Weekly Virus Report – Coronex, Opex, Tavo and Morb Worms

This week’s virus report will focus on four worms, including Coronex, which uses as bait the chronic pneumonia outbreak that has claimed over 200 victims throughout the world, and a Trojan called Alor.

Coronex spreads rapidly via e-mail and through the P2P (peer-to-peer) file-sharing applications in a message that uses the Severe Acute Respiratory Syndrome (SARS) outbreak to get the user’s attention. Coronex reaches computers in an attached file, whose name -“CORONA.EXE”, “CV.EXE”, “DEATHS.EXE”, “HONGKONG.EXE”, “SARS.EXE”, “SARS2.EXE” and “VIRUS.EXE”-, etc. refers to the disease or the corona virus that causes it. The texts that appear in the subject and message body also refer to SARS.

When the attached file is run, Coronex sends itself out to all the contacts in the address book on the affected computer, where it also copies the attached file under a name that refers to a famous computer game, such as Command & Conquer, Doom, The Lord Of The Rings, The Sims, Unreal, etc. By doing this, the worm tries to make users of file-sharing programs believe that it is a computer game, so that they download it and help it to spread.

The second worm in today’s report is Opex, which spreads through the P2P file-sharing programs KaZaA, eDonkey and Morpheus. In order to do this, it creates a large number of copies of itself in the default shared directories of these programs and in a random folder in the My Documents directory. The names of these files refer to IT applications, games, screensavers, etc. By doing this, other users will download copies of the virus to their computer, thinking that they are downloading utilities.

The third worm is Tavo, which reaches computers in an e-mail message with the subject “Saludos” and an attachment called “IESRACK.VBS”, although it can also spread through infected floppy disks. When infection has been carried out, Tavo sends itself out to all the contacts in Outlook’s Address Book.

If the system date is the 11th, Tavo displays a message on screen, while on December 1 it deletes all the files in the My Documents folder and on the 9th of the month it writes “Danger!… I’m New FeLiNo GZ.LyoN” in the active text files. Furthermore, every eight minutes, Tavo checks if there is a floppy disk in the disk drive that is not write-protected. On finding one, the worm copies itself to it and as a result, if the disk is used on another computer, it will automatically infect it.

The final worm is Morb, which spreads rapidly via e-mail, IRC chat channels and KaZaA, the P2P file sharing application. When it has infected the computer, it replies to all the messages in the Inbox with a message that contains an infected file. Morb also drops a backdoor Trojan in the computer, which opens the communications port 81 and sends a message to all the IRC users connected to the same channel as the infected user.

We are going to close this week’s report with Alor, which is a backdoor Trojan that allows a hacker to gain remote access to the affected computer via a TCP/IP connection through port 12345. A hacker who managed to gain remote access to the victim computer would be able to set a password and carry out several actions including accessing confidential information stored on the computer, opening and closing the CD-ROM or DVD tray and enabling or disabling Windows Task Manager.