Win32/Keco [Threat Name]
Win32/Keco.B [Threat Variant Name]
Category | worm |
Size | 24064 B |
Aliases | W32.Keco@mm (Symantec), Win32.HLLW.Keco (Dr.Web) |
Short description
Win32/Keco.B is a worm that spreads via e-mail. The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself into the following location:
- %system%\WinShellb.exe
The worm modifies the following file:
- %windir%\system.ini
The following Registry entry is set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Shell" = "Explorer.exe WinShellb.exe"
This causes the worm to be executed on every system start.
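The Winlogon "Shell" value is the persistence point worth checking during triage: Winlogon launches every space-separated program listed there at logon, so a clean value contains only explorer.exe. The script below is an added example, not part of the ESET description; it parses that value, reports any extra program, and looks for the dropped file. It assumes %system% resolves to %SystemRoot%\System32 and that a legitimate Shell value consists of explorer.exe alone; the function names are the example's own.

```python
import os
import re
import sys
from typing import List, Optional

# Registry path (under HKEY_LOCAL_MACHINE) and dropped file name as given in
# the description of Win32/Keco.B.
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DROPPED_NAME = "WinShellb.exe"

# explorer.exe, with or without a leading path, in any letter case.
_EXPLORER = re.compile(r"^(?:.*\\)?explorer\.exe$", re.IGNORECASE)


def extra_shell_programs(shell_value: str) -> List[str]:
    """Return every token of a Winlogon "Shell" value other than explorer.exe.

    Winlogon starts each space-separated program in the value at logon, so a
    clean machine yields [] and the Keco.B value "Explorer.exe WinShellb.exe"
    yields ["WinShellb.exe"].
    """
    return [tok for tok in shell_value.split() if not _EXPLORER.match(tok)]


def read_winlogon_shell() -> Optional[str]:
    """Read HKLM\\...\\Winlogon\\Shell; None off Windows or if the value is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module, imported lazily
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, "Shell")
    except OSError:
        return None
    return str(value)


def triage(shell_value: Optional[str], system_dir: str) -> List[str]:
    """Return one finding per Keco.B persistence indicator that is present."""
    findings = []
    if shell_value:
        extra = extra_shell_programs(shell_value)
        if extra:
            findings.append(
                "Winlogon Shell launches extra program(s): " + ", ".join(extra)
            )
    dropped = os.path.join(system_dir, DROPPED_NAME)
    if os.path.isfile(dropped):
        findings.append("dropped file present: " + dropped)
    return findings


if __name__ == "__main__":
    # Assumption of this example: %system% is %SystemRoot%\System32.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    results = triage(read_winlogon_shell(), system_dir)
    for line in results or ["no Win32/Keco.B persistence indicators found"]:
        print(line)
```

Run it with Python on the suspect host; on a non-Windows system the registry read is skipped and only the file check runs, while the parsing function can be fed a value exported from an offline registry hive.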
Spreading via e-mail
Win32/Keco.B is a worm that spreads via e-mail.
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
- *.*txt*
- *.*doc*
- *.*vbs*
- *.*nfo*
- *.*tml*
- *.*htm*
- *.*asp*
- *.*php*
- *.*pl*
- *.*adb*
- *.*cgi*
- *.*dbx*
- *.*eml*
- *.*msg*
- *.*oft*
- *.*rtf*
- *.*sht*
- *.*wab*
The attachment is an executable of the worm.
Its filename is one of the following:
- [1]eCard
- [0]eCard
- Document
- YourFile
- Your Doc
- Textfile
- Profiles
- Tmp Docu
- ThisFile
- YourText
- 1 Update
- 3 Update
- UrDetail
- NewEmail
- YourMail
- TheEmail
- tmpEMail
- tmpTexts
- tmpFiles
- tmpLogin
- tmpInfo0
- tmpInfo1
- tmpPics0
- Picture0
- Pictures
- Images00
- Images04
- MyImages
- My Image
- FileInfo
- InfoFile
- NewsFile
- FileNews
- FileTest
- FileText
- Testthis
- BetaFile
- TestTest
- ItsATest
- Test Pic
- Pic Test
- YourTest
- JPG Test
- Application
- Applications
- Details
- Your_Details
- My_Details
- Your_Profile
- Your_eCard
- A_eCard
- eCard
- eCard_30042
- eCard_30259
- eCard_20349
- Music
- MusicPlayer
- WinZipper
- ZipFile
- ZippedFiles
- ZipDoc
- ZippedDocs
- ZippedTexts
- ZippedPictures
- RaredDocs
- RaredPictures
- RaredTexts
- RaredDocuments
- Image
- IMG_094385
- IMG_234502
- IMG_358996
- IMG_567567
- IMG_804325
- IMG_2318975
- IMG_2186395
- IMG_2194864
- IMG_0345486
- IMG_2384063
- IMG_34534953
- IMG_2349
- Jpeg_file
- ZippedJpeg
- Zipped
- RarFile
- Rared
- RaredJpeg
- RaredMusic
- MusicRar
- Your_Application
- Your_Numbers
- Your_Login
- Your_SignIn
- Your_CardNumber
- Your_Info
- Info
- My_Info
- Info_Your
- PornFile
- PornZip
- ZippedPorn
- RarPorn
- RaredPorn
- Porn
- PornPic
- PictureFile
- PictureImageFormat
- LiveDie
- DieLive
- Live
- Life
- Death
- Smoke
- Weed
- Cigg
- WeedSmoke
- SmokeWeed
- CiggSmoke
- SmokeCigg
- CiggWeed
- WeedCigg
- Dare
- WhoDare
- DareWho
The extension of the file is ".ZIP".
The sender's address is spoofed.
Subject of the message is one of the following:
- Your details
- Your File
- Your document
- eCard sent to you
- My File
- Your picture
- My picture
- You got a pic ?
- You got image ?
- You got picture?
- Pic?
- Image?
- File?
- File!
- Document!
- The document
- Yours
- New document
- New File
- Your ZIP
- My private pics
- My private files
- My private images
- My private documents
- My private textes
- the text
- the poem
- a Poem
- a Text
- a Picture
- a Image
- My Text
- My Poem
- Did you like my poem?
- Did you like my text?
- 2 Poem
- some text
- whos picture ?
- a Joke
- Image of you
- Links
- profile
- your profile
- Its me :)
- Im back :D
- hello dude
- whats up?
- sup ?
- i got a problem
- warning, its me
- warning, im hot
- shit man :P
- haha there you are
- ive searched for you :D
- wow, im so cool
- what you want ?
- hey, stop buggin me
- is it just me?
- great
- doesnt matter to me
- which u want?
- gr8 :)
- hahahahahahaha :D
- are you jesus? ;D
- she said what i was supposed to think :P
- Cute, Boring, Love.
- cute boring love :P
- its whats its all about
- i like apple juice
- coke just rules done you think ?
- i want to trademark
- i want to own you
- i want you
- i want to have you
- dont you longing for purity ?
- dont you ever gets so sick of territories ?
- i am naked
- man im nude
- dude, im nude
- :P
- :)
- -
- :-)
- ;-)
- =)
- >=)
- ;D
- what are you so scared of ?
- sick of spam? so am i :/
- shit shit shit
- do you trust me?
- do i trust you?
- do you know me?
- do i know you?
- i eat glass :D
- i can walk on the water
- this is so sick man :D
- check it out, its sick :D
- WOW, powerlevel up :D
- wow hahaha
- wow, if this aint pron, then i dont know what it is
- i made a mistake :(
- is this a mistake ?
- do you have a mistake ?
- i made a mistake
- are you intrested in making movies?
- making movies ?
- getting money?
- i love money
- do you love money?
- i got a picture of you and me
- i got a picture of you
- i got a picture of me
- you got a picture of us
- you got a picture of me
- you got a picture ?
- i hate to be singel
- i hate to not be lesbian
- i hate to be gay
- i hate to be a homosexual
- i am a lesbian
- i hate fags
- are you a fag?
- is this right mail?
- is this james?
- is this kirk?
- is this kurt?
- is this rutger?
- is this stefan?
- is this stephen?
- is this mary?
- is this julie?
- is this ?
- is ?
- want to listen on some music?
- oh yea, thats how i like it
- how i like it
- oh yea
- im afraid
- im not afraid
- im afraid of dieing
- im afraid of begin ignore
- im afraid of feeling
- im not afraid of trying
- do you got msn?
- do you got icq?
- do you got aim?
- do you got mail? :D
- where is the sky?
- i am hiding
- noone knows, just u and i
- just u and i
- U and i
- U + I
- I + U
- i see everything :D
- %space%
- Best i am
- I am Best
- Am best I
- Am i Best
- Best Am I
- i Best Am
- blah blah blah
- words, i hate words
- w0rd
Body of the message is one of the following:
- Can you please test this?
- test
- Test ?
- Is it working?
- Check the attachment :)
- Attachment :)
- Test the attachment :)
- Ive added your files
- This is my pics
- Pics
- Pictures :)
- Ive added some texts
- Ive added a text
- Ive added some documents
- Ive added some pics
- Ive added some tools
- Ive added some files
- Ive added a document
- Ive added a picture
- Ive added a image
- Ive added a file
- Check out your eCard
- Someone sent you a eCard
- You got a eCard
- Its a eCard for you
- Its a present
- Look :)
- Attachment
- Open the attachment :D
- Check the file
- Check the added file
- Look at the added file
- Please, i cant find the error, can you check the file
- Ive sent your document
- Is this kirk? if so i added our pictures
- Is this george? if so ive added the pictures ;)
- Its pcitures of me
- What you like the picture?
- What you like the file ?
- Got this ?
- You have this ?
- Can you tell me what you think of it?
- Look what a funny game i found :)
- A funny game
- ive added a screensaver for you
- a screensaver, for you :)
- Images of us last year
- Do you remember these images ?
- do you remember these pictures ?
- Do you still have this file ?
- I send the file you asked about
- The file you asked about
- Your file
- Your textfile
- Your image
- eCard picture.
Information stealing
The worm collects the following information:
- network parameters
- proxy server settings
The worm attempts to send gathered information to a remote machine.
The worm contains a list of (4) URLs. The HTTP protocol is used.
Other information
The worm can download and execute a file from the Internet.
The file is stored in the following location:
- C:\coke%variable%
A string with variable content is used instead of %variable%.
The worm may display the following message:
- "Now this will try to send a mail to Askel ;D"
The worm creates the following files:
- C:\Coke.txt
It contains the following text:
- Coke worm is here [Version 2 :)]
- Coke worm is here to join the party
- Notice to others :
- %censored% you Bagel Your just a lucky ScriptKiddie
- %censored% you MyDoom Your just a %censored%
- %censored% you SkyNet You had luck to get into F-Sec mail-list, nothing special tho.
- The virus-scene lost a great coder. Later Benny/29A
- You cant code worms, your not worth to be called coders.
- You lame %censored%.