
Worm:Win32/Hilgild!gen.A


First posted on 15 January 2013.
Source: Microsoft

Aliases:

Worm:Win32/Hilgild!gen.A is also known as Worm/Win32.AutoRun (AhnLab), Worm.Win32.AutoRun.edrh (Kaspersky), AutoRun.BORO (Norman), Worm/Autorun.bmjt (Avira), Win32.HLLW.Autoruner.58952 (Dr.Web), Win32/AutoRun.Agent.UI worm (ESET), Worm.Win32.Hilgild (Ikarus), W32/Autorun.worm.zzk (McAfee), Worm.Win32.Hilgild.a (Rising AV), W32/Clarbat-Gen (Sophos), WORM_OTORUN.SMMO (Trend Micro).

Explanation:

Installation

Worm:Win32/Hilgild!gen.A drops a copy of itself onto your computer as the following file:

%AppData%\wmimgmt.exe

It creates the following registry entry so that its copy automatically runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wmi32"
With data: "%AppData%\wmimgmt.exe"

Spreads via...

Removable drives

Worm:Win32/Hilgild!gen.A spreads by copying itself to all removable drives attached to your computer. It drops its copy, named "wmimgmt.com", in the "Recycler" folder of each drive, for example:

  • F:\recycler\wmimgmt.com
  • G:\recycler\wmimgmt.com


It also writes an Autorun configuration file named "autorun.inf", pointing to the worm copy. If the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
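The removable-drive behaviour above is what a defender can check for on a mounted drive: an autorun.inf whose launch directive points at an executable hidden in the "recycler" folder. The following parser is an added example, not part of the Microsoft write-up; it reads the [autorun] section, treats `open=`, `shellexecute=` and `shell\<verb>\command=` as launch directives, and flags any target that lives under "recycler" or carries the file name the write-up lists. The two sample autorun.inf files are constructed for this example (the page does not give the real contents), and the check is assumed to be the one you would run over drives before trusting their Autorun data.

```python
"""Flag autorun.inf launch directives that point at a worm-style copy.

Added example, not from the Microsoft write-up: a small autorun.inf
parser that reports directives launching code from a drive's "recycler"
folder or naming the worm's removable-drive copy. The sample contents
below are constructed; the page only says the file points at the worm.
"""
import re
from typing import Dict, List

# [autorun] directives that run a program when the drive is inserted or opened.
LAUNCH_KEYS = ("open", "shellexecute")
# File name the write-up gives for the copy on removable drives.
KNOWN_WORM_NAMES = {"wmimgmt.com"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {lowercase directive: value} for the [autorun] section only."""
    directives: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def is_launch_directive(key: str) -> bool:
    """open=, shellexecute= and shell\\<verb>\\command= all execute a target."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def suspicious_directives(text: str) -> List[str]:
    """Return 'key=value' strings for launch directives matching the worm pattern."""
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        if not is_launch_directive(key) or not value:
            continue
        target = value.split()[0].lower()          # drop any arguments
        parts = re.split(r"[\\/]", target)
        name, folders = parts[-1], parts[:-1]
        if "recycler" in folders or name in KNOWN_WORM_NAMES:
            findings.append(f"{key}={value}")
    return findings


# Constructed sample in the shape Hilgild's autorun.inf would take (assumed contents).
SAMPLE_WORM_INF = r"""[autorun]
open=recycler\wmimgmt.com
shell\open\command=recycler\wmimgmt.com
icon=%SystemRoot%\system32\shell32.dll,4
"""

# Constructed benign sample: a vendor installer launched from the drive root.
SAMPLE_BENIGN_INF = r"""[autorun]
label=Product Setup
open=setup.exe /quiet
icon=setup.exe,0
"""

if __name__ == "__main__":
    for label, inf in (("worm", SAMPLE_WORM_INF), ("benign", SAMPLE_BENIGN_INF)):
        print(label, suspicious_directives(inf))
```

The parser deliberately handles the `shell\<verb>\command` form as well as `open=`, because a worm only needs one of them to run when the drive is opened; a check that looks at `open=` alone misses the others.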



Payload

Drops other malware

Worm:Win32/Hilgild!gen.A drops a file detected as TrojanDownloader:Win32/Agent.YR. This file may have the name "%Temp%\comm32.exe" or "%Temp%\avp.exe" (the file "avp.exe" is copied as "comm32.exe" and then deleted).

It also drops the file "%Temp%\comm32.dll", which is also detected as TrojanDownloader:Win32/Agent.YR.

Steals information

Worm:Win32/Hilgild!gen.A steals sensitive information from all drives on your computer. To do this, it runs a batch file, "%Temp%\ghi.bat", to collect the information. This batch file is detected as Worm:BAT/Hilgild.A.

The stolen information is stored in a file named "%Temp%\info.txt".

This worm tries to steal the following information from your computer:

  • Computer name
  • User account names
  • IP address
  • Ethernet adapter configuration info
  • List of currently running Windows processes


Connects to a remote server

Worm:Win32/Hilgild!gen.A connects to the following remote servers via TCP port 8080:

  • incl.too2too.com
  • nor.fushing.org
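The Installation, Payload and remote-server sections above together give a usable indicator set: the Run value name and target, the dropped file names, and the two hosts on TCP port 8080. The code below is an added example, not Microsoft's tooling; it matches those indicators against host and network evidence expressed in a generic record shape (registry Run values, file paths, outbound connections) that you would fill from a registry export, a file listing and a firewall or proxy log. The field names ("kind", "key", "path" and so on) and the sample events are this example's own, and the strong/weak split is this example's judgement: "avp.exe" and "info.txt" are ordinary names that also occur legitimately, so on their own they are weaker evidence than "wmimgmt.exe" or "ghi.bat".

```python
"""Match the Hilgild indicators from this write-up against host and network evidence.

Added example, not Microsoft's tooling: the indicator values (Run value
name, dropped file names, C2 host names and port) come from the write-up;
the event records and their field names are constructed for this example.
"""
import ntpath
from typing import Dict, List, Tuple

RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "wmi32"
RUN_DATA_NAME = "wmimgmt.exe"
# avp.exe and info.txt are also ordinary file names, so on their own they
# only rate as weak signals; the others are specific to this family.
STRONG_FILES = {"wmimgmt.exe", "wmimgmt.com", "comm32.exe", "comm32.dll", "ghi.bat"}
WEAK_FILES = {"avp.exe", "info.txt"}
C2_HOSTS = {"incl.too2too.com", "nor.fushing.org"}
C2_PORT = 8080

Finding = Tuple[str, str]  # (severity, description)


def normalize_key(key: str) -> str:
    """Lower-case a registry path and fold the long hive name to HKCU."""
    key = key.strip().strip("\\").lower()
    return key.replace("hkey_current_user", "hkcu", 1)


def check_registry(key: str, value_name: str, data: str) -> List[Finding]:
    """Flag the Run value the worm sets, by value name or by target file name."""
    if normalize_key(key) != RUN_KEY:
        return []
    if value_name.lower() == RUN_VALUE_NAME or ntpath.basename(data).lower() == RUN_DATA_NAME:
        return [("strong", f"Run value {value_name!r} -> {data}")]
    return []


def check_file(path: str) -> List[Finding]:
    """Flag file names the write-up lists as dropped by the worm."""
    name = ntpath.basename(path).lower()
    if name in STRONG_FILES:
        return [("strong", f"dropped file {path}")]
    if name in WEAK_FILES:
        return [("weak", f"dropped file {path}")]
    return []


def check_network(host: str, port: int) -> List[Finding]:
    """Flag the C2 hosts; the listed port 8080 makes the match strong."""
    if host.lower() not in C2_HOSTS:
        return []
    severity = "strong" if port == C2_PORT else "weak"
    return [(severity, f"connection to {host}:{port}")]


def scan(events: List[Dict]) -> List[Finding]:
    """Run every event through the check for its kind and collect findings."""
    findings: List[Finding] = []
    for ev in events:
        if ev["kind"] == "registry":
            findings += check_registry(ev["key"], ev["value"], ev["data"])
        elif ev["kind"] == "file":
            findings += check_file(ev["path"])
        elif ev["kind"] == "network":
            findings += check_network(ev["host"], ev["port"])
    return findings


# Constructed evidence: one infected host's Run key, files and connections,
# mixed with benign entries to show what does not match.
SAMPLE_EVENTS = [
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "wmi32", "data": r"C:\Users\alice\AppData\Roaming\wmimgmt.exe"},
    {"kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Program Files\Example\updater.exe"},
    {"kind": "file", "path": r"F:\recycler\wmimgmt.com"},
    {"kind": "file", "path": r"C:\Users\alice\AppData\Local\Temp\info.txt"},
    {"kind": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"kind": "network", "host": "nor.fushing.org", "port": 8080},
    {"kind": "network", "host": "incl.too2too.com", "port": 443},
    {"kind": "network", "host": "www.example.com", "port": 443},
]

if __name__ == "__main__":
    for severity, description in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {description}")
```

A single weak finding (an "info.txt" in %Temp%, say) is not worth an alert on its own; a strong finding, or several weak ones on the same host, is what should drive isolation and a look at the other artefacts listed in this write-up.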




Analysis by Wei Li

Last update 15 January 2013
