
Worm:Win32/Hary.A


First posted on 18 April 2012.
Source: Microsoft

Aliases:

Worm:Win32/Hary.A is also known as Virus.Win32.AutoRun.dv (Kaspersky), W32/Autorun.worm.g (McAfee), W32/Hairy-A (Sophos), W32.Hairy.A (Symantec), WORM_HAIRY.A (Trend Micro).

Explanation:

Worm:Win32/Hary.A is a worm that poses as a copy of J K Rowling's book "Harry Potter and the Deathly Hallows". The worm spreads between USB drives and personal computers, changing Internet Explorer settings and disabling certain system tools.

Worm:Win32/Hary.A consists of an .EXE file and an AutoIt script, a script that can automatically execute when the autorun feature for CD-ROM and removable drives is enabled on Windows computers. When the AutoIt script runs, it executes a file named "HarryPotter-TheDeathlyHallows.exe". The .EXE performs the following actions:

    • Drops a Microsoft Word document file named "HarryPotter-TheDeathlyHallows.doc" in the same folder, with the contents "Harry Potter is dead.", then moves this file to the root of the C drive.
    • Starts winword.exe to show this Microsoft Word document "C:\HarryPotter-TheDeathlyHallows.doc"
    • Minimizes all system windows.
    • Creates the directory C:\Windows\Cache\
    • Creates a copy of HarryPotter-TheDeathlyHallows.exe to C:\Windows\Cache\
    • Deletes all scheduled 'AT' jobs
    • Schedules 'AT' jobs to run "C:\Windows\Cache\HarryPotter-TheDeathlyHallows.exe" hidden, every day of the week, at the following times:
      8:30 9:00 10:30 11:00 12:30 13:00 14:30 16:30 17:00 18:30 19:00
    • Creates the file "C:\harry potter.txt" with the following contents:
      Harry Potter is a dumb kid,so is Daniel.Ron Weasley is ugly but who cares.Hermione is pretty and exploited but who cares?.Dumbledore is old and haggard but who cares?.JK Rowling was an ex-witch but who cares, betcha didn't know..All we care is that.......Harry Potter is gonna die!.Okay, you can now get yourself a copy of the dumb Harry Potter book.
    • Creates the directory C:\Windows\Tempt\
    • Creates a Batch script named "C:\Windows\Tempt\talk.bat" that, when run, will display the following content:
      read and repent
      the end is near
      repent from your evil ways O Ye folks lest you burn in hell...JK Rowling especially press any key to continue…
    • Sets the file attributes of "C:\Windows\Tempt\talk.bat" to read-only, system and hidden.
    • Creates an entry in the registry to run "C:\Windows\Tempt\talk.bat" at Windows startup:
      Adds value: talk
      With data: C:\Windows\Tempt\talk.bat
      To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    • Creates an AutoIt script named "C:\autorun.inf" to launch "HarryPotter-TheDeathlyHallows.exe" whenever a drive is mounted.
    • Copies "C:\autorun.inf" to the root of the D, E, F, G, H, I and J drives.
    • Copies "HarryPotter-TheDeathlyHallows.exe" to the root of the C, D, E, F, G, H, I and J drives.
    • Changes the registered owner details stored in the registry:
      Modifies value: RegisteredOwner
      With data: Harry Potter
      Modifies value: ProductID
      With data: HARRY-POT-TERHATE-SYOU1
      To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
    • Changes Internet Explorer properties stored in the registry:
      Modifies value: Window Title
      With data: JK Rowling Owns You
      To subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
      Modifies value: Start Page
      With data: {long hyperlink listing pointing to Amazon.com for a book titled "Harry Putter and the Chamber of Cheesecakes", a Harry Potter parody}
    • Lowers security settings, changes Windows functionality and changes System Restore options by altering the following stored settings in the registry:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoFolderOptions = 1
      NoViewContextMenu = 1
      NoShellSearchButton = 1
      NoFind = 1
      NoRun = 1
      HideClock = 1
      NoTrayContextMenu = 1
      NoTrayItemsDisplay = 1
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      DisableTaskMgr = 1
      DisableRegistryTools = 1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
      CheckedValue = 0
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
      NoViewContextMenu = 1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
      DisableTaskMgr = 1
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
      DisableSR = 1
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
      Start = 4
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
      EnableFirewall = 0
      DoNotAllowExceptions = 0
    • Attempts to add the following user accounts to the system:
      Harry-Potter
      Ron-Weasley
      Hermione-Granger
    • Forces a system reboot.
Text files also dropped by Worm:Win32/Hary.A are identified separately as Worm:Win32/Hary.A!autorun, Worm:Win32/Hary.A!txt, and Worm:Win32/Hary.A!bat.
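A read-only host check for the artifacts listed above, added here as an example rather than taken from the Microsoft write-up. It assumes PowerShell 5.1 or later on Windows with the LocalAccounts and ScheduledTasks modules available, and it only reports what it finds; the file paths, registry values and account names are the ones given in the description.

```powershell
# Added example, not from the Microsoft description: read-only audit for the
# Worm:Win32/Hary.A artifacts listed above. Assumes PowerShell 5.1+ on Windows
# with the LocalAccounts and ScheduledTasks modules; it changes nothing.
$findings = @()

# Dropped files and the copy staged under C:\Windows\Cache
$paths = @(
    'C:\HarryPotter-TheDeathlyHallows.exe',
    'C:\HarryPotter-TheDeathlyHallows.doc',
    'C:\harry potter.txt',
    'C:\autorun.inf',
    'C:\Windows\Cache\HarryPotter-TheDeathlyHallows.exe',
    'C:\Windows\Tempt\talk.bat'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# Registry values the worm writes (key, value name, data it sets); exact match only
$regChecks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'talk'; Data = 'C:\Windows\Tempt\talk.bat' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'; Name = 'RegisteredOwner'; Data = 'Harry Potter' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'; Name = 'ProductID'; Data = 'HARRY-POT-TERHATE-SYOU1' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Window Title'; Data = 'JK Rowling Owns You' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Data = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Data = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore'; Name = 'DisableSR'; Data = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sr'; Name = 'Start'; Data = 4 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'; Name = 'EnableFirewall'; Data = 0 }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and "$($item.($c.Name))" -eq "$($c.Data)") {
        $findings += "registry: $($c.Key)\$($c.Name) = $($c.Data)"
    }
}

# Local accounts the worm tries to create
foreach ($u in 'Harry-Potter', 'Ron-Weasley', 'Hermione-Granger') {
    if (Get-LocalUser -Name $u -ErrorAction SilentlyContinue) { $findings += "local account: $u" }
}

# Scheduled tasks whose action launches the cached copy
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { $_.Execute }) -like '*HarryPotter-TheDeathlyHallows.exe*' } |
    ForEach-Object { $findings += "scheduled task: $($_.TaskPath)$($_.TaskName)" }

if ($findings.Count -eq 0) { 'No Worm:Win32/Hary.A artifacts found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM keys and all task paths are readable; a hit on the Run value or the Cache copy is the strongest signal, since the dropped text files are also detected separately as the !txt and !bat variants.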

Last update 18 April 2012
