WORM_KECO.A

Mar 7, 2004 1:29AM PST

Virus type: Worm

Destructive: No

Description:


This memory-resident worm uses its own SMTP engine to propagate via email with varying subjects, message bodies, and attachment file names.

It gathers target email addresses from certain files found on the hard drive.

It also connects to a particular Internet Relay Chat (IRC) server on port 6667. It uses random nicknames and email addresses, which have the suffix @foo.bar.

It performs the following tasks:

Drop a copy of itself as the file WINSHELLB.EXE in the Windows system folder
Create the mutex COKE_DESTROYS_YOUR_BRAIN_5 to ensure that only one instance of itself exists in memory
Display a message box, which allows it to proceed to its malicious routines
Query the local DNS server using port 53, and other external DNS servers for a mail exchange that matches the domain of the recipient's email address
This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_KECO.A
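
Added example, not part of the original post or the Trend Micro write-up: a small triage routine that correlates the behaviours listed above (the WINSHELLB.EXE copy in the Windows system folder, the mutex, IRC on port 6667, direct SMTP and MX lookups) per host. The event schema, field names such as `type`, `host` and `is_mail_client`, and the sample events are hypothetical and constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the description above.
DROPPED_NAME = "winshellb.exe"
MUTEX = "COKE_DESTROYS_YOUR_BRAIN_5"
IRC_PORT, SMTP_PORT = 6667, 25  # 25 = standard SMTP port (not stated in the post)
# Default Windows system folder on 9x/ME, XP and NT/2000 installs.
SYSTEM_DIRS = ("\\windows\\system", "\\windows\\system32", "\\winnt\\system32")

def indicators_for(event):
    """Return the set of behaviour labels that one telemetry event matches."""
    hits = set()
    kind = event.get("type")
    if kind == "file_create":
        directory, name = ntpath.split(event["path"].lower())
        if name == DROPPED_NAME and directory.endswith(SYSTEM_DIRS):
            hits.add("dropped_copy")
    elif kind == "mutex" and event["name"] == MUTEX:
        hits.add("mutex")
    elif kind == "net_connect":
        if event["dst_port"] == IRC_PORT:
            hits.add("irc_6667")
        # SMTP from a process that is not the host's mail client (own SMTP engine).
        elif event["dst_port"] == SMTP_PORT and not event.get("is_mail_client", False):
            hits.add("direct_smtp")
    elif kind == "dns_query" and event["qtype"] == "MX":
        hits.add("mx_lookup")
    return hits

def triage(events, threshold=2):
    """Group hits by host; report hosts showing >= threshold distinct behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators_for(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}

# Constructed sample telemetry (hypothetical schema, not real logs).
SAMPLE = [
    {"host": "pc-01", "type": "file_create", "path": "C:\\WINDOWS\\system32\\WINSHELLB.EXE"},
    {"host": "pc-01", "type": "mutex", "name": "COKE_DESTROYS_YOUR_BRAIN_5"},
    {"host": "pc-01", "type": "net_connect", "dst_port": 6667},
    {"host": "pc-01", "type": "dns_query", "qtype": "MX"},
    {"host": "pc-02", "type": "net_connect", "dst_port": 6667},  # ordinary IRC user
    {"host": "mail-01", "type": "net_connect", "dst_port": 25, "is_mail_client": True},
    {"host": "mail-01", "type": "dns_query", "qtype": "MX"},
    {"host": "pc-03", "type": "file_create", "path": "D:\\temp\\WINSHELLB.EXE"},
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Requiring two or more distinct behaviours keeps a lone IRC connection or a mail server's routine MX lookups from flagging a host on their own.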
