W32/Colevo.A@mm
Analysis
- Virus is 32bit with a compressed size of 188,928 bytes
- If virus is run, it may run memory resident and attempt to connect to various websites and display a .JPG image of a man suggested to be Evo Morales of Bolivia. The sites are displayed similarly to a slideshow presentation; even if the web browser is closed, it will open and launch persistently to selected websites defined in the virus code
- Virus writes itself to the local drive as several different file names:
c:\WINDOWS\All Users.exe
c:\WINDOWS\command.exe
c:\WINDOWS\Hot Girl.scr
c:\WINDOWS\hotmailpass.exe
c:\WINDOWS\Inf.exe
c:\WINDOWS\Internet download .exe
c:\WINDOWS\Internet File.exe
c:\WINDOWS\Part Hard Disk.exe
c:\WINDOWS\Shell.exe
c:\WINDOWS\system.exe
c:\WINDOWS\System32.exe
c:\WINDOWS\System64.pif
c:\WINDOWS\Temp.exe
c:\WINDOWS\SYSTEM32\command.com
c:\WINDOWS\SYSTEM32\Inf.exe
c:\WINDOWS\SYSTEM32\net.com
c:\WINDOWS\SYSTEM32\www.microsoft.com
- Virus modifies the registry to run itself any time certain file types are executed:
HKEY_CLASSES_ROOT\batfile\shell\open\command\
"(Default)" = "c:\windows\temp.exe" "%1" %*
*original value was "(Default)" = "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command\
"(Default)" = "c:\windows\Inf.exe" "%1" %*
*original value was "(Default)" = "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command\
"(Default)" = "c:\windows\command.exe" "%1" %*
*original value was "(Default)" = "%1" %*
HKEY_CLASSES_ROOT\htafile\Shell\Open\Command\
"(Default)" = "c:\windows\commands.com" "%1" %*
*original value was "(Default)" = (WINDOWS\SYSTEM)\MSHTA.EXE "%1" %*
HKEY_CLASSES_ROOT\piffile\shell\open\command\
"(Default)" = "c:\windows\commands.com" "%1" %*
*original value was "(Default)" = "%1" %*
- Virus modifies the registry to run at Windows startup from several keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"System" = c:\windows\system.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\
"System" = c:\windows\system.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSevices\
"System" = c:\windows\system.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunSevicesOnce\
"System" = c:\windows\temp.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"System" = c:\windows\system.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\1\2\3\4\
"System" = c:\windows\temp.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunSevices\
"System" = c:\windows\commands.com
- Virus seeks MSN contact email addresses by scavenging information stored in the registry. For each email address found, the virus may send a copy of itself to that potential recipient; the email attachment may be named "hotmailpass.exe"
- Virus may modify the registry so that the extension of files with the .EXE file extension is not shown
- Virus may modify the Windows configuration files WIN.INI and SYSTEM.INI in order to load at Windows startup:
System.ini change in the [boot] section:
Shell = explorer.exe temp.exe
Win.ini change in the [windows] section:
load = archivo.exe
run = archivo.exe
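The file, registry and INI indicators above can be turned into a read-only host check. The following script is an added example and is not Fortinet's code or part of the original analysis; it assumes Windows PowerShell 5.1 or later, uses %SystemRoot% in place of the hard-coded c:\WINDOWS shown above, copies the Run-family key names exactly as the analysis spells them, and treats a NeverShowExt value under HKEY_CLASSES_ROOT\exefile as the likely mechanism behind the hidden .EXE extension (that last key is an assumption, not something the page states).

```powershell
# Added example, not Fortinet's code: read-only host check for the
# W32/Colevo.A@mm indicators listed in the analysis above.
# Assumptions: Windows PowerShell 5.1+; %SystemRoot% stands in for c:\WINDOWS;
# the NeverShowExt check (step 4) is an assumed mechanism, not from the page.

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files named in the analysis, resolved against %SystemRoot%.
$droppedFiles = @(
    'All Users.exe', 'command.exe', 'Hot Girl.scr', 'hotmailpass.exe', 'Inf.exe',
    'Internet download .exe', 'Internet File.exe', 'Part Hard Disk.exe', 'Shell.exe',
    'system.exe', 'System32.exe', 'System64.pif', 'Temp.exe',
    'SYSTEM32\command.com', 'SYSTEM32\Inf.exe', 'SYSTEM32\net.com',
    'SYSTEM32\www.microsoft.com'
)
foreach ($rel in $droppedFiles) {
    $path = Join-Path $env:SystemRoot $rel
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings.Add("dropped file present: $path")
    }
}

# 2. File-type handler hijack. A clean handler is '"%1" %*' (for htafile, a
#    command that invokes mshta.exe); anything else is reported.
foreach ($type in 'batfile', 'comfile', 'exefile', 'piffile', 'htafile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
    $clean = if ($type -eq 'htafile') { $cmd -match '(?i)mshta\.exe' } else { $cmd -eq '"%1" %*' }
    if (-not $clean) { $findings.Add("handler ${type}: $cmd") }
}

# 3. Autostart value named "System" under the Run-family keys from the analysis
#    (subkey names, including 'RunSevices', are copied as the analysis spells them).
$runKeys = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Run', 'Run\1\2\3\4', 'RunSevices', 'RunSevicesOnce') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    if ($props.PSObject.Properties['System']) {
        $findings.Add("autostart $key\System = $($props.System)")
    }
}

# 4. Extension hiding (assumed mechanism: NeverShowExt under HKCR\exefile).
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\exefile') {
    $exe = Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\exefile'
    if ($exe.PSObject.Properties['NeverShowExt']) {
        $findings.Add('.EXE extension hidden via NeverShowExt')
    }
}

# 5. Legacy INI autostart hooks: system.ini [boot] Shell= and win.ini [windows] load=/run=.
$systemIni = Join-Path $env:SystemRoot 'system.ini'
$winIni    = Join-Path $env:SystemRoot 'win.ini'
if (Test-Path -LiteralPath $systemIni) {
    Get-Content -LiteralPath $systemIni |
        Where-Object { $_ -match '^\s*shell\s*=' -and $_ -notmatch '^\s*shell\s*=\s*explorer\.exe\s*$' } |
        ForEach-Object { $findings.Add("system.ini: $($_.Trim())") }
}
if (Test-Path -LiteralPath $winIni) {
    Get-Content -LiteralPath $winIni |
        Where-Object { $_ -match '^\s*(load|run)\s*=\s*\S' } |
        ForEach-Object { $findings.Add("win.ini: $($_.Trim())") }
}

if ($findings.Count -eq 0) { 'No W32/Colevo.A@mm indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reads; it changes nothing, so a hit is a prompt for isolation and cleanup, not a cleanup by itself. The handler check is the most useful part on a modern host: a (Default) value for exefile that is anything other than "%1" %* means every .EXE launch is being proxied through another program, whatever its name.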
Telemetry
Detection Availability

Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |