Worm:Win32/Hary.A
First posted on 18 April 2012.
Source: Microsoft
Aliases:
Worm:Win32/Hary.A is also known as Virus.Win32.AutoRun.dv (Kaspersky), W32/Autorun.worm.g (McAfee), W32/Hairy-A (Sophos), W32.Hairy.A (Symantec), WORM_HAIRY.A (Trend Micro).
Explanation:
Worm:Win32/Hary.A is a worm that poses as a copy of J K Rowling's book "Harry Potter and the Deathly Hallows". The worm spreads between USB drives and personal computers, changing Internet Explorer settings and disabling certain system tools.
Worm:Win32/Hary.A consists of an .EXE file and an AutoIt script, a script that can execute automatically when the autorun feature for CD-ROM and removable drives is enabled on Windows computers. When the AutoIt script runs, it executes a file named "HarryPotter-TheDeathlyHallows.exe". The .EXE performs the following actions:
- Displays the following message:
Ron Weasley is ugly but who cares
Hermione is pretty and exploited but who cares?
Dumbledore is old and haggard but who cares?
JK Rowling was an ex-witch but who cares, betcha didn't know.
All we care is that.......Harry Potter is gonna die!
Okay, you can now get yourself a copy of the dumb Harry Potter book.
- Drops a Microsoft Word document file named "HarryPotter-TheDeathlyHallows.doc" in the same folder, with the contents "Harry Potter is dead.", then moves this file to the root of the C drive.
- Starts winword.exe to show this Microsoft Word document "C:\HarryPotter-TheDeathlyHallows.doc".
- Minimizes all system windows.
- Creates the directory C:\Windows\Cache\
- Creates a copy of HarryPotter-TheDeathlyHallows.exe to C:\Windows\Cache\
- Deletes all scheduled 'AT' jobs
- Schedules 'AT' jobs to run "C:\Windows\Cache\HarryPotter-TheDeathlyHallows.exe" hidden, every day of the week, at the following times:
8:30 9:00 10:30 11:00 12:30 13:00 14:30 16:30 17:00 18:30 19:00
- Creates the file "C:\harry potter.txt" with the following contents:
Harry Potter is a dumb kid,so is Daniel
- Creates the directory C:\Windows\Tempt\
- Creates a Batch script named "C:\Windows\Tempt\talk.bat" that, when run, will display the following content:
read and repent
the end is near
repent from your evil ways O Ye folks lest you burn in hell...JK Rowling especially
press any key to continue...
- Sets the file attributes of "C:\Windows\Tempt\talk.bat" to read-only, system and hidden.
- Creates an entry in the registry to run "C:\Windows\Tempt\talk.bat" at Windows startup:
Adds value: talk
With data: C:\Windows\Tempt\talk.bat
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Text files also dropped by Worm:Win32/Hary.A are identified separately as Worm:Win32/Hary.A!autorun, Worm:Win32/Hary.A!txt, and Worm:Win32/Hary.A!bat.
- Creates an AutoIt script named "C:\autorun.inf" to launch "HarryPotter-TheDeathlyHallows.exe" whenever a drive is mounted.
- Copies "C:\autorun.inf" to the root of the D, E, F, G, H, I and J drives.
- Copies "HarryPotter-TheDeathlyHallows.exe" to the root of the C, D, E, F, G, H, I and J drives.
- Changes registered owner details stored in the registry:
Modifies value: RegisteredOwner
With data: Harry Potter
Modifies value: ProductID
With data: HARRY-POT-TERHATE-SYOU1
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
- Changes Internet Explorer properties stored in the registry:
Modifies value: Window Title
With data: JK Rowling Owns You
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Modifies value: Start Page
With data: {long hyperlink pointing to Amazon.com for a book titled "Harry Putter and the Chamber of Cheesecakes", a Harry Potter parody}
- Lowers security settings, changes Windows functionality and changes System Restore options by altering the following settings stored in the registry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = 1
NoViewContextMenu = 1
NoShellSearchButton = 1
NoFind = 1
NoRun = 1
HideClock = 1
NoTrayContextMenu = 1
NoTrayItemsDisplay = 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1
DisableRegistryTools = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
DisableSR = 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
Start = 4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall = 0
DoNotAllowExceptions = 0
- Attempts to add the following user accounts to the system:
Harry-Potter
Ron-Weasley
Hermione-Granger
- Forces a system reboot.
Last update 18 April 2012
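The registry values listed above (the Run entry for talk.bat, the rewritten owner details, the Internet Explorer title, the policy and System Restore settings, and the disabled firewall) are the most durable artifacts this worm leaves on a host. The following is an added example, not part of the Microsoft write-up: it parses a regedit (.reg) export and reports which of the listed values are present with the data the write-up gives. The embedded export is constructed for illustration; only the key/value/data triples come from the description above.

```python
"""Check a regedit (.reg) export for the registry values the Worm:Win32/Hary.A
write-up lists. Added example; not part of the Microsoft description."""
import re

# (key, value name, data) triples taken from the write-up above.
HARY_REGISTRY_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "talk", r"C:\Windows\Tempt\talk.bat"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion",
     "RegisteredOwner", "Harry Potter"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion",
     "ProductID", "HARRY-POT-TERHATE-SYOU1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Window Title", "JK Rowling Owns You"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore",
     "DisableSR", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr", "Start", 4),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
     r"\Parameters\FirewallPolicy\StandardProfile", "EnableFirewall", 0),
]

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo the .reg string escaping (a backslash before \\ or ")."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw):
    """Turn the right-hand side of a .reg value line into a Python value."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw  # hex:, hex(2): and similar are left as their raw token


def parse_reg_export(text):
    """Parse a .reg export into {(key, value_name): data}; keys and names lower-cased,
    because the Windows registry is case-insensitive."""
    values = {}
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_LINE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = _VALUE_LINE.match(line)
        if m and current_key is not None:
            name = _unescape(m.group(1)).lower()
            values[(current_key, name)] = _decode_data(m.group(2))
    return values


def find_hary_indicators(reg_text):
    """Return the listed (key, name, data) triples whose data matches the export."""
    values = parse_reg_export(reg_text)
    hits = []
    for key, name, expected in HARY_REGISTRY_INDICATORS:
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            continue
        if isinstance(expected, str):
            matched = isinstance(actual, str) and actual.lower() == expected.lower()
        else:
            matched = actual == expected
        if matched:
            hits.append((key, name, actual))
    return hits


# Constructed sample export for illustration: three of the worm's values plus
# values that must not match (a benign Run entry, a normal ProductID, and
# DisableRegistryTools left at 0).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTool"="C:\\Example\\tool.exe"
"talk"="C:\\Windows\\Tempt\\talk.bat"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOwner"="Harry Potter"
"ProductID"="00000-000-0000000-00000"
"""

if __name__ == "__main__":
    for key, name, data in find_hary_indicators(SAMPLE_REG_EXPORT):
        print(f"HIT  {key}\\{name} = {data!r}")
```

A hit on the Run value, the owner details or the Internet Explorer title is specific to this worm's dropped content; the policy values (DisableTaskMgr, DisableRegistryTools, DisableSR, the sr service start type and the firewall setting) are also set by legitimate group policy, so treat those as corroborating evidence and confirm with the dropped files (C:\Windows\Cache\, C:\Windows\Tempt\talk.bat, autorun.inf at drive roots) and the scheduled AT jobs listed above.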