W32/Hakaglan.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 03/19/2007
- Length: 268.288
- Minimum DAT: 4988 (03/20/2007)
- Updated DAT: 4988 (03/20/2007)
- Minimum Engine: 5.1.00
- Description Added: 03/19/2007
- Description Modified: 03/19/2007 3:15 AM (PT)
Characteristics
W32/Hakaglan.worm is a virus that spreads by means of an AutoIt script.
Detection was added to cover a malicious 32-bit PE file named "F_DRIVE.exe" with a file size of 268.288 bytes (268,288 decimal). The worm spreads by means of an AutoIt script and is packed with UPX to conceal its contents.
Viewed in Windows Explorer, its icon resembles a folder; this is simply a trick to get the user to double-click it unknowingly.
When run, it operates silently: no GUI or message boxes appear on screen.
By then it has already copied itself onto the system as "rvhost.exe" and added registry entries to launch itself:
- c:\WINNT\RVHOST.exe (268.288 bytes, identical to f_drive.exe)
- c:\WINNT\system32\RVHOST.exe (268.288 bytes)
- c:\WINNT\Tasks\At1.job (342 bytes)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger", Data: C:\WINNT\System32\RVHOST.exe
It also has side effects, such as disabling the Windows Task Manager, through the following registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"
Symptoms
- Presence of "F_DRIVE.exe" and/or "rvhost.exe" with a file size of 268.288 bytes
- Presence of the registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger" with Data: C:\WINNT\System32\RVHOST.exe
- Side effects such as a disabled Windows Task Manager, caused by the following registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NofolderOptions"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule "AtTaskMaxHours"
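A read-only triage check for the symptoms listed above, added here as an example and not part of the McAfee description. It assumes the system root is taken from $env:SystemRoot (the description shows C:\WINNT) and that the expected size is 268,288 bytes; run it from an elevated PowerShell prompt.

```powershell
# Added example: check a host for the W32/Hakaglan.worm indicators described above.
# Assumption: $env:SystemRoot stands in for the hard-coded C:\WINNT in the description.
$expectedSize = 268288   # "268.288 bytes decimal"
$root = $env:SystemRoot
$findings = @()

# 1. Dropped files. The name alone is weak evidence; the size must match too.
foreach ($path in @("$root\RVHOST.exe", "$root\system32\RVHOST.exe", "$root\Tasks\At1.job")) {
    if (Test-Path -LiteralPath $path) {
        $len  = (Get-Item -LiteralPath $path).Length
        $note = if ($len -eq $expectedSize) { 'size matches worm' } else { 'size differs' }
        $findings += "File present: $path ($len bytes, $note)"
    }
}

# 2. Startup hook: Run value named "Yahoo Messengger" (note the double g).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue
if ($null -ne $run) {
    $findings += "Run value 'Yahoo Messengger' -> $($run.'Yahoo Messengger')"
}

# 3. Policy values the worm sets to hide folder options and block Task Manager / regedit.
#    AtTaskMaxHours is a legitimate Schedule service value and may exist on clean hosts,
#    so treat it only as corroboration alongside the other indicators.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NofolderOptions')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
    'HKLM:\SYSTEM\ControlSet001\Services\Schedule'                      = @('AtTaskMaxHours')
}
foreach ($key in $policies.Keys) {
    foreach ($name in $policies[$key]) {
        $p = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $p) { $findings += "Registry value $key\$name = $($p.$name)" }
    }
}

if ($findings.Count -eq 0) { 'No W32/Hakaglan.worm indicators found.' } else { $findings }
```

The script only reads; removal is left to the recommended engine and DAT combination, which also reverts the startup hooks.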
Method of Infection
Manual infection: no exploit is involved; the user has to run the file.
Removal
All Users:
Use the current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Aliases
- Trojan.Agent.ahe (Rising)
- W32/SillyFDC-G (Sophos)
- W32/SillyFDC.G (Fortinet)
- W32/Sohanat.BD.worm (Panda)
- Win32.HLLW.Cung (Doctor Web)
- Win32/Nuqel.A (CA Vet)
- Win32:Hakaglan [Wrm] (Alwil)
- Worm.Hakaglan.B (Virusbuster)
- Worm.Win32.AutoIt.e (Kaspersky)
- Worm/Hakaglan.A.2 (H+BEDV)