Description
Win32.HLLW.Keco is a mass-mailing e-mail worm. The worm's executable module is about 24 KB in size.
Propagation
The worm spreads by e-mail using its own implementation of the SMTP protocol. A message infected with Win32.HLLW.Keco has the following characteristics:
The subject line may be empty, may begin with the characters Re: or Fwd :, or is chosen from the following list of subjects:
Your details Your File Your document eCard sent to you My File Your picture My picture You got a pic ? You got image ? You got picture? Pic? Image? File? File! Document! The document Yours New document New File Your ZIP My private pics My private files My private images My private documents My private textes the text the poem a Poem a Text a Picture a Image My Text My Poem Did you like my poem? Did you like my text? 2 Poem some text whos picture ? a Joke Image of you Links profile your profile Its me :) Im back :D hello dude whats up? sup ? i got a problem warning, its me warning, im hot s--t man :P haha there you are ive searched for you :D wow, im so cool what you want ? hey, stop buggin me is it just me? great doesnt matter to me which u want? gr8 :) hahahahahahaha :D are you jesus? ;D she said what i was supposed to think :P Cute, Boring, Love. cute boring love :P its whats its all about i like apple juice coke just rules done you think ? i want to trademark i want to own you i want you i want to have you dont you longing for purity ? dont you ever gets so sick of territories ? i am naked man im nude dude, im nude what are you so scared of ? sick of spam? so am i :/ s--t s--t s--t do you trust me? do i trust you? do you know me? do i know you? i eat glass :D i can walk on the water this is so sick man :D check it out, its sick :D WOW, powerlevel up :D wow hahaha wow, if this aint pron, then i dont know what it is i made a mistake :( is this a mistake ? do you have a mistake ? i made a mistake are you intrested in making movies? making movies ? getting money? i love money do you love money? i got a picture of you and me i got a picture of you i got a picture of me you got a picture of us you got a picture of me you got a picture ? i hate to be singel i hate to not be lesbian i hate to be gay i hate to be a homosexual i am a lesbian i hate fags are you a f-g? is this right mail? is this james? is this kirk? is this kurt? is this rutger? is this stefan? 
is this stephen? is this mary? is this julie? is this ? is ? want to listen on some music? oh yea, thats how i like it how i like it oh yea im afraid im not afraid im afraid of dieing im afraid of begin ignore im afraid of feeling im not afraid of trying do you got msn? do you got icq? do you got aim? do you got mail? :D where is the sky? i am hiding noone knows, just u and i just u and i U and i U + I I + U i see everything :D Best i am I am Best Am best I Am i Best Best Am I i Best Am blah blah blah words, i hate words w0rd
The attachment may have the extension .bat, .cmd, .exe, .pif or .scr, and its name is chosen from the following list:
1 Update 3 Update [0]eCard [1]eCard A_eCard Application Applications BetaFile Cigg CiggSmoke CiggWeed Dare DareWho Death Details Die DieLive Document eCard eCard_20349 eCard_30042 eCard_30259 FileInfo FileNews FileTest FileText Image Images00 Images04 IMG_0345486 IMG_094385 IMG_2186395 IMG_2194864 IMG_2318975 IMG_234502 IMG_2349 IMG_2384063 IMG_34534953 IMG_358996 IMG_567567 IMG_804325 Info Info_Your InfoFile ItsATest Jpeg_file JPG Test Life Live LiveDie Music MusicPlayer MusicRar My Image My_Details My_Info MyImages NewEmail NewsFile Pic Test Picture0 PictureFile PictureImageFormat Pictures Porn PornFile PornPic PornZip Profiles Rar Rared RaredDocs RaredDocuments RaredJpeg RaredMusic RaredPictures RaredPorn RaredTexts RarFile RarPorn Raw Smoke SmokeCigg SmokeWeed Test Pic TestTest Testthis Textfile TheEmail ThisFile Tmp Docu tmpEMail tmpFiles tmpInfo0 tmpInfo1 tmpLogin tmpPics0 tmpTexts UrDetail Weed WeedCigg WeedSmoke WhoDare WinZipper Your Doc Your_Application Your_CardNumber Your_Details Your_eCard Your_Info Your_Login Your_Numbers Your_Profile Your_SignIn YourFile YourMail YourTest YourText Zip ZipDoc ZipFile Zipped ZippedDocs ZippedFiles ZippedJpeg ZippedPictures ZippedPorn ZippedTexts
Actions
When activated, the worm creates a semaphore named "COKE_DESTROYS_YOUR_BRAIN_5," to avoid reinfecting a system with its own copies. It then places a copy of itself named WinShellb.exe in the Windows system directory (C:\Windows\System on Windows 9x and Windows ME, C:\WINNT\System32 on Windows NT/2000, C:\Windows\System32 on Windows XP) and modifies the registry entry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = "Explorer.exe WinShellb.exe"
which ensures the worm is launched each time a user logs on to Windows.
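A defender's check for the Winlogon Shell persistence described above, added here as an example (it is not part of the original description): it parses the Shell value and reports every program other than explorer.exe, which is all a clean value should contain. The WinShellb.exe sample value comes from this page; the function names and the Windows-only registry read are my own assumptions.

```python
import sys
from typing import List

# Registry location of the Winlogon Shell value that the worm modifies.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_VALUE = "Shell"

# On a clean system the value names only the Explorer shell.
EXPECTED_SHELL = "explorer.exe"


def unexpected_shell_entries(shell_value: str) -> List[str]:
    """Return every program listed in a Winlogon Shell value other than explorer.exe.

    The worm appends its copy to the value ("Explorer.exe WinShellb.exe"), so any
    extra entry is a persistence indicator worth investigating. Entries are
    split on whitespace, which matches the worm's own format; a quoted path
    containing spaces would need a real command-line parser.
    """
    extras = []
    for entry in shell_value.split():
        # Drop surrounding quotes and any path prefix, compare case-insensitively.
        name = entry.strip('"').replace("/", "\\").split("\\")[-1].lower()
        if name != EXPECTED_SHELL:
            extras.append(entry)
    return extras


def read_winlogon_shell() -> str:
    """Read the live Shell value from HKLM (Windows only; returns "" elsewhere)."""
    if not sys.platform.startswith("win"):
        return ""
    import winreg  # standard library, but only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, WINLOGON_VALUE)
    return str(value)


if __name__ == "__main__":
    live = read_winlogon_shell()
    if live:
        print("Winlogon Shell =", live)
        print("unexpected entries:", unexpected_shell_entries(live) or "none")
    else:
        print("not running on Windows; nothing to inspect")
```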
In the root directory of drive C:\ the worm creates a text file coke.txt containing a message addressed to the authors of the Netsky, Beagle and Mydoom worms.