W32.Cone - hello.exe (C)

tasklist.org		A comprehensive list of processes running in your computer
		tasklist \| attachlist

bookmark this website!		total tasks: 16297

AttachList is a list of email attachment files that viruses usually send in email. It contains the attached file names, typical subjects and messages, the name of the viruses that send them, and instruction on how to remove these viruses.

most requested

Browse attachlist by file name:

| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z |

Name: W32.Cone

Sender:

Spoofed.
(Spoofed)@yahoo.com (E)

Subject:

(name), What you have to say? (BE)
about you (CD)
BREAKING NEWS: US begin the war against IRAN! (ABE)
Confidential user information! (CD)
How cute is your credit card number!! :)) (CD)
E-mail account disabling warning for (name) (CD)
Hi (D)
I found a virus in your message (F)
i have your password :) (CD)
IMPORTANT (name)! (CD)
I recieved a message from you containing Mydoom (F)
I WILL KILL (name) (ABE)
Large amount of W32.Mydoom.H outgoing from your email (F)
MAILER-DAEMON@%s (E)
Mail Delivery System ((name)) (BCDE)
Mail Transaction Failed ((name)) (BCDE)
Mydoom.H in attachment of your message (F)
news@bbc.co.uk (E)
Norton Antivirus detected W32.Mydoom.H in your mail (F)
Password Reset For (name) (BCDE)
RE: (name) (C)
Re: Details ((name)) (BCDE)
RE: Thank You! (CD)
RE: the attachment is in the SKY [weN] (D)
Thank You (name)! (ABE)
The attachment is in the SKY [weN] (D)
Undelivered Mail Returned to Sender ((name)) (BCDE)
Virus detected in your mail (F)
W32.Mydoom.H in your mail (F)
WARNING: (name), WHY YOU TRY TO HACK OUR WEBSITE? (BE)
WE COULD NOT OPEN THE ATTACHMENT!!! (E)
WE WANT TO KISS YOU, (name)! (B)
Your account ((name)) will be closed (BCDE)
Your computer is infected by W32.Mydoom.H (F)
Your computer is probably infected (F)
Your computer is probably infected by W32.Mydoom.H (F)
Your IP has been logged (CD)
Your message was infected by Mydoom (F)

Message:

Dear user of (recipient name), (D)
Dear users of %s,Norton Antivirus has detected about %d e-mail(s)
infected by W32.Mydoom.Houtgoing from your mail
account(%s).W32.Mydoom.H is a category 4 virus and Norton Antivirus
2004is updated automatically for removal instructions of cat 4 and5
viruses, and then send them for infected computers to preventmore
infections. (F)
Dear users of %s,Our antivirus software has detected a large amount
of viruses outgoingfrom your email account (%s), you may use
ourremoval instruction to clean up your computer software. (F)
Details Attached. (D)
do you can imagine?a (random letters) in a zip file! (D)
hey, i'm tired of deleting emails infected by Mydoom.H from you,i
attached the symantec removal instructions help file for
Mydoom.Hplease cleanup your computer, or do not connect to
internet.cleanup your computer, i have recieved more than 20 message
infected by Mydoom.H from you,i attached the symantec removal
instructions help file for W32.Mydoom.H (F)
hi,i have recieved an email from you infected by W32.Mydoom.H, the
attached file is a help file (.chm) containing removal instructions
of Mydoom.H, i have downloaded it from www.symantec.com.to check to
see if your computer has been infected by Mydoom.H refer to "Check
for presence of W32.Mydoom.H" in the help file.best wishes, (F)
Hi lucky,The attachment is a virus do not open it.I write it to say :
we don't want islamic republic in IRAN!I'm realy sorry, I'm damaging
some computers that I don't want to damage!!!!
We warn you about some attacks on your e-mail account. Your computer
may contain viruses, in order to keep your computer and e-mail
account safe,please, follow the instructions. (D)
Hi Melinda,see my gift for your birthday ;-)call me and say what you
think about it?Love,Bill (E)
Hi,The attachment is a virus.I write it to say: we don't want Islamic
Republic in IRAN!I'm realy realy sorry, I'm damaging the computers
that I don't want to damage!!!!I choose to help a nation to be free
with cost of some computer infections!!!Do you choose this if you
must choose one?all of the other ways closed, no one listen to
us!!!!please support me, open the virus and let it spread, it does
not have any damage,just your internet connection may become some
slow!for more info search "W32.Cone.E". (F)
i can't find anything usefull in your attachment.  (D)
I have your password :)  (D)
i zip it for you.  (D)
i zip your password (and some other info) :))I have it too!you can
change it, but...! (D)
See the attached file for details  (D)
take it easy  (D)
The Management,The (recipient's domain) team http: //www.(recipient's
domain) (D)
The message contains Unicode characters and has been sent as an
attachment (in binary). (E)
The message contains Unicode (Chinese) characters and has been sent
as an attachment (in binary).  (D)
The zip archive attached.
extract it and then read the text file!  (D)
WARNING:This message contains (attached) users personal data and you
may not use it for personal use, remember that you accept the
agreement, and you are responsible for any kind of misuse of the
users personal data. (E)
Warning!!!This message contains (attached) users personal info and
you may not use it for personal use,remember that you accept the
agreement,and you are responsible for any kind of misuse of the users
personal info. (D)
we can't find anything usefull in your attachment See the attached
file for details
What you think? you are just a piece of shit! (E)
your computer is infected by mydoom.H,because i recieved more than 20
messages containing mydoom.H from youi attached help file of removal
instructions of this virus,please cleanup your computer, before
connecting to internet! (F)
your credit card information attached :))  (D)

