W32.Hunch Worm Information

Name: W32.Hunch
Category: Worm
Advice: Remove
Risk: Severe Risk. Severe threats are typically remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction, and exploits are in the wild. There is a high possibility of system damage or a security flaw. An attacker has complete control over your computer or can install new software on your machine.
Description: W32.Hunch is a mass-mailing worm.

When it runs, it does the following:


It sends itself to all contacts in the Microsoft Outlook Address Book. The message has the following characteristics:

Subject: blank
Message: Mensaje importante para [name of the sender] en el archivo adjunto...
Attachment: This varies depending on the originating file name

(Windows Me only) It searches the C:\_RESTORE folder and deletes all .ocx, .cpl, .drv, .log, .sys, and .dll files from that folder.
It copies itself to the hard disk as:
%system%\Msword.Exe

and one of the following three files:
%system%\Salsa.Exe
%system%\Dejas.exe
%system%\Locas.exe

It adds one of the following three values:

SALSA %system%\Salsa.Exe
DEJAS %system%\Dejas.Exe
LOCAS %system%\Locas.Exe

to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

so that the worm runs when you start Windows.

It then deletes five files that have one of the following randomly chosen file extensions:
.xls
.doc
.wav
.dwg
.mp3
.bak
.cdx
.bmp
.htm
.hlp
.chm
.jpg
.gif
.scr
.ttf
.mid
.mdb
.dbf
.ico

It keeps a log of the deleted files in C:\Windows\System\ListWin.txt.
(Windows 95/98/Me only) It modifies the C:\Autoexec.bat file by adding one of the following commands:

DEL > FORMAT C: /u /v:SALSA /autotest
DEL > FORMAT C: /u /v:DEJAS /autotest
DEL > FORMAT C: /u /v:LOCAS /autotest

so that the next time that you start the computer, the hard drive is reformatted.
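
A triage check built from the indicators listed above, as an added example that is not part of the original write-up: it scans the text of an Autoexec.bat and a name-to-data export of the Run/RunServices values. The function names and the sample inputs are constructed for illustration.

```python
import re

# Indicators from the write-up: value names and the volume labels in the FORMAT line.
WORM_NAMES = ("SALSA", "DEJAS", "LOCAS")
FORMAT_RE = re.compile(
    r"\bformat\s+c:.*?/v:(?:salsa|dejas|locas)\b.*?/autotest", re.IGNORECASE)

def scan_autoexec(text):
    """Return (line_no, line) for each active Autoexec.bat line with the FORMAT command."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.upper().startswith(("REM ", "::")):
            continue  # commented-out lines do not execute at boot
        if FORMAT_RE.search(stripped):
            hits.append((line_no, stripped))
    return hits

def scan_run_values(values):
    """values maps value name -> data, as exported from Run or RunServices.
    Flag entries whose name and executable both match the pairs in the write-up."""
    hits = []
    for name, data in values.items():
        exe = data.strip().strip('"').rsplit("\\", 1)[-1].lower()
        if name.upper() in WORM_NAMES and exe == name.lower() + ".exe":
            hits.append((name, data))
    return hits

# Constructed sample inputs (not taken from a real infected machine).
SAMPLE_AUTOEXEC = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
REM FORMAT C: /u /v:SALSA /autotest
DEL > FORMAT C: /u /v:DEJAS /autotest
"""
SAMPLE_RUN = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "LOCAS": r"C:\WINDOWS\SYSTEM\Locas.Exe",
    "SALSA": r"C:\Music\player.exe",  # name alone is not enough to flag
}

if __name__ == "__main__":
    for line_no, line in scan_autoexec(SAMPLE_AUTOEXEC):
        print(f"Autoexec.bat line {line_no}: {line}")
    for name, data in scan_run_values(SAMPLE_RUN):
        print(f"Run value {name} -> {data}")
```

A hit in Autoexec.bat should be handled before the machine is restarted, since the command runs at the next boot.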

Signatures:
process: Salsa.Exe: MD5 Hash: ...
process: Locas.Exe: MD5 Hash: ...
process: msword.exe: MD5 Hash: 5d247e13333e9518015...
process: msword.exe: MD5 Hash: ...
process: Dejas.Exe: MD5 Hash: ..
Type: Worm - A worm is a program that propagates by attacking other computers and copying itself to them. Worms may replace files, but do not insert themselves into files (as viruses do).





 


© 2006-2008 spyware32.com - Privacy Policy