Win32.HLLW.Keco

(W32/Keco.worm.gen, I-Worm/Keco.B, Email-Worm.Win32.Keco.b, W32.Keco@mm, Backdoor.Delf.31, Win32/Keco.A@mm, New Malware.j, System error, Win32.Keco.A, Win32.Keco.F@mm, Parser error, Worm/Keco.A.2, I-Worm/Keco.F, Win32/Keco!Worm, Win32/Keco.F@mm, Email-Worm.Win32.Keco.f, WORM_KECO.GEN, TR/Dldr.Delphi.Gen, WORM_KECO.A, Win32/Keco.A!Worm)

Added to the Dr.Web virus database: 2005-04-22

Virus description added:

Description

Win32.HLLW.Keco is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. The size of the executable module of the worm is around 24 Kb.

Spreading

The worm disseminates via e-mail using its own SMTP engine. The mail message infected with the worm may look as follows:

The subject may be empty or begin with Re: or Fwd:, or it may be chosen from the following list:

     Your details 
     Your File 
     Your document 
     eCard sent to you 
     My File 
     Your picture 
     My picture 
     You got a pic ? 
     You got image ? 
     You got picture? 
     Pic? 
     Image? 
     File? 
     File! 
     Document! 
     The document 
     Yours 
     New document 
     New File 
     Your ZIP 
     My private pics 
     My private files 
     My private images 
     My private documents 
     My private textes 
     the text 
     the poem 
     a Poem 
     a Text 
     a Picture 
     a Image 
     My Text 
     My Poem 
     Did you like my poem? 
     Did you like my text? 
     2 Poem 
     some text 
     whos picture ? 
     a Joke 
     Image of you 
     Links 
     profile 
     your profile 
     Its me :) 
     Im back :D 
     hello dude 
     whats up? 
     sup ? 
     i got a problem 
     warning, its me 
     warning, im hot 
     s--t man :P 
     haha there you are 
     ive searched for you :D 
     wow, im so cool 
     what you want ? 
     hey, stop buggin me 
     is it just me? 
     great 
     doesnt matter to me 
     which u want? 
     gr8 :) 
     hahahahahahaha :D 
     are you jesus? ;D 
     she said what i was supposed to think :P 
     Cute, Boring, Love. 
     cute boring love :P 
     its whats its all about 
     i like apple juice 
     coke just rules done you think ? 
     i want to trademark 
     i want to own you 
     i want you 
     i want to have you 
     dont you longing for purity ? 
     dont you ever gets so sick of territories ? 
     i am naked 
     man im nude 
     dude, im nude 
     what are you so scared of ? 
     sick of spam? so am i :/ 
     s--t s--t s--t 
     do you trust me? 
     do i trust you? 
     do you know me? 
     do i know you? 
     i eat glass :D 
     i can walk on the water 
     this is so sick man :D 
     check it out, its sick :D 
     WOW, powerlevel up :D 
     wow hahaha 
     wow, if this aint pron, then i dont know what it is 
     i made a mistake :( 
     is this a mistake ? 
     do you have a mistake ? 
     i made a mistake 
     are you intrested in making movies? 
     making movies ? 
     getting money? 
     i love money 
     do you love money? 
     i got a picture of you and me 
     i got a picture of you 
     i got a picture of me 
     you got a picture of us 
     you got a picture of me 
     you got a picture ? 
     i hate to be singel 
     i hate to not be lesbian 
     i hate to be gay 
     i hate to be a homosexual 
     i am a lesbian 
     i hate fags 
     are you a f-g? 
     is this right mail? 
     is this james? 
     is this kirk? 
     is this kurt? 
     is this rutger? 
     is this stefan? 
     is this stephen? 
     is this mary? 
     is this julie? 
     is this ? 
     is ? 
     want to listen on some music? 
     oh yea, thats how i like it 
     how i like it 
     oh yea 
     im afraid 
     im not afraid 
     im afraid of dieing 
     im afraid of begin ignore 
     im afraid of feeling 
     im not afraid of trying 
     do you got msn? 
     do you got icq? 
     do you got aim? 
     do you got mail? :D 
     where is the sky? 
     i am hiding 
     noone knows, just u and i 
     just u and i 
     U and i 
     U + I 
     I + U 
     i see everything :D 
     Best i am 
     I am Best 
     Am best I 
     Am i Best 
     Best Am I 
     i Best Am 
     blah blah blah 
     words, i hate words 
     w0rd
   

The attachment may have the extension .bat, .cmd, .exe, .pif or .scr; its name is chosen from the following list:

 1 Update 
 3 Update 
 [0]eCard 
 [1]eCard 
 A_eCard 
 Application 
 Applications 
 BetaFile 
 Cigg 
 CiggSmoke 
 CiggWeed 
 Dare 
 DareWho 
 Death 
 Details 
 Die 
 DieLive 
 Document 
 eCard 
 eCard_20349 
 eCard_30042 
 eCard_30259 
 FileInfo 
 FileNews 
 FileTest 
 FileText 
 Image 
 Images00 
 Images04 
 IMG_0345486 
 IMG_094385 
 IMG_2186395 
 IMG_2194864 
 IMG_2318975 
 IMG_234502 
 IMG_2349 
 IMG_2384063 
 IMG_34534953 
 IMG_358996 
 IMG_567567 
 IMG_804325 
 Info 
 Info_Your 
 InfoFile 
 ItsATest 
 Jpeg_file 
 JPG Test 
 Life 
 Live 
 LiveDie 
 Music 
 MusicPlayer 
 MusicRar 
 My Image 
 My_Details 
 My_Info 
 MyImages 
 NewEmail 
 NewsFile 
 Pic Test 
 Picture0 
 PictureFile 
 PictureImageFormat 
 Pictures 
 Porn 
 PornFile 
 PornPic 
 PornZip 
 Profiles 
 Rar 
 Rared 
 RaredDocs 
 RaredDocuments 
 RaredJpeg 
 RaredMusic 
 RaredPictures 
 RaredPorn 
 RaredTexts 
 RarFile 
 RarPorn 
 Raw 
 Smoke 
 SmokeCigg 
 SmokeWeed 
 Test Pic 
 TestTest 
 Testthis 
 Textfile 
 TheEmail 
 ThisFile 
 Tmp Docu 
 tmpEMail 
 tmpFiles 
 tmpInfo0 
 tmpInfo1 
 tmpLogin 
 tmpPics0 
 tmpTexts 
 UrDetail 
 Weed 
 WeedCigg 
 WeedSmoke 
 WhoDare 
 WinZipper 
 Your Doc 
 Your_Application 
 Your_CardNumber 
 Your_Details 
 Your_eCard 
 Your_Info 
 Your_Login 
 Your_Numbers 
 Your_Profile 
 Your_SignIn 
 YourFile 
 YourMail 
 YourTest 
 YourText 
 Zip 
 ZipDoc 
 ZipFile 
 Zipped 
 ZippedDocs 
 ZippedFiles 
 ZippedJpeg 
 ZippedPictures 
 ZippedPorn 
 ZippedTexts
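The attachment extensions listed above are all directly executable on Windows, so a mail gateway can refuse them whatever the file name or subject is. The following check is an added example, not part of the original description or of any Dr.Web product; the function names and the sample message are constructed for illustration.

```python
import email
from email import policy

# Extensions the description lists for the worm's attachment.
BLOCKED_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}

def effective_extension(filename):
    """Extension Windows acts on: last one wins, case-folded,
    trailing dots and spaces ignored (Windows drops them on save)."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""

def inspect_message(raw_bytes):
    """Return (verdict, blocked_filenames) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for part in msg.walk():  # also descends into nested multiparts
        # get_filename() decodes RFC 2231 names and falls back to the
        # Content-Type "name" parameter when Content-Disposition has none.
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED_EXTENSIONS:
            blocked.append(filename)
    return ("quarantine" if blocked else "pass"), blocked

# Constructed sample message, not a captured one; the attachment body is
# harmless placeholder text. A double extension is used to show that only
# the last extension decides.
SAMPLE = (
    b"From: a@example.com\r\nTo: b@example.com\r\nSubject: Re: Your File\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="x"\r\n\r\n'
    b"--x\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--x\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="IMG_2349.jpg.ScR"\r\n\r\n'
    b"placeholder\r\n--x--\r\n"
)

if __name__ == "__main__":
    print(inspect_message(SAMPLE))
```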
 
 
     

Action

When executed, the worm creates a mutex «COKE_DESTROYS_YOUR_BRAIN_5,» in order to avoid repeated infections with its copies. Then it drops its copy, WinShellb.exe, to the Windows\System folder (in Windows 9x/ME it's C:\Windows\System, in Windows NT/2000 it's C:\WINNT\System32, in Windows XP it's C:\Windows\System32) and changes the registry entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = "Explorer.exe WinShellb.exe"

thus securing its execution at every system restart. It creates a text file, coke.txt, in the root folder of the C drive. The file contains a message to the authors of the Netsky, Beagle and Mydoom viruses.
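The traces described in this section can be checked on a suspect host by comparing the Winlogon Shell value with the Windows default (explorer.exe alone) and looking for the two dropped files. The following triage helper is an added example, not Dr.Web's removal procedure; it assumes the text output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell` has been collected, and the function names and sample output are constructed.

```python
import os
import re

def parse_reg_query(output, value_name="Shell"):
    """Extract one string value's data from `reg query ... /v <name>` output."""
    pattern = re.compile(
        r"^[ \t]+" + re.escape(value_name) + r"[ \t]+REG_(?:EXPAND_)?SZ[ \t]+(.*)$",
        re.IGNORECASE | re.MULTILINE)
    match = pattern.search(output)
    return match.group(1).strip() if match else None

def unexpected_shell_entries(data):
    """Entries in the Shell value other than the bare default explorer.exe."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s,]+', data or "")]
    return [t for t in tokens if t.lower() != "explorer.exe"]

def find_artifacts(system_dir, drive_root):
    """Paths of the files the description says the worm leaves behind."""
    candidates = [os.path.join(system_dir, "WinShellb.exe"),
                  os.path.join(drive_root, "coke.txt")]
    return [p for p in candidates if os.path.isfile(p)]

def triage(reg_output, system_dir, drive_root):
    """Combine the registry and file checks into one report."""
    return {
        "shell_extras": unexpected_shell_entries(parse_reg_query(reg_output)),
        "files": find_artifacts(system_dir, drive_root),
    }

# Constructed sample of `reg query` output for an affected machine.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe WinShellb.exe
"""

if __name__ == "__main__":
    # Directory arguments are the Windows XP locations named in the text.
    print(triage(SAMPLE_REG_OUTPUT, r"C:\Windows\System32", "C:\\"))
```

Any extra entry in `shell_extras` deserves review, since the Shell value is a general-purpose autostart point and not specific to this worm.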