As Bkis predicted in the previous blog entry "Emails from Santa", virus distributors have taken action this Christmas season.

On November 28, 2009, the Bkis honeypot collected multiple malicious emails that fake a Coca-Cola Christmas promotion campaign.


The email carries an attractive message: “Play our fantastic new online game for your chance to WIN a trip to the Bahamas and get all Coca Cola drinks for free in the rest of your life. See the attachment for details” to trick users into opening the attached file.

When users run the attached file, their computers are infected with a backdoor. The attacker is then able to take remote control of the victim's machine and to steal sensitive data.

Below is the detailed analysis of this worm:

  • Name: W32.XmasCo.Worm
  • Family: W32.XmasCo.Worm
  • Type: Worm
  • Discovered: November 28, 2009
  • Size: 439 KB
  • Severity: high

Characteristics:

  • Reduces the system security level.
  • Installs a backdoor.

Symptoms:

  • The registry is modified.
  • The following window pops up:


Infection methods:

  • Via websites.
  • Via emails.

Prevention:

  • Do not visit websites that offer software cracks or hacking techniques, or websites with erotic content.
  • Do not open unknown attached files, particularly files with .exe, .com, .pif and .bat extensions.

Technical details:

  • Writes the following registry values so that the worm is launched at Windows start-up:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}]

    StubPath = "%SystemDir%\qnx.exe"


    Wind River Systems = "%SystemDir%\vxworks.exe"


    QnX = "%SystemDir%\qnx.exe"


    QnX = "%SystemDir%\qnx.exe"

  • Copies itself to %SystemDir% under the file name "vxworks.exe".
  • Drops the file "%SystemDir%\qnx.exe".
  • Opens the following ports to receive the attacker's commands: 1051, 1070, 1085 and 1086.
  • Connects to remote servers over ports 25 and 80 to download additional malicious code onto the affected machine (the server names are not preserved in this copy of the analysis).

  • Automatically sends mass emails to the addresses found on the affected machine.
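The indicators above (the Active Setup StubPath and Run-key values pointing at qnx.exe / vxworks.exe, the four command ports, and the port-25 traffic) are enough to write a quick offline triage check. The script below is an added example, not Bkis tooling or code from the worm: it scans a `.reg` export and a saved `netstat -ano` capture for those indicators. The sample inputs are constructed; in particular the analysis does not preserve which keys hold the "Wind River Systems" and "QnX" values, so placing them under the HKLM and HKCU Run keys is an assumption, as is treating the command ports as TCP.

```python
"""Offline triage for the W32.XmasCo.Worm indicators (example code, not Bkis tooling).

Input 1: a .reg export such as `reg export HKLM\\SOFTWARE hklm.reg` (UTF-16 on
disk; decode it before passing the text in).
Input 2: a saved `netstat -ano` capture from the suspect machine.
"""
import re
from dataclasses import dataclass

# Indicators taken from the analysis above.
SUSPECT_FILES = {"qnx.exe", "vxworks.exe"}
SUSPECT_VALUE_NAMES = {"qnx", "wind river systems"}
SUSPECT_LISTEN_PORTS = {1051, 1070, 1085, 1086}   # assumed TCP
SMTP_PORT = 25                                    # mass-mailing / C2 over port 25


@dataclass(frozen=True)
class Hit:
    kind: str       # "autostart", "listener" or "smtp"
    location: str   # registry key or socket address
    detail: str     # value data or owning PID


def _is_autostart_key(key: str) -> bool:
    k = key.lower()
    return ("\\active setup\\installed components" in k
            or "\\currentversion\\run" in k)


def scan_reg_export(text: str) -> list:
    """Return autostart values whose data or name matches the worm's indicators."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if not m or key is None or not _is_autostart_key(key):
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg files double every backslash inside quoted string data
            data = data[1:-1].replace("\\\\", "\\")
        basename = data.rsplit("\\", 1)[-1].lower()
        if basename in SUSPECT_FILES or name.lower() in SUSPECT_VALUE_NAMES:
            hits.append(Hit("autostart", key, f"{name} = {data}"))
    return hits


def scan_netstat(text: str) -> list:
    """Flag the command ports in LISTENING state and any outbound SMTP session."""
    hits = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 4 or f[0] != "TCP":
            continue
        local, remote, state = f[1], f[2], f[3]
        pid = f[4] if len(f) > 4 else "?"
        lport = int(local.rsplit(":", 1)[1])
        if state == "LISTENING" and lport in SUSPECT_LISTEN_PORTS:
            hits.append(Hit("listener", local, f"PID {pid}"))
        elif state == "ESTABLISHED" and remote.rsplit(":", 1)[1] == str(SMTP_PORT):
            # A workstation talking SMTP directly is a mass-mailer tell, not proof.
            hits.append(Hit("smtp", f"{local} -> {remote}", f"PID {pid}"))
    return hits


# Constructed sample inputs (not captures from a real infection).
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{77520Q86-864L-N81R-0R2W-7U2G0P22436U}]
"StubPath"="C:\\WINDOWS\\system32\\qnx.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wind River Systems"="C:\\WINDOWS\\system32\\vxworks.exe"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"QnX"="C:\\WINDOWS\\system32\\qnx.exe"
'''

NETSTAT_SAMPLE = '''Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1051           0.0.0.0:0              LISTENING       1344
  TCP    0.0.0.0:1070           0.0.0.0:0              LISTENING       1344
  TCP    192.168.1.5:1086       0.0.0.0:0              LISTENING       1344
  TCP    192.168.1.5:1045       203.0.113.7:25         ESTABLISHED     1344
  UDP    0.0.0.0:500            *:*                                    620
'''

if __name__ == "__main__":
    for hit in scan_reg_export(REG_SAMPLE) + scan_netstat(NETSTAT_SAMPLE):
        print(f"{hit.kind:9} {hit.location}  {hit.detail}")
```

The registry scan keys on both the file names and the value names, because a variant could rename the dropped binary while keeping the Run-key label (or the reverse); the netstat scan reports the owning PID so the process can be matched against the dropped files in %SystemDir%.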

Analyst: Nguyen Cong Cuong
