W32/Holar.l@MM
- Type
- Virus
- SubType
- Discovery Date
- 10/15/2003
- Length
- Varies
- Minimum DAT
- 4299 (10/22/2003)
- Updated DAT
- 4362 (05/19/2004)
- Minimum Engine
- 5.1.00
- Description Added
- 11/06/2003
- Description Modified
- 11/06/2003 10:59 AM (PT)
Characteristics
This threat is proactively detected as New MSVB P2P worm when using the 4266-4298 DAT files with the 4.2.60 scan engine and scanning compressed executables (a default scan option).
This variant of the worm is very similar to previous variants. It is intended to propagate via email and share itself over P2P networks.
The worm consists of a 3-file sandwich: DROPPER COMPONENT | PROPAGATION COMPONENT | SMTP LIBRARY
The dropper component is intended to drop and run the other components:
- Propagation component: 20,992 bytes
- SMTP library: 25,737 bytes
Strings within the dropper and propagation components suggest the worm is intended to arrive in a message with the following characteristics:
From:
""@yahoo.com (or an address taken from the infected system)
Subject:
< attachment file name without the extension >, or one of the following:
May start with the following:
- Fw:
- Re:
Followed by:
- Check this out ;)
- Enjoy!
- This is all i can send
- Have Fun :)
- You gonna love it
- Here is what u wanted
- Wait for more :)
- looool
- Take a look
- Never mind !
- Attatchments
- See the attatched file
- gift :)
- Surprise!
- save it for hard times
- Happy Times :)
- Useful
- Very funny
- Try it
- you have to see this!
- emazing!
Attachment: < file name varies, taken from an existing file name found on the infected sender's system followed by .com >
Messages contain an X-Mailer field identifying the off-the-shelf SMTP library that the virus uses:
- X-Mailer: OstroSoft SMTP Control (4.0.19)
Running the attachment infects the local system. The worm extracts several files to the WINDOWS SYSTEM directory:
- explore.exe (20,992 bytes)
- SMTP.ocx (25,737 bytes)
It hooks system startup with a registry Run value pointing at the propagation component:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Explore" = C:\WINDOWS\SYSTEM\EXPLORE.exe
Several other files are created in the WINDOWS SYSTEM directory:
- a.bat (9,216 bytes)
- a.com (9,216 bytes)
- a.exe (9,216 bytes)
- a.pif (9,216 bytes)
- a.scr (9,216 bytes)
- < a copy of the worm using the file name that was initially run, with a .sys extension >
It also copies itself to the WINDOWS SYSTEM directory using the aforementioned email attachment names. The worm attempts to configure KaZaa to use the WINDOWS SYSTEM directory as the default shared folder.
Symptoms
- Presence of the aforementioned filenames
- The default start page of Internet Explorer may be set to:
- http://www.geocities.com/yori_mrakkadi
- The virus creates two registry values:
A marker value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows "a" = %worm filename%
And a counter value:
HKEY_CURRENT_USER\DeathTime = %Run count%
If the run count exceeds 30, the worm attempts to disable the mouse and keyboard. The syntax used for this payload does not apply to all systems, and error messages may be displayed when the payload is initiated.
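The file and registry artifacts listed under Characteristics and Symptoms can be turned into a host-side check. The following is an added example written for this page, not McAfee's detection code or anything from the DAT files. It runs against a constructed inventory (file names with sizes, plus flattened registry values) rather than a live system, so it works offline; on a real host the two inputs would be filled from a listing of the Windows system directory and from the registry. The location assumed for the Internet Explorer start page value (HKCU\Software\Microsoft\Internet Explorer\Main, "Start Page") is not stated on this page and is my assumption.

```python
"""Host artifact check for the W32/Holar.l@MM indicators listed above.

Added example, not McAfee's code. Inputs are constructed; nothing here
touches a real filesystem or registry.
"""

# Dropped components and their sizes, from the description above.
DROPPED_FILES = {
    "explore.exe": 20992,
    "smtp.ocx": 25737,
    "a.bat": 9216,
    "a.com": 9216,
    "a.exe": 9216,
    "a.pif": 9216,
    "a.scr": 9216,
}

# Registry locations from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
COUNTER_KEY = r"HKEY_CURRENT_USER"
START_PAGE = "http://www.geocities.com/yori_mrakkadi"
# ASSUMPTION: standard IE start page location; the page does not name it.
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"


def check_files(listing):
    """listing: {filename: size_in_bytes} for the Windows system directory.

    Matches on name AND size: a.exe or explore.exe alone are weak signals,
    the exact dropped size makes the match specific to this variant.
    """
    hits = {}
    for name, size in listing.items():
        expected = DROPPED_FILES.get(name.lower())
        if expected is not None and size == expected:
            hits[name] = size
    return hits


def check_registry(values):
    """values: {(key_path, value_name): data}, a flattened registry view.

    Returns one reason string per artifact found.
    """
    reasons = []
    run_value = values.get((RUN_KEY, "Explore"))
    if run_value and run_value.lower().endswith(r"\explore.exe"):
        reasons.append("Run value 'Explore' -> " + run_value)
    if (MARKER_KEY, "a") in values:
        reasons.append("marker value 'a' under " + MARKER_KEY)
    count = values.get((COUNTER_KEY, "DeathTime"))
    if count is not None:
        reasons.append("DeathTime run counter = %s" % count)
        if int(count) > 30:  # threshold for the disable-input payload
            reasons.append("run count exceeds 30: disable-input payload may fire")
    if values.get((IE_MAIN_KEY, "Start Page")) == START_PAGE:
        reasons.append("IE start page set to " + START_PAGE)
    return reasons


def assess(listing, values):
    """Combine both checks. Returns (infected, reasons)."""
    reasons = ["%s (%d bytes) in system directory" % (n, s)
               for n, s in check_files(listing).items()]
    reasons.extend(check_registry(values))
    return (bool(reasons), reasons)


# Constructed sample: what a freshly infected Windows 9x system might show.
SAMPLE_LISTING = {
    "EXPLORE.exe": 20992,
    "SMTP.ocx": 25737,
    "a.scr": 9216,
    "kernel32.dll": 471040,  # benign, must not match
    "a.exe": 12000,          # name matches, size does not: must not match
}
SAMPLE_REGISTRY = {
    (RUN_KEY, "Explore"): r"C:\WINDOWS\SYSTEM\EXPLORE.exe",
    (MARKER_KEY, "a"): "holiday.com",
    (COUNTER_KEY, "DeathTime"): "31",
    (IE_MAIN_KEY, "Start Page"): START_PAGE,
}

if __name__ == "__main__":
    infected, why = assess(SAMPLE_LISTING, SAMPLE_REGISTRY)
    print("infected:", infected)
    for line in why:
        print(" -", line)
```

The size check matters in practice: a.exe and explore.exe are plausible names for unrelated files, so name alone would generate false positives, while name plus the exact dropped size is close to unique to this variant.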
Method of Infection
This worm spreads via email and the KaZaa P2P file-sharing network.
Mail Propagation
The worm sends itself to addresses found on the local system. The attachment name it uses is derived by finding filenames that exist on the system.
Email addresses are harvested from files using the following extensions:
- eml
- htm
- html
- txt
Attachment names are derived from files that match the following extension list:
- jpg
- doc
- pps
- zip
- ram
- xls
- mdb
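The message characteristics above (the OstroSoft X-Mailer header, the fixed subject list with an optional Fw:/Re: prefix, and a .com attachment named after a document or picture on the sender's machine) are enough for a mail-gateway rule. The following is an added example for this page, not McAfee's code; it parses a constructed .eml with the standard-library email package and reports which indicators match. The sample messages are made up to mirror the description, and the scoring rule in is_suspect is my own choice, not anything the page states.

```python
"""Mail-side indicators for W32/Holar.l@MM messages.

Added example, not McAfee's code. Sample messages below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser

X_MAILER = "OstroSoft SMTP Control (4.0.19)"

# Subject bodies from the description, misspellings kept as the worm uses them.
SUBJECT_BODIES = [
    "Check this out ;)", "Enjoy!", "This is all i can send", "Have Fun :)",
    "You gonna love it", "Here is what u wanted", "Wait for more :)",
    "looool", "Take a look", "Never mind !", "Attatchments",
    "See the attatched file", "gift :)", "Surprise!", "save it for hard times",
    "Happy Times :)", "Useful", "Very funny", "Try it",
    "you have to see this!", "emazing!",
]
SUBJECT_RE = re.compile(
    r"^(?:(?:fw|re):\s*)?(" + "|".join(re.escape(s) for s in SUBJECT_BODIES) + r")$",
    re.IGNORECASE,
)
# Mail copies use .com; the other extensions are the P2P copy extensions.
EXEC_EXTS = (".com", ".exe", ".scr", ".bat", ".pif")


def inspect_message(raw_bytes):
    """Return the list of matched indicators for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = []
    if (msg.get("X-Mailer") or "").strip() == X_MAILER:
        hits.append("x-mailer:" + X_MAILER)
    subject = (msg.get("Subject") or "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        stem, dot, ext = name.rpartition(".")
        if dot and ("." + ext).lower() in EXEC_EXTS:
            hits.append("exec-attachment:" + name)
            # Second subject pattern: the attachment name minus its extension.
            if stem and subject.lower() == stem.lower():
                hits.append("subject-equals-attachment-stem")
    return hits


def is_suspect(raw_bytes):
    """Decision rule (my choice): the X-Mailer string alone is weak, since the
    library is a legitimate product, so require it together with an executable
    attachment, or any three indicators."""
    hits = inspect_message(raw_bytes)
    has_mailer = any(h.startswith("x-mailer:") for h in hits)
    has_exec = any(h.startswith("exec-attachment:") for h in hits)
    return (has_mailer and has_exec) or len(hits) >= 3


# Constructed sample: the shape of a worm message as described above.
SAMPLE_EML = b"""\
From: ""@yahoo.com
To: victim@example.com
Subject: Re: Check this out ;)
X-Mailer: OstroSoft SMTP Control (4.0.19)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Have Fun :)
--b1
Content-Type: application/octet-stream; name="holiday.com"
Content-Disposition: attachment; filename="holiday.com"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed benign message: a document attachment, no worm indicators.
CLEAN_EML = b"""\
From: alice@example.com
To: bob@example.com
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, is_suspect(raw), inspect_message(raw))
```

The attachment filename is taken from the Content-Disposition header, which is what a gateway sees before any decoding; the base64 body in the sample is a placeholder, not worm content.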
KaZaa Propagation
The worm copies itself to the KaZaa shared directory to invite other users to download and run the worm. It takes the file name of each existing file in the shared directory and replaces the extension with one of the following:
- exe
- scr
- bat
- com
- pif
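Because each P2P copy reuses the name of a file already in the shared folder with only the extension swapped, a shared directory infected this way contains executables whose stem matches a media or document file beside them, and all of those executables are byte-identical. The following is an added example for this page, not McAfee's code, that looks for both signals. The directory and files are constructed with tempfile so it runs anywhere; nothing is read from a real KaZaa installation.

```python
"""Find P2P decoy copies of the kind Holar.l drops into a shared folder.

Added example, not McAfee's code. The sample share is constructed.
"""
import hashlib
import os
import tempfile

# Extensions the worm substitutes, from the description above.
DECOY_EXTS = {".exe", ".scr", ".bat", ".com", ".pif"}


def find_decoys(directory):
    """Return sorted (decoy, original) pairs: an executable whose stem matches
    a non-executable file in the same directory."""
    by_stem = {}
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        by_stem.setdefault(stem.lower(), []).append((name, ext.lower()))
    pairs = []
    for entries in by_stem.values():
        originals = [n for n, e in entries if e not in DECOY_EXTS]
        decoys = [n for n, e in entries if e in DECOY_EXTS]
        pairs.extend((d, o) for d in decoys for o in originals)
    return sorted(pairs)


def identical_decoys(directory, pairs):
    """Group decoys by SHA-256. The worm writes the same file under every
    name, so several decoys sharing one hash confirms the pattern.
    Returns {hexdigest: [names]} for groups of two or more."""
    groups = {}
    for decoy, _ in pairs:
        with open(os.path.join(directory, decoy), "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        groups.setdefault(digest, set()).add(decoy)
    return {h: sorted(n) for h, n in groups.items() if len(n) > 1}


def build_sample_share():
    """Constructed sample share: two media files, their decoys, one benign exe."""
    d = tempfile.mkdtemp(prefix="kazaa_share_")
    worm = b"MZ constructed placeholder, not real worm content"
    files = {
        "holiday.jpg": b"\xff\xd8\xff\xe0 fake jpeg",
        "holiday.scr": worm,                         # decoy for holiday.jpg
        "essay.doc": b"\xd0\xcf\x11\xe0 fake doc",
        "essay.exe": worm,                           # decoy for essay.doc
        "setup.exe": b"MZ unrelated installer",       # no matching stem
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    share = build_sample_share()
    pairs = find_decoys(share)
    print("decoy pairs:", pairs)
    print("identical decoys:", identical_decoys(share, pairs))
```

On a real share, run find_decoys over the folder KaZaa is configured to publish; since this variant also tries to make the WINDOWS SYSTEM directory the shared folder, that directory is worth the same pass.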
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Hawawi.g (AVP)
- W32.Galil.C@mm (Symantec)
- W32/Hawawi.G@mm (F-Secure)
- W32/Holar-I (Sophos)
- WORM_HAWAWI.F (Trend)