Virus

W32/Colevo.A@mm

Analysis

  • Virus is a 32-bit executable with a compressed size of 188,928 bytes
  • If run, the virus may become memory resident and attempt to connect to various websites, displaying a .JPG image of a man suggested to be Evo Morales of Bolivia; the sites are shown one after another, like a slideshow presentation. Even if the web browser is closed, the virus reopens it and persistently navigates to the websites defined in the virus code
  • Virus writes itself to the local drive under several different file names –

    c:\WINDOWS\All Users.exe
    c:\WINDOWS\command.exe
    c:\WINDOWS\Hot Girl.scr
    c:\WINDOWS\hotmailpass.exe
    c:\WINDOWS\Inf.exe
    c:\WINDOWS\Internet download .exe
    c:\WINDOWS\Internet File.exe
    c:\WINDOWS\Part Hard Disk.exe
    c:\WINDOWS\Shell.exe
    c:\WINDOWS\system.exe
    c:\WINDOWS\System32.exe
    c:\WINDOWS\System64.pif
    c:\WINDOWS\Temp.exe
    c:\WINDOWS\SYSTEM32\command.com
    c:\WINDOWS\SYSTEM32\Inf.exe
    c:\WINDOWS\SYSTEM32\net.com
    c:\WINDOWS\SYSTEM32\www.microsoft.com

  • Virus modifies the registry to run itself any time certain file types are executed –

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "(Default)" = "c:\windows\temp.exe", "%1" %*

    original value was "(Default)" = "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "(Default)" = "c:\windows\Inf.exe", "%1" %*

    original value was "(Default)" = "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "(Default)" = "c:\windows\command.exe", "%1" %*

    original value was "(Default)" = "%1" %*

    HKEY_CLASSES_ROOT\htafile\Shell\Open\Command\
    "(Default)" = "c:\windows\commands.com", "%1" %*

    original value was
    "(Default)" = (WINDOWS\SYSTEM)\MSHTA.EXE "%1" %*

    HKEY_CLASSES_ROOT\piffile\shell\open\command\
    "(Default)" = "c:\windows\commands.com", "%1" %*

    original value was "(Default)" = "%1" %*

  • Virus modifies the registry to run at Windows startup from several keys –

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "System" = c:\windows\system.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\
    "System" = c:\windows\system.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSevices\
    "System" = c:\windows\system.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSevicesOnce\
    "System" = c:\windows\temp.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    "System" = c:\windows\system.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\
    "System" = c:\windows\temp.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSevices\
    "System" = c:\windows\commands.com
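The two registry changes above (hijacked shell\open\command handlers and the Run/RunServices entries) can be checked offline from a `reg export` of the affected hives. The following is an added example written for this page, not code from the analysis or from any vendor tool: it parses the .reg text format, flags any batfile/comfile/exefile/piffile handler that runs something in front of "%1" %* (or an htafile handler that does not go through mshta.exe), and flags Run-style values whose file name matches one of the names listed in this analysis. The SAMPLE_REG text is constructed to mirror the keys described above; the "Harmless" entry is a made-up benign value to show that not everything is flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a `reg export`, modelled on the keys listed in the analysis.
# In .reg syntax the default value is written as @, and string values escape
# backslashes as \\ and double quotes as \".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\windows\\command.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="\"c:\\windows\\commands.com\" \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"System"="c:\\windows\\system.exe"
"Harmless"="c:\\Program Files\\Vendor\\tray.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSevices]
"System"="c:\\windows\\commands.com"
'''

# File names the analysis lists as dropped copies (plus commands.com, which
# appears in the registry values it describes). Compared case-insensitively.
DROPPED_NAMES = {
    'all users.exe', 'command.exe', 'hot girl.scr', 'hotmailpass.exe', 'inf.exe',
    'internet download .exe', 'internet file.exe', 'part hard disk.exe', 'shell.exe',
    'system.exe', 'system32.exe', 'system64.pif', 'temp.exe', 'command.com', 'net.com',
    'www.microsoft.com', 'commands.com',
}

ASSOC_TYPES = ('batfile', 'comfile', 'exefile', 'piffile', 'htafile')
CLEAN_OPEN_COMMAND = '"%1" %*'   # stock handler for bat/com/exe/pif files
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.IGNORECASE)


def _unescape(raw: str) -> str:
    """Undo .reg string escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string value}} for string values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue  # binary/dword values are not needed for these checks
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(2))
        value = m.group(3)
        if value.startswith('"') and value.endswith('"'):
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def _basename(path: str) -> str:
    return re.split(r'[\\/]', path.strip().strip('"'))[-1].lower()


def check_file_associations(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Flag HKCR\<type>\shell\open\command handlers that no longer launch the target directly."""
    findings = []
    for key, values in keys.items():
        parts = key.split('\\')
        if len(parts) != 5 or parts[0].upper() != 'HKEY_CLASSES_ROOT':
            continue
        ftype = parts[1].lower()
        if ftype not in ASSOC_TYPES or [p.lower() for p in parts[2:]] != ['shell', 'open', 'command']:
            continue
        cmd = values.get('(Default)', '')
        if not cmd:
            continue
        # Whatever is left after removing "%1" %* is the program inserted in front of the target.
        prefix = cmd.replace(CLEAN_OPEN_COMMAND, '').strip()
        hijacked = _basename(prefix) != 'mshta.exe' if ftype == 'htafile' else prefix != ''
        if hijacked:
            findings.append((key, cmd))
    return findings


def check_run_keys(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag Run/RunOnce/RunServices-style values (any depth) pointing at a listed dropped name."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, val in values.items():
            if _basename(val) in DROPPED_NAMES:
                findings.append((key, name, val))
    return findings


if __name__ == '__main__':
    parsed = parse_reg_export(SAMPLE_REG)
    for key, cmd in check_file_associations(parsed):
        print(f'hijacked handler: {key} -> {cmd}')
    for key, name, val in check_run_keys(parsed):
        print(f'suspicious autorun: {key} "{name}" = {val}')
```

To use it on a real machine, export the hives (`reg export HKCR hkcr.reg`, and the same for HKCU and HKLM) and pass the file contents to parse_reg_export. The handler check is deliberately baseline-based rather than name-based, so it also catches a hijack that uses a file name not in this analysis.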

  • Virus seeks MSN contact email addresses by scavenging information stored in the registry; for each email address found, the virus may send a copy of itself to that potential recipient, as an email attachment that may be named “hotmailpass.exe”

  • Virus may modify the registry so that the .EXE file extension is hidden for executable files

  • Virus may modify the Windows configuration files WIN.INI and SYSTEM.INI in order to load at Windows startup –
    System.ini change in the [boot] section:
    Shell = explorer.exe temp.exe

    Win.ini change in the [windows] section:
    load = archivo.exe
    run = archivo.exe
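The WIN.INI and SYSTEM.INI changes above are easy to verify from copies of the two files. The following is an added example for this page, not code from the analysis: a small INI reader (no configparser, so duplicate or empty directives in old INI files do not raise errors) and two checks. On Windows 9x the stock [boot] entry is shell=explorer.exe, so any extra program on that line is a persistence entry; the [windows] load= and run= directives are normally empty. The sample file contents are constructed to match what the analysis describes.

```python
from typing import Dict, List, Tuple

# Constructed samples reflecting the modifications described in the analysis.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe temp.exe
drivers=mmsystem.dll
[386Enh]
"""

SAMPLE_WIN_INI = """[windows]
load=archivo.exe
run=archivo.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {directive: value}}; section and directive names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def check_system_ini(text: str) -> List[str]:
    """Return every program on the [boot] shell= line other than explorer.exe."""
    boot = parse_ini(text).get('boot', {})
    shell = boot.get('shell', 'explorer.exe')
    return [tok for tok in shell.split() if tok.lower() != 'explorer.exe']


def check_win_ini(text: str) -> List[Tuple[str, str]]:
    """Return non-empty [windows] load= and run= directives, which auto-start programs."""
    windows = parse_ini(text).get('windows', {})
    return [(d, windows[d]) for d in ('load', 'run') if windows.get(d)]


if __name__ == '__main__':
    print('system.ini extra shell programs:', check_system_ini(SAMPLE_SYSTEM_INI))
    print('win.ini autostart directives:', check_win_ini(SAMPLE_WIN_INI))
```

Read the real files from the Windows directory and pass their contents to the two check functions; an empty result from both means neither file carries an autostart entry.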