
Win32.Holar.I@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Holar.I@mm is also known as I-Worm.Hawawi.f (Kaspersky).

Explanation:

The virus was written in Visual Basic and compressed with UPX.

When run, it copies itself and drops its embedded components: smtp.ocx (an SMTP ActiveX control used to send e-mail messages, which the worm registers with regsvr32) and the executable explore.exe.

The registry entry

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explore]

is created to run the worm at every start-up. The executable's read-only, hidden and system file attributes are set.

The worm searches the Microsoft WAB (Windows Address Book) file and user files ending in .TXT, .HTML, .HTM and .EML for e-mail addresses, and sends itself to the addresses it finds.
The worm arrives in mail messages like the following:
Fw:
Re:
Check this out ;)
Enjoy!
This is all i can send
Have Fun :)
You gonna love it
Here is what u wanted
:)
Wait for more :)
looool
Take a look
Never mind !
Attatchments
See the attatched file
gift :)
Surprise!
save it for hard times
Happy Times :)
Useful
Very funny
Try it
you have to see this!
emazing!

The worm stores a counter of the number of times it has been run in the registry key HKCU\DeathTime. When the counter reaches 30, the payload is executed: the following message is displayed in red on a black background.
"! have noth!na say bam st!ll ZaCker !"
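The two registry artifacts named above (the Run value that restarts the worm and the HKCU\DeathTime run counter) are what an analyst would check first when triaging a suspected host offline. The script below is an added example, not BitDefender's code or any tool from the original description: it parses a `.reg`-style export (the constructed sample inline is invented, not a real capture), reports the persistence entry and the counter, and computes how many further runs remain before the 30-run payload. The description does not say which value inside HKCU\DeathTime holds the count, so the code assumes the key's default value (or its only value) and accepts both `dword:` and quoted-decimal data; that is an assumption, not something the page states.

```python
import re
from typing import Dict, Optional

# Constructed sample export (NOT a real capture): what `reg export` of the two
# keys from the description might look like on an infected host. The counter
# value 0x1c (28) is invented to exercise the threshold arithmetic.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Explore"="C:\\WINDOWS\\explore.exe"

[HKEY_CURRENT_USER\DeathTime]
@=dword:0000001c
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
COUNTER_KEY = r"HKEY_CURRENT_USER\DeathTime"   # assumption: backslash-separated form of HKCU\DeathTime
RUN_VALUE_NAME = "Explore"                      # value name from the description
PAYLOAD_THRESHOLD = 30                          # run count at which the description says the payload fires


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: raw data string}}.
    '@' is used for a key's default value, as in the .reg format itself."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key_match = re.match(r"^\[(.+)\]$", line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        if current is None:          # header line before any key
            continue
        val_match = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if val_match:
            name = "@" if val_match.group(1) == "@" else val_match.group(1)[1:-1]
            keys[current][name] = val_match.group(2)
    return keys


def reg_value_to_int(raw: str) -> Optional[int]:
    """Decode dword:xxxxxxxx or a quoted decimal string; None for anything else."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"' and raw[1:-1].isdigit():
        return int(raw[1:-1])
    return None


def find_holar_indicators(text: str) -> dict:
    """Return the persistence entry and run-counter state found in a .reg export.
    Registry paths and value names are compared case-insensitively, as Windows does."""
    keys = {path.lower(): values for path, values in parse_reg_export(text).items()}
    result = {
        "run_entry": None,            # data of HKLM\...\Run\Explore, if present
        "counter_key_present": False, # HKCU\DeathTime exists
        "run_count": None,            # decoded counter, if decodable
        "runs_until_payload": None,   # PAYLOAD_THRESHOLD - run_count, floored at 0
    }
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE_NAME.lower():
            result["run_entry"] = data
    counter_values = keys.get(COUNTER_KEY.lower())
    if counter_values is not None:
        result["counter_key_present"] = True
        # Assumption: the count sits in the default value, or in the only value present.
        raw = counter_values.get("@")
        if raw is None and len(counter_values) == 1:
            raw = next(iter(counter_values.values()))
        count = reg_value_to_int(raw) if raw is not None else None
        result["run_count"] = count
        if count is not None:
            result["runs_until_payload"] = max(PAYLOAD_THRESHOLD - count, 0)
    return result


if __name__ == "__main__":
    for field, value in find_holar_indicators(SAMPLE_REG_EXPORT).items():
        print(f"{field}: {value}")
```

On a live host the same checks map onto `reg query` or PowerShell's `Get-ItemProperty` against the two paths; the offline form is shown here so the logic can run anywhere against an exported hive. A Run entry pointing at explore.exe together with the existence of HKCU\DeathTime is a far stronger indicator than either alone, since "Explore" is a plausible-looking value name on its own.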

Last update 21 November 2011

 
