Cosol is a worm that spreads over the Internet as an email attachment. It also contains backdoor and key-spy routines.
The worm itself is a Windows PE EXE file about 355Kb in size (compressed with UPX; its decompressed size is about 675Kb), written in Delphi.
The infected messages have an attached EXE file with a name randomly selected from the following variants:
The message body is also randomly selected from several variants:
Cosa activates from infected emails only when a user clicks on the attached file. The worm then installs itself into the system and runs the spreading, backdoor and key-spy routines.
During installation the worm creates the following files in the Windows directory:
Cosa registers the following files in the system registry auto-run key:
The worm also creates and runs a decoy program:
Cosol creates a subdirectory (subdirs) in the Windows directory, where it writes its temporary files:
The key-spy routine logs all keys pressed on the keyboard and sends this information to the “master” computer with remote access.