm payload routine is activated regardless of the e-mail system installed on the computer: if another e-mail system is installed, the worm does not send infected e-mails, but still destroys all files on the computer.

The worm is polymorphic. Upon each infection it inserts random comments into its code. The worm does this each time it spreads, and as a result its size grows with its generation (by about 60% of the current size), for example:
1st generation: 110Kb
2nd generation: 248Kb
3rd generation: 403Kb
4th generation: 585Kb
5th generation: 805Kb
6th generation: 1040Kb
etc. The "pure" worm code is just about 5Kb in size.

Protection for this type of worm has already been released by Kaspersky Lab. The "AVP Script Checker" protects the system against the new worm and prevents infection. We strongly recommend you download "AVP Script Checker" from our Kaspersky Lab Web sites.
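An added example, not from the original description, of a mail-filter check for the NewLove message pattern described above: a "FW:" subject made of a random uppercase name plus one of the listed extensions, an empty body, and an attachment whose displayed name equals the subject's name but carries a trailing ".VBS" that Windows may hide. The hidden-extension helper is written generally for any script extension behind a second one, which goes beyond the page's VBS case; the sample messages are constructed, with subjects taken from the description.

```python
import re
from typing import List, Optional, Tuple

# Extensions the description lists for the random name (Txt appears twice there).
NEWLOVE_EXTENSIONS = ("Doc", "Xls", "Mdb", "Bmp", "Mp3", "Txt", "Jpg", "Gif", "Mov", "Url", "Htm")
SUBJECT_RE = re.compile(r"^FW: ([A-Z]{1,30})\.(" + "|".join(NEWLOVE_EXTENSIONS) + r")$")
# Script extensions that "hide extensions for known file types" can conceal
# behind a harmless-looking one (general list; an assumption beyond the page).
SCRIPT_EXTENSIONS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}

def hidden_script_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (displayed_name, script_ext) when a script extension hides behind
    another extension, else None. NAME.Bmp.VBS is displayed as NAME.Bmp."""
    parts = filename.rsplit(".", 2)
    if len(parts) == 3 and parts[2].lower() in SCRIPT_EXTENSIONS:
        return f"{parts[0]}.{parts[1]}", parts[2].lower()
    return None

def is_newlove_message(subject: str, body: str, attachments: List[str]) -> bool:
    """True when subject, empty body and a .VBS attachment match the NewLove pattern."""
    match = SUBJECT_RE.match(subject.strip())
    if not match or body.strip():
        return False
    displayed = f"{match.group(1)}.{match.group(2)}"  # name as the user sees it
    for name in attachments:
        hidden = hidden_script_extension(name)
        if hidden == (displayed, "vbs"):
            return True
    return False

# Constructed messages; the first two subjects are examples from the description.
SAMPLE_MESSAGES = [
    {"subject": "FW: VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp", "body": "",
     "attachments": ["VPAVQXCUUNGUFLTJSLNAUTQZXJUG.Bmp.VBS"]},
    {"subject": "FW: CWGCXE.Mp3", "body": "", "attachments": ["CWGCXE.Mp3.VBS"]},
    {"subject": "FW: quarterly report", "body": "See attached.",
     "attachments": ["report.xls"]},
    # Same subject shape but a genuine single-extension attachment: not flagged.
    {"subject": "FW: HBLHCJOFFZS.Mdb", "body": "", "attachments": ["HBLHCJOFFZS.Mdb"]},
]

def flag_messages(messages) -> List[str]:
    """Return the subjects of messages that match the NewLove pattern."""
    return [m["subject"] for m in messages
            if is_newlove_message(m["subject"], m["body"], m["attachments"])]
```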