Worm:Win32/Hilgild!gen.A
First posted on 15 January 2013.
Source: Microsoft
Aliases:
Worm:Win32/Hilgild!gen.A is also known as Worm/Win32.AutoRun (AhnLab), Worm.Win32.AutoRun.edrh (Kaspersky), AutoRun.BORO (Norman), Worm/Autorun.bmjt (Avira), Win32.HLLW.Autoruner.58952 (Dr.Web), Win32/AutoRun.Agent.UI worm (ESET), Worm.Win32.Hilgild (Ikarus), W32/Autorun.worm.zzk (McAfee), Worm.Win32.Hilgild.a (Rising AV), W32/Clarbat-Gen (Sophos), WORM_OTORUN.SMMO (Trend Micro).
Explanation:
Installation
Worm:Win32/Hilgild!gen.A copies itself to your computer as the following file:
%AppData%\wmimgmt.exe
It creates the following registry entry so that its copy automatically runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wmi32"
With data: "%AppData%\wmimgmt.exe"
Spreads via...
Removable drives
Worm:Win32/Hilgild!gen.A spreads by copying itself to every removable drive attached to your computer. The copy is placed in a "recycler" folder on the drive, using the same base name as the installed copy but with a .com extension, for example:
- F:\recycler\wmimgmt.com
- G:\recycler\wmimgmt.com
It also writes an Autorun configuration file named "autorun.inf" in the root of the drive, pointing to the worm copy. If the drive is opened on a computer that still honors autorun.inf on removable media, the worm is launched automatically. Note that Windows 7 and later do not run autorun.inf from USB drives by default, and Microsoft's February 2011 AutoRun update (KB971029) disabled this for Windows XP and Vista as well; on patched systems the autorun.inf and the "recycler" copy remain useful indicators of an infected drive even though they no longer execute on insertion.
Payload
Drops other malware
Worm:Win32/Hilgild!gen.A drops a file detected as TrojanDownloader:Win32/Agent.YR. This file may have the name "%Temp%\comm32.exe" or "%Temp%\avp.exe" (the file "avp.exe" is copied as "comm32.exe", then is deleted).
It also drops the file "%Temp%\comm32.dll", which is also detected as TrojanDownloader:Win32/Agent.YR.
Steals information
Worm:Win32/Hilgild!gen.A collects information about your computer. To do this, it runs a batch file, "%Temp%\ghi.bat", which is detected as Worm:BAT/Hilgild.A.
The stolen information is stored in a file named "%Temp%\info.txt".
This worm tries to steal the following information from your computer:
- Computer name
- User account names
- IP address
- Ethernet adapter configuration info
- List of currently running Windows processes
Connects to a remote server
Worm:Win32/Hilgild!gen.A connects to the following remote servers via TCP port 8080:
- incl.too2too.com
- nor.fushing.org
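The indicators above (the Run value, the "recycler" copy launched through autorun.inf, and the two command-and-control hosts on TCP 8080) can be turned into a small triage script. The following is an added example written for this page, not code from Microsoft or from the worm: the indicator values are taken from the description, while the sample autorun.inf, Run-key values and proxy log lines are constructed for the demonstration (the worm's real autorun.inf content and the log format are assumptions, not taken from the page).

```python
"""Triage helpers for the Worm:Win32/Hilgild!gen.A indicators above.

Added example; indicator values come from the description, the sample
autorun.inf, Run values and log lines are constructed for the demo.
"""
import re
from typing import Dict, List

RUN_VALUE_NAME = "wmi32"            # HKCU\...\Run value name
WORM_FILE = "wmimgmt.exe"           # %AppData%\wmimgmt.exe
REMOVABLE_COPY = "wmimgmt.com"      # <drive>:\recycler\wmimgmt.com
C2_HOSTS = {"incl.too2too.com", "nor.fushing.org"}
C2_PORT = 8080

# [autorun] keys that execute a program when the drive is opened.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")
# "host:port" tokens in a proxy/firewall log line (assumed log shape).
HOST_PORT_RE = re.compile(r"([A-Za-z0-9.-]+):(\d{1,5})\b")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section, keys lower-cased.
    Comment lines (';' or '#') and other sections are ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text: str) -> List[str]:
    """Flag every executing entry that launches from a 'recycler' folder.
    Nothing legitimate autoruns from there; the worm's copy name is
    reported as 'hilgild-copy', anything else as 'recycler-launch'."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if key not in EXEC_KEYS and not SHELL_CMD_RE.match(key):
            continue
        parts = value.strip('"').lower().replace("/", "\\").split()
        if not parts or "recycler\\" not in parts[0]:
            continue
        tag = "hilgild-copy" if parts[0].endswith("\\" + REMOVABLE_COPY) else "recycler-launch"
        findings.append(f"{tag}: {key}={value}")
    return findings


def run_key_findings(values: Dict[str, str]) -> List[str]:
    """Match Run values (name -> data, e.g. from 'reg query') against the
    worm's persistence entry by value name or by executable name."""
    hits = []
    for name, data in values.items():
        parts = data.strip('"').lower().replace("/", "\\").split()
        exe = parts[0].rsplit("\\", 1)[-1] if parts else ""
        if name.lower() == RUN_VALUE_NAME or exe == WORM_FILE:
            hits.append(f"{name}={data}")
    return hits


def c2_log_findings(lines: List[str]) -> List[str]:
    """Return log lines whose destination is a C2 host on TCP 8080."""
    hits = []
    for line in lines:
        for host, port in HOST_PORT_RE.findall(line):
            if host.lower() in C2_HOSTS and int(port) == C2_PORT:
                hits.append(line)
                break
    return hits


# Constructed sample input (not the worm's real files or real logs).
SAMPLE_AUTORUN_INF = r"""
; constructed sample in the shape the description implies
[autorun]
open=recycler\wmimgmt.com
shellexecute=recycler\wmimgmt.com
shell\open\command=recycler\wmimgmt.com
icon=%SystemRoot%\system32\shell32.dll,4
"""
SAMPLE_RUN_VALUES = {
    "wmi32": r"%AppData%\wmimgmt.exe",
    "OneDrive": r"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}
SAMPLE_LOG_LINES = [
    "2013-01-15T10:00:01Z 10.0.0.5 CONNECT incl.too2too.com:8080 200",
    "2013-01-15T10:00:02Z 10.0.0.5 GET http://www.example.com:80/ 200",
    "2013-01-15T10:05:10Z 10.0.0.7 CONNECT nor.fushing.org:8080 503",
]

if __name__ == "__main__":
    for finding in (autorun_findings(SAMPLE_AUTORUN_INF)
                    + run_key_findings(SAMPLE_RUN_VALUES)
                    + c2_log_findings(SAMPLE_LOG_LINES)):
        print(finding)
```

On a suspect host, feed `parse_autorun_inf` the autorun.inf from each removable drive's root, `run_key_findings` the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, and `c2_log_findings` the proxy or firewall log; the value-name and executable-name matching is deliberately loose because the `!gen` detection covers a family, not one fixed sample.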
Analysis by Wei Li
Last update 15 January 2013