Virus Alert: Worm Launches IE, Connects to Various News Sites July 1, 2003 By eSecurityPlanet Staff A mass-mailing worm that harvests MSN Messenger contact addresses has been deemed a medium risk for home users, but corporate users are at a reduced risk of infection. W32/Colevo@MM launches Internet Explorer and connects to various news Web sites displaying images of Bolivian Aymara Indian leader Evo Morales. The Web sites it connects to are: http://jeremybigwood.net http://news.bbc.co.uk http://www.commondreams.org/headlines/images/100700-01.jpg http://www-ni.laprensa.com.ni http://www.soc.uu.se http://www.cannabisculture.com http://www.chilevive.cl http://membres.lycos.fr http://news.bbc.co.uk http://www.movimientos.org When run, the worm copies itself to %WINDIR% directory with the following filenames: All Users.exe command.exe Hot Girl.scr hotmailpass.exe Inf.exe Internet Download.exe Internet File.exe Part Hard Disk.exe Shell.exe system.exe system32.exe system64.pif Temp.exe Read more at this Network Associates page. Antivirus software vendor Sophos recognizes the worm as W32/Colevo-A, and says it copies itself to the following files: \command.exe \Hot Girl.scr \hotmailpass.exe \Inf.exe \Internet download .exe \Internet File.exe \Part Hard Disk.exe \Shell.exe \system.exe \System32.exe \System64.pif \Temp.exe \All User\Server.exe \system32\command.com \system32\net.com \system32\www.microsoft.com \system32\Inf.exe \menu inicio\programas\inicio\www.microsoft\com \Evo Morales.scr W32/Colevo-A will also make certain registry changes. View them and other information at this Sophos page. According to antivirus software vendor Trend Micro, Worm_Colevo.A propagates by using its own SMTP (Simple Mail Transfer Protocol) engine to send infected email messages to all contacts found in MSN Messenger. The email message it sends out has the following characteristics: Subject: El adelanto de matrix ta gueno Message Body: Oye te ? paso el programa para entrar a cuentas del messenger Z y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya? u Respondeme que tal te parecio. Chau Attachment: hotmailpass.exe Technical details are at this Trend Micro page. Worm Creates Remote Access Point for Hackers to Exploit This worm is based on the IRC-Sdbot Trojan code. The source code for the IRC-Sdbot Trojan was published on the Internet some time ago, and a number of worms are based on the same code. This is one of those worms. It is detected as IRC-Sdbot with the 4258+ DAT files. W32/Sdbot spreads via network shares and creates a remote access point for attackers to exploit. When run, it copies itself to the WINDOWS SYSTEM (%sysDir%) directory and creates two registry run keys to load the worm at system startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "Services Host" = scchost.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServices "Services Host" = scchost.exe

Thanks again!

Good service you have going there, WWD.

thx you both.and your wellcome! just relaying the alerts i get in email.found them usefull though others would allso.

That's the virus that got me!!!!! don't worry guys, i've already fixed it :) watch out, that virus is very powerfull