Home / malware Worm:Win32/Hikjav.A
First posted on 21 February 2009.
Source: SecurityHomeAliases :
Worm:Win32/Hikjav.A is also known as Also Known As:Mal/SillyFDC-A (Sophos), Worm.Win32.AutoRun.vye (Kaspersky), :W32/Autorun.AQP (Panda), W32.SillyFDC (Symantec).
Explanation :
Worm:Win32/Hikjav.A is a worm that spreads to all logical drives. It attempts to steal user names and passwords for web mail services by monitoring what a user enters via a web browser. It then sends all stolen information to a remote server.
Symptoms
System ChangesThe following system changes may indicate the presence of this malware:The presence of the following file:
%USERPROFILE%smss.exeThe presence of the following registry modification:
Added value: "SysUtils"
With data: "%USERPROFILE%smss.exe"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Worm:Win32/Hikjav.A is a worm that spreads to all logical drives. It attempts to steal user names and passwords for web mail services by monitoring what a user enters via a web browser. It then sends all stolen information to a remote server.
Installation
When run, Worm:Win32/Hikjav.A copies itself as the hidden file "%USERPROFILE%smss.exe". It then modifies the system registry so that it runs every time Windows starts: Adds value: "SysUtils"
With data: "%USERPROFILE%smss.exe"
To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRunSpreads Via...Logical DrivesWorm:Win32/Hikjav.A enumerates drives C: to Z:, checking for Removable, Fixed, and RAMDisk drive types. If a drive is of any of these drive types, the worm copies itself in the drive as the file "<Drive>RECYCLERautoplay.exe". It also creates a file named "autorun.inf" in the root of the drive, which automatically executes the worm copy if the drive is accessed and Autorun is enabled. The file "autorun.inf" is detected as Worm:Win32/Hikjav.A!inf.
Payload
Steals Sensitive InformationWorm:Win32/Hikjav.A attempts to steal user names and passwords for web mail services by monitoring when a user enters details via a web browser. It then sends the information to the remote server "razmgah.com".Additional InformationTo make its removal more difficult, this worm cycles through its installation, propagation, and payload routines after a certain time interval passes.
Analysis by Raymond RobertsLast update 21 February 2009