Attachment:

(eight random letters or digits).exe. (F)
alongtimeago.exe (ABE)
alongtimeago.scr (ABE)
CA112732.exe (ABE)
CoolText.exe (C)
doc.exe (ABE)
doc.scr (ABE)
document.exe (C)
document.scr (ABCE)
EULA-USA.exe (C)
hello.exe (C)
hello.scr (C)
information.exe (C)
information.scr (C)
nothing.exe (ABC)
nothing.scr (CE)
nothing.scr (ABE)
password.exe (C)
password.scr (C)
pchealth.exe (F)
pic.exe (AB)
pic.scr (AB)
pics.exe (E)
pics.scr (E)
(random).zip (CE)
readmeUS.exe (C)
secret!!.exe (C)
text.txt.exe (C)
text22F1.exe (ABE)
unknown.exe (C)
unknown.scr (C)
unknown1.exe (C)
untitled.exe (ABCE)

Comments: A mass-mailing worm that sends itself to email addresses it gathers from files on the infected computer.

Symptoms:


 Creates a file c:cyclone.txt. The file contains the following text:
W32.Cyclone ^^^^^^^^^^ we need freedom in iran, we don't want islamic
republic of iran, we don't want to die, why nobody pay attention to
us! where is human rights? where is justice? these are bullshit, yes?
the world doesn't change, even a little bit, from thousand years ago,
STILL WE DON'T HAVE HUMANITY!!!!! 
 Creates a thread to continuously sets the following value: "Windows
Services Host"="%Windir%svchost.exe" in the registry keys:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun so that
the worm runs when you start Windows 
 Creates or overwrites the file, %System%driversetchosts, with the
text: 127.0.0.1 www.symantec.com 127.0.0.1
securityresponse.symantec.com 127.0.0.1 symantec.com 127.0.0.1
www.sophos.com 127.0.0.1 sophos.com 127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com 127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com 127.0.0.1 viruslist.com 127.0.0.1
viruslist.com 127.0.0.1 f-secure.com 127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com 127.0.0.1 www.avp.com 127.0.0.1
www.kaspersky.com 127.0.0.1 avp.com 127.0.0.1
www.networkassociates.com| 127.0.0.1 networkassociates.com 127.0.0.1
www.ca.com 127.0.0.1 ca.com 127.0.0.1 mast.mcafee.com 127.0.0.1
my-etrust.com 127.0.0.1 www.my-etrust.com 127.0.0.1
download.mcafee.com 127.0.0.1 dispatch.mcafee.com 127.0.0.1
secure.nai.com 127.0.0.1 nai.com 127.0.0.1 www.nai.com 127.0.0.1
microsoft.com 127.0.0.1 www.microsoft.com 127.0.0.1
support.microsoft.com 127.0.0.1 update.symantec.com 127.0.0.1
updates.symantec.com 127.0.0.1 us.mcafee.com 127.0.0.1
liveupdate.symantec.com 127.0.0.1 customer.symantec.com 127.0.0.1
rads.mcafee.com 127.0.0.1 trendmicro.com 127.0.0.1 www.trendmicro.com
127.0.0.1 localhost

Recommended Cleanup Software: We found that Easy SpyRemover is the most effective tool for removing this file.

Manual Removal Instructions: Disable System Restore (Windows Me/XP).
Update the virus definitions.
Run a full system scan and delete all the files detected as W32.Cone@mm.
Delete the value that was added to the registry.