Win32.Huhc.A
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Huhc.A is also known as Win32.Huhk.A.
Explanation:
It checks whether its process name is “explorer.exe”; if not, it moves the file:
"%SYSTEM%dllcacheexplorer.exe" into "%TEMP%lorer.exe"
It infects the copied file and then copies it into "%WINDOWS%explorer.exe".
After that, it infects all *.exe and *.scr files, but only on removable disks and connected network drives. It does not change the size or creation time of the original files; instead it writes its malicious code into empty zones of the file.
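Because the infection leaves file size and creation time unchanged, those attributes cannot reveal it. As an added example (not part of the original write-up), the Python code below counts non-zero bytes in the raw-data padding of each PE section, a common triage heuristic for code written into unused space; treating the "empty zones" as section padding is an assumption, and the function names and the sample image are constructed for illustration.

```python
import struct

def section_slack(pe: bytes):
    """Return [(section, padding_len, nonzero_bytes)] for every PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    (nsect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    out = []
    for i in range(nsect):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        # Bytes between the used part (VirtualSize) and SizeOfRawData are
        # alignment padding, which linkers normally leave zero-filled.
        pad = pe[rawptr + min(vsize, rawsize):rawptr + rawsize]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"),
                    len(pad), len(pad) - pad.count(0)))
    return out

def flag_sections(pe: bytes, threshold: int = 16):
    """Names of sections whose padding holds more than `threshold` non-zero bytes."""
    return [n for n, _size, nonzero in section_slack(pe) if nonzero > threshold]

def build_sample(fill: bytes = b"") -> bytes:
    """Constructed, non-loadable PE-like image: one .text section, 0x40 of 0x200 bytes used."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0, 0x102)
    struct.pack_into("<8sIIII", hdr, 0x58, b".text", 0x40, 0x1000, 0x200, 0x200)
    body = bytearray(0x200)
    body[:0x40] = b"\x90" * 0x40                              # "used" part of the section
    body[0x40:0x40 + len(fill)] = fill                        # bytes placed in the padding
    return bytes(hdr + body)

if __name__ == "__main__":
    clean, modified = build_sample(), build_sample(b"\xCC" * 100)
    print(len(clean) == len(modified))        # same size, as the write-up describes
    print(section_slack(clean), flag_sections(clean))
    print(section_slack(modified), flag_sections(modified))
```

Packers and some linkers also leave non-zero padding, so a hit is a reason to compare the file against a known-good hash, not a verdict on its own.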
When infecting a file, the virus creates 3 threads. The first one is used to create the infection process for the host file.
The second one infects the files on removable disks. The virus searches for removable disks starting with “Z:” and descending to “D:”.
The third thread infects the network files. The infection is made only in directories named:
“Windows”
“system32”
“winnt”
“dllcache”
and with the following names:
“readbook.exe”
“qq.exe”
“icesword.exe”
“aspack.exe”
“iris.exe”
“iexplore.exe”
“navapw32.exe”
“navapsvc.exe”
“nmain.exe”
“navw32.exe”
“kvfw.exe”
“kavsvcui.exe”
“kavpfw.exe”
“kav32.exe”
“kvxp.kvxp.kxp”
“kvsrvxp.exe”
“kvmonxp.kxp”
“kvwsc.exe”
“kavsvc.exe”
“kwatchui.exe”
“ravmond.exe”
“ravmon.exe”
“ravtimer.exe”
“rising.exe”
“rav.exe”
“ravmon.exe”
“ravtimer.exe”
“iparmor.exe”
“trojanhunter.exe”
“thguard.exe”
“pfw.exe”
“eghost.exe”
“mailmon.exe”
“firefox.exe”
Last update 21 November 2011