Email-Worm.Win32.Cosol

Class Email-Worm
Platform Win32
Description

Technical Details

Cosol is a worm that spreads via the Internet as an email attachment. It also carries backdoor and key-spy (keylogging) routines.

The worm itself is a Windows PE EXE file about 355Kb in size (UPX-compressed; about 675Kb when decompressed), written in Delphi.

The infected messages have an attached EXE file with a name randomly selected from the following variants:

  • cosol.exe
  • mirch.exe
  • myprog.exe
  • Anti.exe
  • projekt2.exe
  • eb.exe
  • Vis.exe
  • msn.exe
  • Buch.exe
  • Tach.exe

The message body is also randomly selected from several variants:

  • Heloo!!!
    I send you this program
    I think you like it

  • Hi!,
    This is my Cool program
    run this program, you mast like

  • Have do you do!!!
    I sent this program, special for you.
    Take the atachment and run!!!

Cosol activates from an infected email only when the user opens the attached file. The worm then installs itself into the system and runs its spreading, backdoor and key-spy routines.

During installation the worm creates the following files in the Windows directory:

  • DC220.EXE – worm copy
  • BIOS.EXE – a second worm copy
  • CSOLP.EXE – worm component

Cosol registers these files in the system registry auto-run keys:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    rundll = %WindowsDir%\DC220.exe

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    rundll32 = %WindowsDir%\csolp.exe

The worm also creates and runs a decoy program:

    Program Files\Common Files\RASKR.EXE

Cosol also creates the following subdirectories in the Windows directory and writes its temporary files there:

  • syssend
  • sysmai
  • sysem
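As an added defender-side example (not part of the original description or the vendor's own detection logic), the following Python checks a host inventory for the installation artifacts listed above: the worm copies and temporary subdirectories in the Windows directory and the two auto-run registry values. The inventory format and the sample data are constructed for illustration.

```python
# Installation artifacts taken from the description above. The inventory
# format (lists of names and (key, value, data) triples) is an assumption
# made for this example, e.g. produced from a directory listing and a
# registry export collected during incident response.

WORM_FILES = {"dc220.exe", "bios.exe", "csolp.exe"}
WORM_SUBDIRS = {"syssend", "sysmai", "sysem"}
AUTORUN_VALUES = {
    # (key, value name, data) with %WindowsDir% left unexpanded, all lower-case
    (r"hklm\software\microsoft\windows\currentversion\runservices",
     "rundll", r"%windowsdir%\dc220.exe"),
    (r"hklm\software\microsoft\windows\currentversion\runonce",
     "rundll32", r"%windowsdir%\csolp.exe"),
}


def scan_host(windows_dir_entries, registry_values, windows_dir=r"C:\Windows"):
    """Return a sorted list of indicator tags found in the host inventory.

    windows_dir_entries: names (files and subdirectories) found in %WindowsDir%.
    registry_values: (key, value_name, data) triples from a registry export.
    windows_dir: the real Windows directory, so that expanded paths in the
    registry can be compared against the %WindowsDir% form used above.
    """
    names = {n.lower() for n in windows_dir_entries}
    hits = ["file:" + f for f in WORM_FILES & names]
    hits += ["dir:" + d for d in WORM_SUBDIRS & names]

    prefix = windows_dir.lower().rstrip("\\") + "\\"
    for key, value_name, data in registry_values:
        data_norm = data.lower()
        if data_norm.startswith(prefix):
            data_norm = "%windowsdir%\\" + data_norm[len(prefix):]
        if (key.lower(), value_name.lower(), data_norm) in AUTORUN_VALUES:
            subkey = key.lower().rsplit("\\", 1)[-1]
            hits.append("autorun:" + subkey + "\\" + value_name.lower())
    return sorted(hits)


# Constructed sample inventory resembling an infected host.
SAMPLE_WINDOWS_DIR = ["explorer.exe", "DC220.EXE", "BIOS.EXE", "syssend", "win.ini"]
SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "rundll", r"C:\Windows\DC220.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "ctfmon", r"C:\Windows\System32\ctfmon.exe"),
]

if __name__ == "__main__":
    for hit in scan_host(SAMPLE_WINDOWS_DIR, SAMPLE_REGISTRY):
        print(hit)
```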
Backdoor

The backdoor routine enables remote operation of the infected computer. It reports disk and file information; creates, deletes and executes files; sends files from the infected computer to the “master” computer; and looks for password files (including WebMoney files) and sends them to the “master” computer as well. Files affected by the backdoor routine:

    *.kwm
    *.mag
    *.pwl
    *.pwm
    *R��??*.txt
    *pass*.txt
    *? �R’�*.txt
    *R� �??*.exl
    *R��??*.exl
    *pass*.exl
    *? �R’�*.exl

    The key-spy routine logs all keys pressed on the keyboard and sends this information to the “master” computer with remote access.