W32/Colevo@MM launches Internet Explorer and connects to various news Web sites displaying images of Bolivian Aymara Indian leader Evo Morales. The Web sites it connects to are:
http://jeremybigwood.net
http://news.bbc.co.uk
http://www.commondreams.org/headlines/images/100700-01.jpg
http://www-ni.laprensa.com.ni
http://www.soc.uu.se
http://www.cannabisculture.com
http://www.chilevive.cl
http://membres.lycos.fr
http://news.bbc.co.uk
http://www.movimientos.org
When run, the worm copies itself to the %WINDIR% directory under the following filenames:
All Users.exe
command.exe
Hot Girl.scr
hotmailpass.exe
Inf.exe
Internet Download.exe
Internet File.exe
Part Hard Disk.exe
Shell.exe
system.exe
system32.exe
system64.pif
Temp.exe
Read more at this Network Associates page.
Antivirus software vendor Sophos recognizes the worm as W32/Colevo-A, and says it copies itself to the following files:
W32/Colevo-A will also make certain registry changes. View them and other information at this Sophos page.
According to antivirus software vendor Trend Micro, Worm_Colevo.A propagates by using its own SMTP (Simple Mail Transfer Protocol) engine to send infected email messages to every contact found in MSN Messenger. The email message it sends out has the following characteristics:
Subject: El adelanto de matrix ta gueno (Spanish; roughly "The Matrix preview is good")
Message Body (Spanish, quoted as given):
Oye te ? paso el programa para entrar a cuentas del messenger Z y facilingo te lo paso a voz nomas, prometeme que no se lo pasas a nadie, ya? u Respondeme que tal te parecio. Chau
(In English: "Hey, I'm sending you the program to get into Messenger accounts, it's real easy; I'm only passing it on to you, promise me you won't give it to anyone, OK? Let me know what you thought of it. Bye")
Attachment: hotmailpass.exe
Technical details are at this Trend Micro page.
Worm Creates Remote Access Point for Hackers to Exploit
This worm is based on the IRC-Sdbot Trojan code. The IRC-Sdbot source code was published on the Internet some time ago, and a number of worms are built from it; this is one of them. It is detected as IRC-Sdbot with the 4258+ DAT files.
W32/Sdbot spreads via network shares and creates a remote access point for attackers to exploit. When run, it copies itself to the Windows system directory (%SysDir%) and creates two registry run keys so that the worm is loaded at system startup:
Read more at this McAfee page.
Compiled by Esther Shein.
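The lure described in the Trend Micro item above (the worm's own SMTP engine, a fixed subject line and a hotmailpass.exe attachment) is the kind of thing a mail gateway can screen for before the attachment reaches a user. The block below is an added example, not code from this page or from any of the vendors it cites. It parses a MIME message with Python's standard email package, flags a message that matches the exact Colevo indicators, and more generally flags any attachment whose final extension Windows will execute when opened (.exe, .scr, .pif, .com, .bat, .cmd), which would also catch the worm's other dropper names such as Hot Girl.scr or system64.pif if they were mailed. The sample messages are constructed inside the block; the extension list and the function names are this example's own choices.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted on this page for Worm_Colevo.A's outbound mail.
COLEVO_SUBJECT = "El adelanto de matrix ta gueno"
COLEVO_ATTACHMENT = "hotmailpass.exe"

# Extensions Windows executes directly when the attachment is opened.
# The worm's own droppings use .exe, .scr and .pif; the rest are an
# assumption of this example, not something the page lists.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def attachment_names(msg):
    """Return the filenames of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and part.get_content_disposition() in ("attachment", "inline"):
            names.append(name)
    return names


def executable_attachments(msg):
    """Names of attachments whose *final* extension Windows executes.

    Lower-cases the extension and looks only at the last one, so a
    double-extension lure such as 'foto.jpg.scr' is still caught.
    """
    found = []
    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS:
            found.append(name)
    return found


def classify(raw_bytes):
    """Classify one raw RFC 822 message.

    Returns ("colevo", names) when both the subject and the attachment name
    match the Trend Micro indicators, ("executable", names) when the message
    merely carries an executable attachment, and ("clean", []) otherwise.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    exes = executable_attachments(msg)
    subject = (msg["subject"] or "").strip()
    if subject == COLEVO_SUBJECT and any(n.lower() == COLEVO_ATTACHMENT for n in exes):
        return "colevo", exes
    if exes:
        return "executable", exes
    return "clean", []


def build_sample(subject, attachment_name, body):
    """Construct a test message (not a real capture) with one binary attachment."""
    m = EmailMessage()
    m["From"] = "friend@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    # The payload is a placeholder, not worm code: just an MZ header stub.
    m.add_attachment(b"MZ\x90\x00 placeholder, not a real binary",
                     maintype="application", subtype="octet-stream",
                     filename=attachment_name)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        (COLEVO_SUBJECT, "hotmailpass.exe"),   # the lure quoted by Trend Micro
        ("Fotos del viaje", "foto.jpg"),        # benign attachment
        ("Fotos del viaje", "foto.jpg.scr"),    # double-extension trick
    ]
    for subj, att in samples:
        verdict, names = classify(build_sample(subj, att, "hola"))
        print(f"{subj!r:40} {att:20} -> {verdict} {names}")
```

The exact-match branch is only useful against this one variant; the executable-extension branch is the durable control, since the subject and attachment name change between variants while the need to hand the victim a runnable file does not.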