Virus Profile: W32/Coronex.worm.gen

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/22/2003
Date Added: 4/22/2003
Origin: Unknown
Length: 12,288 bytes
Type: Virus
Subtype: E-mail
DAT Required: 4259

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Presence of the files and registry keys detailed in the Virus Characteristics section.

Methods of Infection

When executed, the worm propagates itself to all addresses found in the Windows address book using its own SMTP engine. The worm copies itself to the %WINDIR% folder, modifying the Registry to run this copy at subsequent startup.

Aliases

I-Worm.Coronex, W32.Coronex@mm

Virus Characteristics

This is a mass-mailing worm, which simply spreads via email. It does not contain a destructive payload. The worm sends itself to all addresses in the Windows address book.

It arrives as an email attachment. The message may be one of the following:

From: sars@hotmail.com
Subject: SARS
Message: Severe Acute Respiratory Syndrome
Attachment: Sars.exe

From: sars2@hotmail.com
Subject: I need your help
Message: Severe Acute Respiratory Syndrome
Attachment: Corona.exe

From: corona@hotmail.com
Subject: Virus Alert!
Message: SARS Virus
Attachment: Virus.exe

From: virus@yahoo.com
Subject: Corona Virus
Message: honk kong
Attachment: Hongkong.exe

From: deaths@china.com
Subject: bye
Message: deaths virus
Attachment: Deaths.exe

From: virus@china.com
Subject: SARS
Message: SEE Ya
Attachment: Sars2.exe

From: Virus2@china.com
Subject: SARS Virus
Message: SARS Corona Virus
Attachment: Cv.exe

When the attachment is executed, the worm will perform the following actions:

  • Drops a copy of itself in the %WINDIR% directory.
  • Displays a message box:

    [SARS Virus: Corona Virus]

  • Creates a key to run itself during startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "PC-Config32" = C:\%WINDIR%\corona.exe -A

  • Changes the default browser start page:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Start Page" = http://www.who.int/csr/don/2003_04_19/en

  • Looks for "C:\My Downloads" and drops a copy of itself there using one of the following filenames (randomly chosen):
    • Cossacks Full Version.exe
    • Cossacks Full Version.exe
    • Battlefield 1942 (full).exe
    • Warcraft III Full.exe
    • Jedi Knight II.exe
    • Quake 3 Full Version.exe
    • Starcraft full.exe
    • Doom 3.exe
    • Tribes 2 (full).exe
    • Rainbow 6 Full.exe
    • Oni full.exe
    • White and Black.exe
    • Return to Castle Wolfenstien (Full).exe
    • Command & Conquer: Generals.exe
    • Black HawkDown (full).exe
    • The Sims: Unleashed.exe
    • Age Of Mythology.exe
    • Dark Age of Camelot.exe
    • Ultima Online.exe
    • The Lord of the Rings.exe
    • Medel of Honor: Allied Assualt.exe
    • Grand Theft Auto 3 (full).exe
    • Unreal 2: The Awakening (full).exe
    • Unreal.exe
    • Master Of Orion.exe

    Please note: The copies of the worm may vary in file size because garbage is appended to the end of the file. The virus may also attempt to drop a zero-byte file in the directory from which it was executed.

  • Mails itself to addresses listed in the Windows address book. The worm uses its own SMTP engine to construct the aforementioned messages.
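The indicators above turned into a small triage check, as an added example that is not part of the McAfee profile. The function and parameter names are assumptions; inputs are plain values (exported Run-key values, the IE start page, and mail headers) so it runs offline, and a caller would wire in live registry or mail-gateway access.

```python
import re

# Lure templates quoted in the profile: (sender, subject, attachment),
# stored lower-cased so matching is case-insensitive.
CORONEX_LURES = {
    ("sars@hotmail.com", "sars", "sars.exe"),
    ("sars2@hotmail.com", "i need your help", "corona.exe"),
    ("corona@hotmail.com", "virus alert!", "virus.exe"),
    ("virus@yahoo.com", "corona virus", "hongkong.exe"),
    ("deaths@china.com", "bye", "deaths.exe"),
    ("virus@china.com", "sars", "sars2.exe"),
    ("virus2@china.com", "sars virus", "cv.exe"),
}
CORONEX_ATTACHMENTS = {lure[2] for lure in CORONEX_LURES}

RUN_VALUE_NAME = "pc-config32"          # HKLM\...\CurrentVersion\Run value
START_PAGE = "http://www.who.int/csr/don/2003_04_19/en"


def score_email(sender, subject, attachment):
    """Classify one inbound message by its headers.

    Returns 'exact' when sender, subject and attachment all match a lure,
    'attachment' when only the attachment name matches (forwarded copy or
    mismatched template), and None otherwise."""
    key = (sender.strip().lower(), subject.strip().lower(),
           attachment.strip().lower())
    if key in CORONEX_LURES:
        return "exact"
    if key[2] in CORONEX_ATTACHMENTS:
        return "attachment"
    return None


def check_host(run_values, start_page):
    """Check the host indicators against exported registry data.

    run_values: dict of Run-key value names -> command strings (names are
    case-insensitive in the registry, so they are normalised here).
    start_page: the IE "Start Page" value, or None if absent.
    Returns the list of matched indicator names (empty means clean)."""
    hits = []
    values = {name.lower(): cmd for name, cmd in run_values.items()}
    # The profile shows the value as "<path>\corona.exe -A"; match on the
    # executable name because the %WINDIR% path differs between hosts.
    cmd = values.get(RUN_VALUE_NAME, "")
    if re.search(r"(^|\\)corona\.exe(\s|$)", cmd, re.IGNORECASE):
        hits.append("run-key")
    if start_page and start_page.strip().lower() == START_PAGE:
        hits.append("start-page")
    return hits
```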

Removal Instructions

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations