W32/Keco.worm, WORM_KECO.A, Win32.Keco.A, I-Worm.Keco
Email-Worm.Win32.Keco.e, I-Worm.Keco.e, W32/Keco.worm.gen
Category: Computer Worm
North America, South America, Asia, Europe, some parts of Africa and Australia
08 Mar 2004
The [email protected]
malware is a mass mailing worm that may also exhibit some backdoor capabilities. This worm propagates by using its own Simple Mail Transfer Protocol or SMTP engine. It will email its code to all addresses it can locate in the infected computer system. The email’s subject will vary and the infected attachment will in the .ZIP file extension.
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected]
from your computer.
Once the worm is run in the compromised computer, it will copy itself to the system as an executable file. It will alter the registry and modify the boot section’s line of the file System.ini to make sure that it will executed when Windows is launched. It will then go on to create a mutex so that only a single instance of the malware is running at any given time and display a pop-up dialog box. This worm will likewise create a .TXT file that will contain offensive messages to other worm authors. Next, it will again make copies of itself with the extensions .exe, .cmd, .scr, .com, .pif and .bat and then create a ZIP file out of the created files. It then creates an email message with varying subjects and a ZIP file as attachment.
This security risk can also sequentially open the 1025 and above TCP ports. It also tries to establish a connection with a predetermined IRC server that uses the 6667 TCP port. The usernames will also vary but will always end with the domain,@foo.bar. To purge this security threat’s infection, open the Windows Task Manager and end the malware program’s process. Locate the malicious file WinShellb.exe and all files associated to the malware in the Processes Tab and then click End Process. All registry entries made the worm will also have to be deleted. Go to the System Configuration Editor by going to Start, then Run, type in SYSEDIT, and then enter. In the editor, choose the window SYSTEM.INI and then find the line Shell="Explorer.exe WinShellb.exe." exe in the same line and then delete it.