A mass-mailing worm that harvests MSN Messenger contact addresses has been deemed a medium risk for home users, while corporate users are at a reduced risk of infection.
W32/Colevo@MM launches Internet Explorer and connects to various news Web sites displaying images of Bolivian Aymara Indian leader Evo Morales. The Web sites it connects to are:
When run, the worm copies itself to the %WINDIR% directory with the following filenames:
Part Hard Disk.exe
Read more at this Network Associates page.
Antivirus software vendor Sophos recognizes the worm as W32/Colevo-A, and says it copies itself to the following files:
W32/Colevo-A will also make certain registry changes. View them and other information at this Sophos page.
According to antivirus software vendor Trend Micro, Worm_Colevo.A propagates by using its own SMTP (Simple Mail Transfer Protocol) engine to send infected email messages to all contacts found in MSN Messenger. The email message it sends out has the following characteristics:
Subject: El adelanto de matrix ta gueno
Oye te ? paso el programa para entrar a cuentas
del messenger Z y facilingo te lo paso a voz nomas,
prometeme que no se lo pasas a nadie, ya?
u Respondeme que tal te parecio. Chau
Technical details are at this Trend Micro page.
Worm Creates Remote Access Point for Hackers to Exploit
This worm is based on the IRC-Sdbot Trojan code. The source code for the IRC-Sdbot Trojan was published on the Internet some time ago, and a number of worms are based on the same code. This is one of those worms. It is detected as IRC-Sdbot with the 4258+ DAT files.
W32/Sdbot spreads via network shares and creates a remote access point for attackers to exploit. When run, it copies itself to the Windows system (%sysDir%) directory and creates two registry run keys to load the worm at system startup:
Run “Services Host” = scchost.exe
RunServices “Services Host” = scchost.exe
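A host-side sweep for the persistence entries and dropped files named in this roundup, as an added example that is not part of the original article or any vendor's tooling. The value name, file names and directories come from the descriptions above; the registry hive paths and the System32 location for %sysDir% are assumptions.

```powershell
# Added example: check the Run/RunServices persistence and dropped files
# described above. Value name "Services Host" and file name "scchost.exe"
# mimic the legitimate svchost.exe; the registry paths below are assumptions.
$valueName    = 'Services Host'
$expectedData = 'scchost.exe'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

$findings = @()
foreach ($key in $runKeys) {
    # RunServices does not exist on every Windows version; skip missing keys.
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $entry = $props.PSObject.Properties[$valueName]
    if ($entry -and ($entry.Value -match [regex]::Escape($expectedData))) {
        $findings += "Run key persistence: $key\$valueName = $($entry.Value)"
    }
}

# File indicators: scchost.exe in the system directory (Sdbot) and
# "Part Hard Disk.exe" in %WINDIR% (Colevo), as given in the article.
$files = @(
    (Join-Path $env:SystemRoot 'System32\scchost.exe'),
    (Join-Path $env:SystemRoot 'Part Hard Disk.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

if ($findings.Count -eq 0) { 'No Colevo/Sdbot indicators found.' } else { $findings }
```

Run it from an elevated shell so the HKLM hive is readable; a hit on the run-key check alone is worth acting on, since the file may already have been renamed or removed.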
Read more at this McAfee page.
Compiled by Esther Shein.