Malware type: Worm

Aliases: Win32.Coronex.A, W32/Coronex.worm, W32/Coronex-A, W32.Coronex@mm, I-Worm.Coronex, Coronex

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, NT, ME, 2000, XP

Encrypted: No

Description: 

This worm takes advantage of the current concern surrounding SARS. It arrives attached on email messages that refer to the health issue.

This fast mass-mailer sends copies of itself via email to all the addresses listed in the Windows Address Book (WAB). It sends email using its own SMTP or Simple Mail Transfer Protocol engine.

It sends out email with the following details:

From: sars@hotmail.com/sars2@hotmail.com
Subject: Severe Acute Respiratory Syndrome
Message body:
Attachment: sars.exe

From: sars2@hotmail.com
Subject: I need your help
Message body: Severe Acute Respiratory Syndrome
Attachment: corona.exe

From: corona@hotmail.com
Subject: Virus Alert!
Message body: SARS Virus
Attachment: virus.exe

From: virus@yahoo.com
Subject: Corona Virus
Message body: honk kong
Attachment: hongkong.exe

From: deaths@china.com
Subject: deaths virus
Message body:
Attachment: deaths.exe

From: virus@china.com
Subject: SEE Ya
Message body:
Attachment: sars2.exe

From: virus2@china.com
Subject: SARS Virus
Message body: SARS Corona Virus
Attachment: cv.exe

This worm also modifies the Internet Explorer home page to the following address:

http://www.who.int/csr/don/2003_04_19/en/

The site is a legitimate site on SARS.

It also displays the following message box.

This worm is written in assembly and runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Apr. 24, 2003 12:06:38 AM GMT -0800
Description updated: Apr. 24, 2003 4:01:47 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.