Coconut

Type: Mass mailer worm
Creator: Gigabyte
Date Discovered: 2003.07.15
Place of Origin: Mechelen, Belgium
Source Language: C#
Platform: MS Windows with .NET
File Type(s): .exe, .vbs
Infection Length: 200,704 bytes

Coconut is a worm with a viral component that makes computer users play a coconut shy game in order to keep their files from being infected. The player must throw a coconut at the heads of Belgian hacker Frans Devaere and Sophos security expert Graham Cluley; the more often the coconut hits them, the fewer files the worm infects. Coconut is one of a few viruses that Belgian hacker Gigabyte has created in the feud between her and Graham Cluley. Like Sharp, it requires the .NET platform. It does not exist in the wild.

Behavior

The Coconut worm and game in action

The worm arrives in an email that should look something like this:

  • Subject line: The Coconut Game
  • Message Text: This game made me feel like I was on a vacation :)
  • Attached File: coconut.exe

Coconut can only execute on a computer with the .NET framework installed, as it requires the mscoree.dll file that ships with .NET. When Coconut is executed, it drops temporary files called coconut.exe and mail.vbs in the root directory of drive C (not in any folder). The VBS file mails the worm to everyone in the Windows address book.

Coconut then displays a shy game with photos of a coconut, Frans Devaere on the bottom left, Graham Cluley on the bottom right and a button at the top center with the text "Throw!". The player has 3 chances to hit Devaere and Cluley. Hitting Cluley is worth 2 points, while Devaere is worth 1. The worm will infect as many files as the number of points missed out of the 6 possible. After the game has finished, a text box appears telling the user how many points they have received and how many files were infected.

When infecting a new file, it copies the file to be infected to the directory the virus/worm was executed from and names the copy hostcopy.exe. It then overwrites the file in its original location with the worm body and appends the copied hostcopy.exe to the end of that body, so the worm runs first and the original program follows it. Coconut checks for the byte value 103 at offset 0x12 and will not infect files that already carry this value. This is likely an infection marker intended to prevent a file from being infected twice.

When an infected file is executed, Coconut has the user play the game again. It extracts the original program to the Windows temporary folder as temp.exe and runs it. Coconut tries to delete temp.exe when that program has finished running, but the virus itself continues to run in memory.
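The marker and prepender layout described in the two paragraphs above are what a defender can key on. The following Python script is an added example for this page, not code from the worm or from any antivirus vendor: it checks a PE file for the byte value 103 at offset 0x12, walks a directory for marked .exe files, and, on the assumption that the prepended worm body is exactly the 200,704 bytes given as the infection length, splits the original host program back off the end. The function names and the constructed sample files are assumptions of this example.

```python
"""Detection helpers for the Coconut (W32/Conut) prepender.

Added example for this page, not code from the worm or from any vendor.
Facts taken from the page: the worm prepends itself to host .exe files,
marks infected files with byte value 103 at offset 0x12, and the prepended
body ("infection length") is 200,704 bytes.  Function names and the
constructed sample data below are assumptions of this example."""

from pathlib import Path
from typing import List, Optional

MARKER_OFFSET = 0x12          # e_csum field of the DOS header, per the page
MARKER_VALUE = 103            # 0x67, the value Coconut checks before infecting
INFECTION_LENGTH = 200_704    # bytes prepended to the host, per the infobox


def has_infection_marker(data: bytes) -> bool:
    """True if the file carries Coconut's re-infection marker.

    Only MZ/PE files are considered; offset 0x12 lies inside the 64-byte
    DOS header (the e_csum field, normally zero in compiler output)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    return data[MARKER_OFFSET] == MARKER_VALUE


def looks_like_prepended_host(data: bytes) -> bool:
    """Heuristic: after the worm body a second MZ header should follow,
    the original program that the worm later drops as temp.exe."""
    if len(data) <= INFECTION_LENGTH:
        return False
    return data[INFECTION_LENGTH:INFECTION_LENGTH + 2] == b"MZ"


def recover_host(data: bytes) -> Optional[bytes]:
    """Return the appended original program, or None if the layout does not
    match.  Assumes the prepended body is exactly INFECTION_LENGTH bytes
    (an assumption about this sample, not a general rule for prependers)."""
    if has_infection_marker(data) and looks_like_prepended_host(data):
        return data[INFECTION_LENGTH:]
    return None


def scan_tree(root: str) -> List[str]:
    """Walk a directory and return paths of .exe files carrying the marker."""
    hits = []
    for path in Path(root).rglob("*.exe"):
        try:
            with open(path, "rb") as fh:
                head = fh.read(0x40)      # the DOS header is enough
        except OSError:
            continue
        if has_infection_marker(head):
            hits.append(str(path))
    return hits


def _mz_stub(marker: int = 0) -> bytes:
    """Constructed 64-byte DOS header used only for the demonstration."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    hdr[MARKER_OFFSET] = marker
    return bytes(hdr)


# Constructed samples: a clean host and a synthetic "infected" file whose
# first INFECTION_LENGTH bytes stand in for the worm body (no real worm code).
CLEAN_HOST = _mz_stub() + b"original program bytes"
FAKE_INFECTED = (_mz_stub(MARKER_VALUE)
                 + b"\x90" * (INFECTION_LENGTH - 0x40)
                 + CLEAN_HOST)

if __name__ == "__main__":
    print("clean host marked?", has_infection_marker(CLEAN_HOST))
    print("sample marked?    ", has_infection_marker(FAKE_INFECTED))
    print("host recovered?   ", recover_host(FAKE_INFECTED) == CLEAN_HOST)
```

The marker check alone is a cheap triage filter, not proof of infection: a legitimately built executable could in principle carry 0x67 in its DOS checksum field, so a hit should be confirmed by the second MZ header at the 200,704-byte boundary before any file is rewritten.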

Name

Coconut, obviously, gets its name from the shy game that the worm has victims play. Some antivirus programs refer to it as Conut.

Antivirus Aliases

  • Avast!: Win32:Kokon
  • Avira: W32/Coconuts
  • ClamAV: Worm.Repah.a
  • Doctor Web: Win32.NET.Coconut
  • Eset: Win32/Conut.A
  • F-Prot: W32/Conut.A
  • F-Secure: Email-Worm.Win32.Conut [AVP]
  • Grisoft: I-Worm/Cocot
  • Kaspersky Lab: Email-Worm.Win32.Conut also known as: I-Worm.Conut
  • McAfee: W32/Conut@MM
  • Panda: W32/Coconut
  • RAV: Win32/Cotan.A@mm
  • Bitdefender: Win32.HLLP.Coconuts.A
  • Sophos: W32/Coconut-A
  • Symantec: W32.HLLP.Conut@mm
  • Trend Micro: PE_Conut.A-O
  • Vexira: I-Worm.Conut

Background

Coconut is one of a few viruses and worms Gigabyte has created in a feud between her and Graham Cluley. Parrot and Quizy include some unflattering statements about Cluley. Frans Devaere (ReDaTtAcK) is a Belgian hacker, who in the summer of 1999 cracked the networks of the Generale Bank, a part of the Fortis Group. He accessed log files that contained account information on the bank's customers. At a press conference he claimed that he was trying to awaken people to the dangers of insecure systems. While he was described by some in the Belgian technology media as being "mediageile" (a Dutch adjective with similar connotations to the English term "media whore"),

Sources

Trend Micro Antivirus, "PE_CONUT.A".

Sophos Press Office, "New Coconut worm knocks block off anti-virus expert, 'Shy away' says Sophos". 2003.07.16

Yana Liu, Symantec.com, "W32.HLLP.Conut@mm".

WebWereld, "ReDaTtAcK ten strijde tegen veiligheidsgaten op internet". 1999.08.23 (Dutch)

Jamie Biesemans, ZDNet.be, "Virus heeft het gemunt op ReDaTtacK". 2003.07.18 (Dutch)
