i-worm.coso
Description:
Details
I-Worm.Cosol
Cosol is a worm virus spreading via the Internet as an email attachment. This worm also has a backdoor and key-spy routines.
The worm itself is a Windows PE EXE file about 355Kb in size (compressed by UPX, its decompressed size is about 675Kb), written in Delphi.
The infected messages have an attached EXE file with a name randomly selected from the following variants:
cosol.exe
mirch.exe
myprog.exe
Anti.exe
projekt2.exe
eb.exe
Vis.exe
msn.exe
Buch.exe
Tach.exe
The message body is also randomly selected from several variants:
Heloo!!!
I send you this program
I think you like it
Hi!,
This is my Cool program
run this program, you mast like
Have do you do!!!
I sent this program, special for you.
Take the atachment and run!!!
Cosol activates from infected emails only when a user clicks on the attached file. The worm then installs itself into the system and runs its spreading, backdoor and key-spy routines. During installation the worm creates the following files in the Windows directory:
DC220.EXE - worm copy
BIOS.EXE - one more worm copy
CSOLP.EXE - worm component
Cosol registers the following files in the system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
rundll = %WindowsDir%\DC220.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
rundll32 = %WindowsDir%\csolp.exe
The worm also creates and runs a decoy program:
Program Files\Common Files\RASKR.EXE
Cosol also creates the following subdirectories in the Windows directory, where it writes its temporary files:
\sys\send\
\sys\mai\
\sys\em\
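A check for the installation artifacts listed above, added here as an example and not part of the original description: it matches a file listing and exported auto-run values against the file names, registry values and directories given on this page. The function names, the C:\WINDOWS default and the sample inventory are assumptions constructed for illustration.

```python
import ntpath

# Indicators as listed in the description above.
DROPPED = {"dc220.exe", "bios.exe", "csolp.exe"}   # created in the Windows directory
DECOY = "program files\\common files\\raskr.exe"   # decoy program
TEMP_DIRS = ("\\sys\\send\\", "\\sys\\mai\\", "\\sys\\em\\")  # under the Windows directory
AUTORUN = {  # (registry key suffix, value name) -> file the value points to
    ("currentversion\\runservices", "rundll"): "dc220.exe",
    ("currentversion\\runonce", "rundll32"): "csolp.exe",
}

def _norm(path):
    return path.replace("/", "\\").strip('"').lower()

def check_files(paths, windir="C:\\WINDOWS"):
    """Return (path, reason) for every path matching a file-system indicator."""
    win, hits = _norm(windir).rstrip("\\"), []
    for path in paths:
        p = _norm(path)
        if ntpath.dirname(p) == win and ntpath.basename(p) in DROPPED:
            hits.append((path, "worm file in Windows directory"))
        elif p.endswith("\\" + DECOY):
            hits.append((path, "decoy program"))
        elif any((p + "\\").startswith(win + d) for d in TEMP_DIRS):
            hits.append((path, "worm temporary directory"))
    return hits

def check_autoruns(entries):
    """entries are (key, value name, value data); return the ones the worm registers."""
    hits = []
    for key, name, data in entries:
        for (suffix, value), exe in AUTORUN.items():
            if (_norm(key).endswith(suffix) and name.lower() == value
                    and ntpath.basename(_norm(data)) == exe):
                hits.append((key, name, data))
    return hits

# Constructed sample inventory (not taken from a real host).
CV = r"HKLM\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_FILES = [r"C:\WINDOWS\DC220.EXE", r"C:\WINDOWS\system32\rundll32.exe",
                r"C:\Program Files\Common Files\RASKR.EXE",
                r"C:\WINDOWS\sys\mai\a.tmp", r"C:\Users\x\bios.exe"]
SAMPLE_AUTORUNS = [(CV + r"\RunServices", "rundll", r"C:\WINDOWS\DC220.exe"),
                   (CV + r"\RunOnce", "rundll32", r"C:\WINDOWS\csolp.exe"),
                   (CV + r"\Run", "rundll32", r"C:\WINDOWS\system32\rundll32.exe")]

if __name__ == "__main__":
    for hit in check_files(SAMPLE_FILES) + check_autoruns(SAMPLE_AUTORUNS):
        print(hit)
```

The file-name match is limited to the Windows directory, so the legitimate rundll32.exe in system32 and a bios.exe elsewhere on disk are not flagged.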
Backdoor
The backdoor routine enables remote operation of an infected computer. It reports disk and file information; creates, deletes and executes files; sends master files from the infected computer to the "master" computer; and looks for password files (including WebMoney files) and sends them to the "master" computer, which has remote operation access, as well. Files affected by the backdoor routine:
*.kwm
*.mag
*.pwl
*.pwm
*R??*.txt
*pass*.txt
*? R'*.txt
*R ??*.exl
*R??*.exl
*pass*.exl
*? R'*.exl
The key-spy routine logs all keys pressed on the keyboard and sends this information to the "master" computer with remote access.
Copyright @2006 i-worm.coso