W32/Hiton.a@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 03/02/2004
Length:
  • 44,036 bytes (EXE)
  • 44,036 bytes (DLL)
  • approx 44 kB (ZIP)
Minimum DAT: 4331 (03/02/2004)
Updated DAT: 4445 (03/11/2005)
Minimum Engine: 5.1.00
Description Added: 03/02/2004
Description Modified: 03/02/2004 11:44 AM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

This email worm bears the following characteristics:

  • constructs messages using its own SMTP engine
  • harvests target email addresses from the victim machine
  • spoofs the From: addresses of sent messages
  • copies itself locally using various enticing filenames

Proactive Detection
McAfee products running the 4120 DATs or greater (that is, DATs released before the 4331 DATs that carry the specific signature) detect this threat as "virus or variant New Worm" with program heuristics (and the scanning of compressed files) enabled.

Mail Propagation

This virus constructs messages using its own SMTP engine, sending them to addresses harvested from the victim machine. The From: address is spoofed, so replies and bounces go to the spoofed address rather than to the owner of the infected machine.

From: spoofed
Subject: taken from strings within the virus
Body: taken from strings within the virus
Attachment: copy of the worm with a varying filename, possibly inside a ZIP file. Frequently the filename carries a double extension of the form:

  • .HTM (many spaces) .EXE

The run of spaces pushes the real .EXE extension out of the visible part of the filename in mail clients and file dialogs, so the attachment appears to be an .HTM file.

Harvested email addresses are written to the following file:

  • %SysDir%\WSICK32.DLL

Despite the .DLL extension, this is a data file holding the address list, not a library.

P2P Propagation

The virus creates a folder named .{21EC2020-3AEA-1069-A2DD-08002B30309D} within %WinDir%, for example:

  • c:\WINNT\.{21EC2020-3AEA-1069-A2DD-08002B30309D}

{21EC2020-3AEA-1069-A2DD-08002B30309D} is the class identifier of the Control Panel, and Explorer presents a folder whose name ends in a CLSID as that shell object rather than as an ordinary directory, so the folder opens as the Control Panel and its real contents stay out of sight. The virus copies itself into this folder multiple times using various enticing filenames carried in its body, posing as keygens and cracks for popular software, the kind of file a P2P user searches for; for example:

  • 3D Studio Max 6 Keygen.exe
  • Adobe Atmosphere 1 Crack.exe
  • Adobe Illustrator CS Keygen.zip.pif
  • Adobe InCopy CS Keygen.exe
  • AutoCAD Mechanical 2004 DX Keygen.exe
  • Borland C++ Builder X Enterprise Keygen.exe
  • Borland Delphi 8 Enterprise Keygen.exe
  • Borland JBuilder X Enterprise Keygen.exe
  • Counter Strike - Condition Zero Online Crack.exe
  • Cyberlink PowerProducer 2 Gold Crack.exe
  • Dead to Rights Crack.zip.pif
  • Deep Sea Tycoon Keygen.exe
  • Easy CD Creator 7 Crack.exe
  • FIFA Football 2004 Keygen.exe
  • Geomagic Studio V6 Keygen.exe
  • InstallShield DevStudio 9 SP1 Crack.exe
  • Jack The Ripper Keygen.exe
  • L'Entraineur 4 Saison 2003-2004 Multilangue Keygen.exe
  • Leadtools Multimedia Imaging Suite Crack.exe
  • Legacy of Kain - Defiance Keygen.exe
  • MCAfee Internet Security 6 Keygen.exe
  • Microsoft Office NET Keygen.exe
  • Microsoft Systems Management Server 2003 Keygen.exe
  • Microsoft Technet 2004 Keygen.exe
  • Microsoft Windows Server 2003 Keygen.exe
  • Microsoft Windows XP Media Center Edition 2004 Keygen.exe
  • Microsoft Windows XP SP2 No Activation Keygen.exe
  • Nero_Burning_Rom_6_0_0_1_9 Crack.exe
  • Onimusha Keygen.exe
  • Pinnacle Studio v9 Multilanguage Keygen.exe
  • Point of Attack 2 Keygen.exe
  • PowerDVD 5 Deluxe Keygen.exe
  • ScanSoft OmniPage v14 Office Keygen.exe
  • School Tycoon Crack.exe
  • Symantec Norton Anti Spam 2004 Enterprise Keygen.exe
  • Symantec Norton Anti Virus 2004 Enterprise Keygen.exe
  • Symantec Norton Systemworks 2004 Enterprise Keygen.exe
  • Veritas Backup Exec V91 Keygen.exe
  • Wakeboard Unleashed Crack.exe

It also harvests application filenames from the victim machine, writing them to the following file:

  • %SysDir%\WSUCK32.DLL

These harvested names are used for some of the copies of itself. Such copies may also be placed within a similarly named ZIP archive. For example:

  • ntfilmon.exe
  • pdump32.exe
  • pdump32.zip
  • procexpnt.exe
  • procexpnt.zip
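Both the mail attachment names above (.HTM followed by many spaces and then .EXE) and the P2P lure names (.zip.pif double extensions, keygen and crack filenames, ZIP copies) can be triaged mechanically. The following Python is an added example, not code from the McAfee description or from the worm: it classifies a filename by its true (last) extension, flags a benign extension padded with spaces or stacked in front of an executable one, and opens an in-memory ZIP to apply the same check to each member. The extension sets, the lure keywords and the sample ZIP contents are constructed for illustration.

```python
"""Filename triage for the attachment and lure names used by W32/Hiton.a@MM.
Added example; the extension sets and sample ZIP are constructed for illustration."""
import io
import re
import zipfile

# Assumption: illustrative sets, not an exhaustive list of what Windows executes.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd"}
BENIGN_EXTS = {"htm", "html", "txt", "doc", "jpg", "gif", "zip", "pdf"}
LURE_WORDS = ("keygen", "crack")


def classify_name(name: str) -> list[str]:
    """Return the reasons a filename looks like a disguised executable.

    An empty list means nothing suspicious was found.  Only the last dotted
    component decides how Windows treats the file, so that is the true extension.
    """
    reasons = []
    parts = name.split(".")
    if len(parts) >= 2:
        true_ext = parts[-1].strip().lower()
        if true_ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{true_ext}")
            # '.HTM<many spaces>.EXE': the visible extension is followed by a run
            # of spaces that pushes the real extension out of view.
            padded = re.fullmatch(r"(\w+)( +)", parts[-2])
            if padded and padded.group(1).lower() in BENIGN_EXTS:
                reasons.append(f"benign .{padded.group(1).lower()} padded with "
                               f"{len(padded.group(2))} spaces")
            elif parts[-2].strip().lower() in BENIGN_EXTS:
                # '.zip.pif' style: a harmless-looking extension stacked in front.
                reasons.append(f"double extension .{parts[-2].strip().lower()}.{true_ext}")
    lowered = name.lower()
    for word in LURE_WORDS:
        if word in lowered:
            reasons.append(f"lure keyword '{word}'")
    return reasons


def classify_zip(data: bytes) -> dict[str, list[str]]:
    """Apply classify_name to every member of an in-memory ZIP attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return {info.filename: classify_name(info.filename) for info in archive.infolist()}


def build_sample_zip() -> bytes:
    """Constructed sample ZIP whose member names mimic the worm's; the payloads
    are placeholder bytes, not worm code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("pdump32.exe", b"placeholder")
        archive.writestr("readme.htm" + " " * 30 + ".exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = ("report.pdf", "pdump32.exe", "Dead to Rights Crack.zip.pif",
               "invoice.htm" + " " * 20 + ".exe")
    for sample in samples:
        print(repr(sample), "->", classify_name(sample))
    for member, reasons in classify_zip(build_sample_zip()).items():
        print("zip member", repr(member), "->", reasons)
```

The check deliberately keys on the last dotted component: whatever a user sees in a truncated column, Windows decides what to run from the final extension, so any heuristic that reads the first extension instead is exactly what the padding trick exploits.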

Symptoms

  • Existence of the files/Registry keys detailed here
  • Lookups for AV company domains resolving to localhost (127.0.0.1) because the hosts file has been overwritten
  • A file named SVCHOST.EXE in %WinDir% rather than in %SysDir%, where the legitimate Windows svchost.exe resides

Method of Infection

Installation

The virus installs itself into %WinDir% as SVCHOST.EXE, for example:

  • C:\WINNT\SVCHOST.EXE

This borrows the name of the legitimate Windows service host, which resides in %SysDir% (for example C:\WINNT\System32\svchost.exe), so the full path rather than the filename distinguishes the worm's copy.

System startup is hooked via the following key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Service Host Driver" = C:\WINNT\svchost.exe

The following Registry value is added; cmd.exe executes it every time a command prompt is opened, which gives the virus a second launch path independent of the Run entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun" = C:\WINNT\svchost.exe

Similarly to W32/Mydoom@MM, the following key is also modified so that the dropped DLL is loaded at startup. The CLSID is that of the WebCheck shell service object, which Explorer loads automatically, so the DLL named in InProcServer32 ends up loaded into Explorer's process:

  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)"

The value is changed from:

  • %SystemRoot%\System32\webcheck.dll

to:

  • %SysDir%\mssvc.dll

The local hosts file (%SysDir%\drivers\etc\hosts) is also overwritten by this virus. It redirects all lookups for domains associated with various AV companies to localhost (127.0.0.1), so the infected machine can no longer reach those vendors' web and update sites.
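The symptoms and installation artefacts above can be checked from a host snapshot. The following Python is an added example, not part of the McAfee description: it parses a hosts file and reports AV-vendor names pinned to any loopback address (IPv6 ::1 as well as 127.0.0.1, which goes slightly beyond the page's 127.0.0.1), evaluates a registry snapshot for the Run value, the Command Processor AutoRun value and the WebCheck CLSID hijack, and flags an svchost.exe outside the system directory. The AV domain list, the sample hosts text, the sample registry values and the C:\WINNT\system32 default are constructed assumptions; read_live_registry uses winreg and therefore only runs on Windows.

```python
"""Host checks for the W32/Hiton.a@MM symptoms described above.
Added example with constructed sample data, not artefacts from an infected host."""
import ipaddress
import ntpath

# Assumption: illustrative AV vendor domains; the page does not list them.
AV_DOMAINS = ("mcafee.com", "nai.com", "symantec.com", "sophos.com",
              "kaspersky.com", "trendmicro.com")

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
CMD_KEY = r"HKCU\Software\Microsoft\Command Processor"
WEBCHECK_KEY = r"HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"
WATCHED = ((RUN_KEY, "Service Host Driver"), (CMD_KEY, "AutoRun"), (WEBCHECK_KEY, ""))


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:            # one address may carry several names
            entries.append((fields[0], host))
    return entries


def find_av_redirects(hosts_text: str) -> list[str]:
    """AV-vendor hostnames that the hosts file pins to a loopback address."""
    hits = []
    for addr, host in parse_hosts(hosts_text):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback   # 127/8 and ::1
        except ValueError:
            continue                       # malformed address, skip the line
        host = host.lower()
        if loopback and any(host == d or host.endswith("." + d) for d in AV_DOMAINS):
            hits.append(host)
    return hits


def check_registry(snapshot: dict[tuple[str, str], str]) -> list[str]:
    """Evaluate a {(key, value_name): data} snapshot for the worm's three hooks."""
    findings = []
    run = snapshot.get((RUN_KEY, "Service Host Driver"))
    if run is not None:
        findings.append(f"Run value 'Service Host Driver' -> {run}")
    autorun = snapshot.get((CMD_KEY, "AutoRun"))
    if autorun:   # absent on a default install; cmd.exe executes it on every start
        findings.append(f"Command Processor AutoRun -> {autorun}")
    inproc = snapshot.get((WEBCHECK_KEY, ""))
    if inproc is not None and ntpath.basename(inproc).lower() != "webcheck.dll":
        findings.append(f"WebCheck InProcServer32 no longer webcheck.dll -> {inproc}")
    return findings


def svchost_out_of_place(path: str, sysdir: str = r"C:\WINNT\system32") -> bool:
    """True for a file named svchost.exe anywhere but the system directory
    (the legitimate svchost.exe lives in %SysDir%; the sysdir default is an assumption)."""
    if ntpath.basename(path).lower() != "svchost.exe":
        return False
    return ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(sysdir)


def read_live_registry() -> dict[tuple[str, str], str]:
    """Collect the watched values from a running Windows host (winreg is Windows-only)."""
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKCR": winreg.HKEY_CLASSES_ROOT}
    snapshot = {}
    for key, name in WATCHED:
        root, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], subkey) as handle:
                snapshot[(key, name)] = str(winreg.QueryValueEx(handle, name)[0])
        except OSError:
            pass                           # key or value absent: nothing to report
    return snapshot


# Constructed sample data shaped like the artefacts the description lists.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.mcafee.com download.mcafee.com
127.0.0.1       liveupdate.symantec.com
::1             securityresponse.symantec.com
192.0.2.10      intranet.example.com   # legitimate entry, must not be flagged
"""
SAMPLE_REGISTRY = {
    (RUN_KEY, "Service Host Driver"): r"C:\WINNT\svchost.exe",
    (CMD_KEY, "AutoRun"): r"C:\WINNT\svchost.exe",
    (WEBCHECK_KEY, ""): r"C:\WINNT\system32\mssvc.dll",
}

if __name__ == "__main__":
    import sys
    snap = read_live_registry() if sys.platform == "win32" else SAMPLE_REGISTRY
    print("AV hosts pinned to loopback:", find_av_redirects(SAMPLE_HOSTS))
    for finding in check_registry(snap):
        print("registry:", finding)
    print("svchost out of place:", svchost_out_of_place(r"C:\WINNT\svchost.exe"))
```

The WebCheck check compares only the DLL basename against webcheck.dll rather than the full %SystemRoot%\System32 path, so it still passes on a clean host where the value is stored with an expanded or differently cased path; the svchost check does the opposite and compares the directory, because there the filename is the decoy.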

Removal

All Users:
Use the specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed successfully when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all Registry keys created by this threat. After cleaning, confirm that the hosts file no longer maps AV vendor domains to 127.0.0.1, since a stale hosts file keeps the machine from reaching those vendors' update sites.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32/Hiton.gen@MM
