W32/Holar.r@MM
Type: Virus
SubType: Worm
Discovery Date: 02/06/2004
Length: Varies
Minimum DAT: 4300 (10/29/2003)
Updated DAT: 4362 (05/19/2004)
Minimum Engine: 5.1.00
Description Added: 02/06/2004
Description Modified: 02/06/2004 5:23 PM (PT)
Characteristics
This worm is detected by the 4300 DATs and higher as W32/Holar.gen@MM. The 4323 DATs will add specific detection for this threat.
The worm consists of a three-file "sandwich":
DROPPER COMPONENT | PROPAGATION COMPONENT | SMTP LIBRARY
- Dropper component: 67,934 bytes
- Propagation component: 29,183 bytes
- SMTP library: 25,736 bytes
The dropper component exists only to drop and run the other two. It carries a WinZip icon and the following version-resource strings so that, in Explorer, it passes for the WinZip executable or a ZIP file:
- File version: 13.0.0.0
- Description: WinZip Executable
- Copyright: Copyright (c) WinZip Computing, Inc. 1991-2000 - All Rights Reserved
- Comments: StringFileInfo: U.S. English
- Company Name: WinZip Computing, Inc.
- Internal Name: WINZIP32.EXE
- Language: English (United States)
- Legal Trademarks: WinZip is a registered trademark of WinZip Computing, Inc
- Original Filename: WINZIP32.EXE
- Product Name: WinZip
- Product Version: 8.0 (3105)
- WZ32.DLL: 13,999
- WZINET32.DLL: 3,999
- WZINFO.DLL: 1,999
Version-resource strings are free-form data written by whoever built the file; Windows does not verify them, so a WinZip description and icon are no evidence of origin and should not be used to whitelist the file.
Upon execution, a fake error message is displayed.
Strings within the propagation component suggest the worm arrives in a message whose subject line and body are chosen from the following list (reproduced verbatim, misspellings included):
- file name from the local system
- blank
- Fw:
- Re:
- hey
  Check this out ;)
- Hey I thought you trusted me but ...
  i haven't ever thought i should send u my briefcase to gain ur Trust .
  Have it all :) bye
- Hey Wussap?
  Here is the Emmy ;) Dont tell Sam abt it
  Cya
- Another one?
- Heyyyy
  I lost the other email , anyway i sent u all u need
- i have just got it , plz tell me if u need more.
  bye
- Heyyyyyyyy Lola Wussaaap??
  I forgot to tell u , the other file is with Sam:) bye
- YO DUMP , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO U, SAVE IT
  BYEEE
- Hey wussap?
  i lost Sara's Email plzz send this file to her :)
  and tell her i can't be online tonight
  Bye
- heyyy
  I can't be online tonight :(
  anyway , i sent u something u r gonna love ;)
  cya tomorrow
- Hi
  i just wanted to say sorry for last night
  and .. i wish u accept this as an apology
  bye dear
- elegant ppl should satisfy thier taste with elegant things ;)
  Wait for more :)
- I've got your email , but you forgot to upload the attachments.
  Don't be selfish , i sent you all the files i have, send me anything :(
- heyyyy i tried many times to send u this email but ur account was out of storage as i think
  any way , make sure that i didn't and i won't forget u :)
  Cya Forgotten :P
- i thing the subject is enough to describe the attached file !
  check it out and replay your opinion
- Hiiiiiii
  i've got this surprise from a friend :)
  it really deserves a few minutes of your time.
- Never mind !
- Attatchments
- See the attatched file
- you seem to be mad @ me coz i didn't send u anything for along time,
  i didn't forget u , but i was kinda busy , i've got all of ur emails
  thanx :) and i hope u accept this one as an apology.
- gift :)
- Surprise!
- i'm fine , thanx for asking :)
  and thanx for the nice attachements.
  but unfortunately, i don't remember you
  i will be waiting for u emaill to remind me of your self.
  Hummm , i hope u accept this show as an apology.
- save it for hard times
- Happy Times :)
- Useful
- Very funny
- hey wuts up?
- i found this amazing file in my Recycled , i know u love this kind of things ;)
  cyaaa
- you have to see this!
- amazing!
Symptoms
The presence of the following registry entries:
- HKEY_CURRENT_USER "Cya" = <run count>
  This value, stored directly under the HKEY_CURRENT_USER root, counts how many times the worm has been run. Once the count exceeds 30, the worm attempts to disable keyboard input.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "NAV Agent"
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SystemChecker" = %SysDir%\SYSCHK.exe
  These Run values restart the worm at Windows startup; "NAV Agent" is named to pass for a Norton AntiVirus component.
The presence of the following files:
- %SysDir%\MizZabbat32.exe (67,934 bytes)
- %WinDir%\Sys32s\ZaCker.exe (67,934 bytes)
  Dropper component (two copies; Sys32s is a directory the worm creates, not a Windows one)
- %SysDir%\SysChk.exe (29,183 bytes)
  Propagation component
- %SysDir%\Smtp.Ocx (25,736 bytes)
  SMTP library
- %WinDir%\Sys32s\Runhelp.cab (6,323 bytes)
- %SysDir%\Runhelp.cab (6,323 bytes)
  These CAB files contain runhelp.inf (107 bytes), which runs ZaCker.exe. The worm also modifies folder.htt in the Windows Web folder so that it references Runhelp.cab. folder.htt is the Web-view template Explorer renders when a folder is opened, so merely browsing a folder in Web view can relaunch the worm even after the Run values have been removed; cleanup must restore folder.htt as well.
If the worm is unable to perform its mailing payload, it will delete the following file-types:
- JPG
- DOC
- PPS
- RAM
- RM
- XLS
- MDB
- RAR
- MPEG
- MPG
- AVI
- MPE
- ASF
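The indicators in this section lend themselves to a scripted host check. The following is an added example and not McAfee's own tooling: it matches collected file sizes, HKLM Run values and the HKCU "Cya" counter against the figures given above. The `collect_live` helper (which uses `winreg` and only runs on Windows), the strong/weak levels and the sample data are this example's own assumptions; the sample is a constructed picture of an infected host, not a real capture. "NAV Agent" is rated weak because the description does not record its data, so only the name can be matched.

```python
import os
import sys

# Artifacts listed in the Symptoms section, with the byte sizes given there.
HOLAR_FILES = {
    r"%SysDir%\MizZabbat32.exe": 67934,    # dropper
    r"%WinDir%\Sys32s\ZaCker.exe": 67934,  # dropper
    r"%SysDir%\SysChk.exe": 29183,         # propagation component
    r"%SysDir%\Smtp.Ocx": 25736,           # SMTP library
    r"%WinDir%\Sys32s\Runhelp.cab": 6323,  # CAB carrying runhelp.inf
    r"%SysDir%\Runhelp.cab": 6323,
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
HOLAR_RUN_VALUES = {"NAV Agent", "SystemChecker"}
KEYBOARD_KILL_THRESHOLD = 30  # run count above which the worm tries to disable the keyboard


def expand(template, windir, sysdir):
    return template.replace("%WinDir%", windir).replace("%SysDir%", sysdir)


def scan(file_sizes, run_values, cya_count, windir, sysdir):
    """Match collected host data against the indicators.

    file_sizes: {absolute path: size in bytes} for files that exist
    run_values: {value name: command string} read from the HKLM Run key
    cya_count:  data of HKCU "Cya", or None when the value is absent
    Returns (level, message) tuples; level is "strong" or "weak" (this example's own scale).
    """
    findings = []
    sizes_ci = {p.lower(): s for p, s in file_sizes.items()}  # Windows paths are case-insensitive
    for template, expected in HOLAR_FILES.items():
        path = expand(template, windir, sysdir)
        size = sizes_ci.get(path.lower())
        if size is None:
            continue
        if size == expected:
            findings.append(("strong", f"{path} present with the documented size ({size} bytes)"))
        else:
            findings.append(("weak", f"{path} present but {size} bytes, not {expected}: possible variant"))
    for name, command in run_values.items():
        if name not in HOLAR_RUN_VALUES:
            continue
        if name == "SystemChecker" and command.strip('"').lower().endswith("syschk.exe"):
            findings.append(("strong", f'Run value "{name}" starts {command}'))
        else:
            findings.append(("weak", f'Run value "{name}" = {command!r} (name used by the worm)'))
    if cya_count is not None:
        try:
            count = int(cya_count)
        except (TypeError, ValueError):
            count = None
        msg = f'HKCU "Cya" run counter present ({cya_count!r})'
        if count is not None and count > KEYBOARD_KILL_THRESHOLD:
            msg += f"; above {KEYBOARD_KILL_THRESHOLD}, so the keyboard-disable payload is due"
        findings.append(("strong" if count is not None else "weak", msg))
    return findings


def collect_live():
    """Gather the same data from a running Windows host (hypothetical helper, not McAfee's)."""
    import winreg
    windir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    sysdir = os.path.join(windir, "System32")
    file_sizes = {}
    for template in HOLAR_FILES:
        path = expand(template, windir, sysdir)
        if os.path.isfile(path):
            file_sizes[path] = os.path.getsize(path)
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            run_values[name] = str(data)
            index += 1
    try:  # the marker sits directly under the HKCU root, so query the root handle itself
        cya, _ = winreg.QueryValueEx(winreg.HKEY_CURRENT_USER, "Cya")
    except OSError:
        cya = None
    return file_sizes, run_values, cya, windir, sysdir


# Constructed sample of what an infected host might yield (not a real capture).
SAMPLE_WINDIR, SAMPLE_SYSDIR = r"C:\WINDOWS", r"C:\WINDOWS\System32"
SAMPLE_FILES = {
    r"C:\WINDOWS\System32\MizZabbat32.exe": 67934,
    r"C:\WINDOWS\System32\SysChk.exe": 29183,
    r"C:\WINDOWS\System32\Smtp.Ocx": 25736,
    r"C:\WINDOWS\Sys32s\ZaCker.exe": 70000,  # wrong size: reported as a possible variant
}
SAMPLE_RUN = {
    "SystemChecker": r"C:\WINDOWS\System32\SYSCHK.exe",
    "NAV Agent": r"C:\WINDOWS\Sys32s\ZaCker.exe",
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",  # legitimate entry, ignored
}
SAMPLE_CYA = 31


def scan_sample():
    return scan(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_CYA, SAMPLE_WINDIR, SAMPLE_SYSDIR)


if __name__ == "__main__":
    results = scan(*collect_live()) if sys.platform == "win32" else scan_sample()
    for level, message in results:
        print(f"[{level}] {message}")
```

A size mismatch on a known path is reported rather than ignored because the variants listed under Aliases differ from this one mainly in component size; the path alone is worth an analyst's attention.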
Method of Infection
This worm spreads via email, using its SMTP library component. It may also try to spread via network shares, but this was not observed in testing.
The attachment filename varies with what is present on the victim machine: the first part of the name is taken from an existing file name found on the infected sender's system, and the extension is taken from the following list:
- UUE
- MIM
- HQX
- UU
- XXE
- BHX
- EXE
The files to be sent are copied to the Windows Temp directory, one per extension listed above. The EXE file is the dropper component and can be run directly. The others (each 95,138 bytes) are encoded-archive wrappers (uuencode, MIME, BinHex and xxencode formats) that WinZip registers as its own file types; opened with WinZip, each unpacks the same executable dropper. Mail filters that block only .exe attachments let the other six through, which is the point of using them.
Addresses for the To: and From: fields are taken from registry entries relating to MSN and Yahoo Messenger, and from the Microsoft Outlook address book. Because the From: address is harvested in the same way as the recipients, the apparent sender is not a reliable pointer to the infected machine.
Messages carry the X-Mailer header of the off-the-shelf SMTP library (an ActiveX control, shipped as Smtp.Ocx) that the worm uses:
- OstroSoft SMTP Control (4.0.19)
Since that control is a redistributable component that other mail-sending software may also use, the header on its own is a weak indicator; combine it with the attachment extension and size.
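The mail-side indicators described in this section (the X-Mailer fingerprint, the attachment extension list and the two fixed attachment sizes) can be checked on a captured message with the standard library `email` parser. The following is an added example and not part of the original description: the sample messages it builds are constructed, and the rule in `is_likely_holar` that two independent strong indicators are needed is this example's own choice, made because the OstroSoft control also appears in legitimate mail.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the Method of Infection section.
HOLAR_XMAILER = "OstroSoft SMTP Control (4.0.19)"
ARCHIVE_EXTENSIONS = {"uue", "mim", "hqx", "uu", "xxe", "bhx"}  # encoded-archive wrappers WinZip opens
DROPPER_SIZE = 67934  # .exe attachment: the dropper itself
ARCHIVE_SIZE = 95138  # each of the encoded-archive variants


def triage_message(raw):
    """Return (level, reason) tuples for the Holar.r indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    xmailer = str(msg.get("X-Mailer", "")).strip()
    if xmailer == HOLAR_XMAILER:
        hits.append(("strong", f"X-Mailer is the worm's SMTP library: {xmailer}"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        size = len(part.get_payload(decode=True) or b"")
        if ext == "exe":
            level = "strong" if size == DROPPER_SIZE else "weak"
            hits.append((level, f"executable attachment {name!r}, {size} bytes"))
        elif ext in ARCHIVE_EXTENSIONS:
            level = "strong" if size == ARCHIVE_SIZE else "weak"
            hits.append((level, f"encoded-archive attachment {name!r} (.{ext}), {size} bytes; "
                                "WinZip opens it and exposes the dropper"))
    return hits


def is_likely_holar(raw):
    """Two independent strong indicators (mailer fingerprint plus an attachment of the documented size)."""
    strong = sum(1 for level, _ in triage_message(raw) if level == "strong")
    return strong >= 2


def build_sample(x_mailer, filename, size):
    """Constructed message for exercising the triage; not a captured worm email."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re:"
    if x_mailer:
        msg["X-Mailer"] = x_mailer
    msg.set_content("Check this out ;)")
    msg.add_attachment(b"\x00" * size, maintype="application", subtype="octet-stream", filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    samples = [
        ("worm-like", build_sample(HOLAR_XMAILER, "holiday.uue", ARCHIVE_SIZE)),
        ("exe only", build_sample("Some Mailer 1.0", "setup.exe", 12345)),
        ("benign", build_sample("", "notes.txt", 100)),
    ]
    for label, raw in samples:
        print(label, is_likely_holar(raw), triage_message(raw))
```

The encoded-archive branch deliberately reports any .uue/.mim/.hqx/.uu/.xxe/.bhx attachment, not only those of 95,138 bytes, because a gateway that already blocks .exe gains most by treating those wrappers the same way; lower the verdict threshold if that is too noisy for a given mail stream.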
Removal
All Users:
Use the current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup are removed when cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations apply.
Overview
This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.
Aliases
- I-Worm.Holar.f (AVP)
- W32.Galil.F@mm (NAV)
- W32/Hawawi.F (F-Prot)
- W32/Holar-J (Sophos)
- W32/Holar.K.worm (Panda)
- Win32.Holar.J (CA)
- WORM_HOLAR.F (Trend)
Variants
N/A