W32/Xiaoho.worm

Type: Virus
SubType: Worm
Discovery Date: 08/01/2007
Length: Varies
Minimum DAT: 5088 (08/01/2007)
Updated DAT: 5344 (07/22/2008)
Minimum Engine: 5.1.00
Description Added: 08/01/2007
Description Modified: 08/18/2007 1:55 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

 -- Update August 18, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://shanghaiist.com/2007/08/17/vicious_new_chi.php

To receive an extra.dat file for this threat please visit: https://www.webimmune.net/extra/getextra.aspx

This detection is for a worm which tries to copy itself to removable drives. It will destroy the systems it runs on by infecting all .exe files and changing their icons to the Chinese character HAO.

Upon execution, the worm drops a copy of itself into the Windows System folder:

  • %SysDir%\exloroe.exe

The worm creates the following registry keys to activate itself:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\: "系统设置"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath: "%SystemRoot%\system32\exloroe.exe"

It spreads by dropping files named autorun.inf and xiaohao.exe on removable drives and setting their file attributes to hidden.

The worm infects .exe files by overwriting them or corrupting them beyond repair. This changes their icon to the Chinese character HAO.

It also changes the active window title to "X14o-H4o":

The file C:\Jilu.txt is created to list all the infected files.

The worm also infects .html, .htm, .asp and other script files by inserting an iframe that references a remote URL.

It also changes system time to Jan 17, 2005 to try to disable antivirus programs.
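As an added triage example (not part of the McAfee description), the helper below checks a drive root for the autorun.inf/xiaohao.exe dropper pair and the Jilu.txt infection log, and flags remote iframes of the kind the worm plants in .html/.htm/.asp files. The autorun.inf key names are general Windows knowledge rather than quoted from the page, and the mock drive in demo() is constructed sample data, not a real capture.

```python
import os
import re
import tempfile

# Artifact names from the W32/Xiaoho.worm description
WORM_NAMES = {"xiaohao.exe", "exloroe.exe"}
LOG_FILE = "Jilu.txt"
# Standard autorun.inf launch keys (general Windows knowledge, not quoted from the page)
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")
IFRAME_RE = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)

def autorun_targets(inf_text):
    """Return lower-cased basenames of the programs an autorun.inf would launch."""
    targets = []
    for line in inf_text.splitlines():
        key, sep, value = line.partition("=")
        parts = value.split()
        if sep and parts and key.strip().lower() in AUTORUN_KEYS:
            targets.append(parts[0].replace("\\", "/").rsplit("/", 1)[-1].lower())
    return targets

def remote_iframes(html):
    """Return remote iframe URLs; the worm plants one in .html/.htm/.asp files."""
    return IFRAME_RE.findall(html)

def scan_drive_root(root):
    """Check one drive root (removable or system) for the dropper pair and the log."""
    findings = []
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="latin-1") as f:
            for target in autorun_targets(f.read()):
                if target in WORM_NAMES:
                    findings.append(f"autorun.inf launches {target}")
    for name in sorted(os.listdir(root)):
        if name.lower() in WORM_NAMES:
            findings.append(f"dropper present: {name}")
    if os.path.isfile(os.path.join(root, LOG_FILE)):
        findings.append(f"infection log present: {LOG_FILE}")
    return findings

def demo():
    """Scan a constructed mock drive root (sample files, not a real capture)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as f:
            f.write("[autorun]\nopen=xiaohao.exe\n")
        open(os.path.join(root, "xiaohao.exe"), "wb").close()
        open(os.path.join(root, LOG_FILE), "w").close()
        return scan_drive_root(root)
```

On a live host, call scan_drive_root() on each drive letter (including C:\ for Jilu.txt) and remote_iframes() on the contents of web files; a hit is a reason to run the recommended engine and DAT, not proof of infection by itself.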

Symptoms

  • The infected files' icons change to be the Chinese character HAO.
  • Active windows have their title changed to "X14o-H4o's Virus"

Method of Infection

This worm may arrive via a malicious link, or it may spread by its intended method, infected removable drives.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A


Aliases

  • Virus.Win32.Agent.ai
  • Virus.Win32.Agent.o
  • W32.Hauxi
  • W32/Hoaix-A
  • W32/XiaoHao.A
