echo: virus
to: ALL
from: KURT WISMER
date: 2003-05-04 23:13:00
subject: News

[cut-n-paste from sophos.com]

W32/Kullan-A

Aliases
W32.HLLW.Kullan, TROJ_TAMPONAI.A, Worm.Win32.Kullan

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Kullan-A is a complex worm with backdoor functionality that targets 
available network shared resources.

When executed the worm copies itself to the Windows system folder with 
the filename Services.exe and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

or

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

and adds the full path to Services.exe to:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

Running as a background process the worm uses the "net view" command to 
be able to drop a copy of itself to the Start Menu folder of the 
available computer using the computer name as a filename.

As a backdoor the worm provides access to confidential information such 
as OS type, keystroke logs and email details.

W32/Kullan-A may also change the Win.ini and System.ini files to make 
sure the worm will be executed at the next restart.





W32/Cailont-A

Aliases
Nolor

Type
Win32 worm

Detection
At the time of writing Sophos has received just one report of this worm 
from the wild.

Description
W32/Cailont-A is an internet worm which sends itself out by email.

W32/Cailont-A creates seven files in your system folder. The files 
explorer.exe, kernel32.exe, netdll.dll and serscg.dll are copies of the 
worm. The file setup.htm is a web page containing a Visual Basic Script 
which creates and launches the worm (this identity detects this file as 
VBS/Cailont-A). The files Netsn.dll and Bsbk.dll are raw base64-encoded 
copies of the worm and script files (these files are harmless on their 
own and can be deleted).

W32/Cailont-A adds the value:

explorer = "\SYSTEM\FOLDER\explorer.exe"

to the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

This means that the worm will run automatically every time you start 
your computer.

W32/Cailont-A sends emails with the following characteristics:

Subject line: Re:baby!your friend send this file to you !
Message text: Read this file

Subject line: HELP??-
Message text: Help...

Subject line: Re:Get Password mail...
Message text: Enjoy

Subject line: Re:Get Password mail...
Message text: Read File attach .

Subject line: Re:Binladen_Sexy.jpg
Message text: run File Attach to extract:BinladenSexy.jpg...

Subject line: The Sexy story and 4 sexy picture of BINLADEN !
Message text: Enjoy! BINLADEN:SEXY..

Subject line: Re:I Love You...OKE!
Message text: Souvenir for you from file attach...

Subject line: A Greeting-card for you .
Message text: See the Greeting-card .

Subject line: Re:Kiss you..^{at}^
Message text: Read file attach

Subject line: Guide to fuck ...
Message text: I like Sexy with you.

Subject line: Re:Baby! 2000USD,Win this game...
Message text: Play the game from file attach

Subject line: Help
Message text: Help.

W32/Cailont-A names its attachment:

xxx.KISS.OK.EXE

or:

xxx.HTM

where xxx varies from email to email.





W32/Coronex-A

Aliases
I-Worm.Coronex.a, W32/Coronex.worm, Win32/Sars.A, W32.Coronex{at}mm, 
WORM_CORONEX.A

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description
W32/Coronex-A is an internet worm which emails itself to every contact 
in the Windows address book.

The email characteristics vary depending upon the current day of the 
week, as follows:

Sender address: sars{at}hotmail.com
Subject line: Severe Acute Respiratory Syndrome
Attached file: sars.exe

Sender address: sars2{at}hotmail.com
Subject line: I need your help
Message text: Severe Acute Respiratory Syndrome
Attached file: corona.exe

Sender address: corona{at}hotmail.com
Subject line: Virus Alert!
Message text: SARS Virus
Attached file: virus.exe

Sender address: virus{at}yahoo.com
Subject line: Corona Virus
Message text: honk kong
Attached file: hongkong.exe

Sender address: deaths{at}china.com
Subject line: deaths virus
Attached file: deaths.exe

Sender address: virus{at}china.com
Subject line: SEE Ya
Attached file: sars2.exe

Sender address: virus2{at}china.com
Subject line: SARS Virus
Message text: SARS Corona Virus
Attached file: cv.exe

When first run, the worm displays a message box with the text "SARS 
Virus, corona virus", copies itself to the Windows folder as Corona.exe 
and creates the following registry entry so that corona.exe is run 
automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PC-Config32
= %WINDOWS%\corona.exe -A

The worm copies itself to the C:\My Downloads folder using 1 of the 24 
filenames listed below, depending upon the current hour of the day:

Age Of Mythology.exe
Battlefield 1942 (full).exe
Black Hawk Down (full).exe
Command & Conquer: Generals.exe
Cossacks Full Version.exe
Dark Age of Camelot.exe
Doom 3.exe
Grand Theft Auto 3 (full).exe
Jedi Knight II.exe
Master Of Orion 3.exe
Medel Of Honor: Allied Assault.exe
Oni full.exe
Quake 3 Full Version.exe
Rainbow 6 Full.exe
Return to Castle Wolfenstien (Full).exe
Starcraft full.exe
The Lord of the Rings.exe
The Sims: Unleashed.exe
Tribes 2 (full).exe
Ultima Online.exe
Unreal 2: The Awakening (full).exe
Unreal.exe
Warcraft III Full.exe
White and Black.exe

When run with a -A command line switch (i.e. on startup), the worm runs 
continuously in the background and emails itself when the time is 1 
minute past any hour.

The worm also changes the start page for Microsoft Internet Explorer by 
setting the registry entry

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
= http://www.who.int/csr/don/2003_04_19/en

 
--- MultiMail/Win32 v0.43
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
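The three advisories above all come down to a handful of autostart locations: the Run keys, the `Windows\load` / `Windows\run` values, the Winlogon `shell` value, the IE start page and the legacy `win.ini` / `system.ini` lines. The PowerShell script below is an added example (not code from the Sophos advisories or from the original post) that audits exactly those locations on a local machine, read-only, and lists anything that references the filenames or URL the advisories name. The registry paths, value names, filenames and the WHO URL are taken from the advisories; the `Add-Finding` / `Get-RegistryValues` helpers, the indicator list and the output format are my own assumptions.

```powershell
# Added example, not from the Sophos advisories or the original post: a read-only
# audit of the autostart locations the advisories above describe.
# Registry paths, value names, filenames and the URL come from the advisories;
# the helpers, indicator list and output format are assumptions.

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Where, [string]$What) {
    $findings.Add("$Where  ->  $What")
}

# Filenames the advisories associate with the worms. Several are also legitimate
# Windows names, so a hit means "review this entry", not "infected".
$indicators = @('services.exe', 'corona.exe', 'kernel32.exe', 'netdll.dll',
                'serscg.dll', 'explorer.exe')
$indicatorPattern = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-RegistryValues([string]$Path) {
    # Name/data pairs of a key, minus PowerShell's PS* metadata properties.
    if (-not (Test-Path $Path)) { return @() }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Data = "$($_.Value)" } }
}

# 1. Run keys (all three advisories): any value whose data names an indicator file.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    foreach ($v in Get-RegistryValues $key) {
        if ($v.Data -imatch $indicatorPattern) { Add-Finding "$key\$($v.Name)" $v.Data }
    }
}

# 2. Windows NT\CurrentVersion\Windows\load and \run (Kullan-A): normally empty.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    foreach ($v in Get-RegistryValues $key) {
        if ((@('load', 'run') -contains $v.Name) -and ($v.Data.Trim() -ne '')) {
            Add-Finding "$key\$($v.Name)" $v.Data
        }
    }
}

# 3. Winlogon shell (Kullan-A): anything other than plain explorer.exe is worth a look.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    foreach ($v in Get-RegistryValues $key) {
        if (($v.Name -eq 'Shell') -and ($v.Data.Trim().ToLower() -ne 'explorer.exe')) {
            Add-Finding "$key\Shell" $v.Data
        }
    }
}

# 4. IE start page (Coronex-A).
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
foreach ($v in Get-RegistryValues $ieKey) {
    if (($v.Name -eq 'Start Page') -and ($v.Data -like 'http://www.who.int/csr/don/2003_04_19/en*')) {
        Add-Finding "$ieKey\Start Page" $v.Data
    }
}

# 5. win.ini / system.ini (Kullan-A): non-empty run=/load= lines and a non-default shell=.
foreach ($ini in 'win.ini', 'system.ini') {
    $path = Join-Path $env:WINDIR $ini
    if (-not (Test-Path $path)) { continue }
    Get-Content $path | ForEach-Object {
        if (($_ -imatch '^\s*(run|load)\s*=\s*\S') -or
            ($_ -imatch '^\s*shell\s*=\s*(?!explorer\.exe\s*$)\S')) {
            Add-Finding $path $_.Trim()
        }
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { 'Entries to review:'; $findings | ForEach-Object { "  $_" } }
```

Run it from an elevated PowerShell prompt so the HKLM values and the ini files are readable. Because `services.exe` and `explorer.exe` are also legitimate Windows binaries, the script deliberately keys on where a name appears (a Run value, a non-default Winlogon shell, a `load=`/`run=` line) rather than on the name alone; each reported entry still needs a human to confirm the referenced file's location and origin.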
