W32/Heiku

Type
Virus
SubType
Win32
Discovery Date
11/30/2007
Length
39424 bytes
Minimum DAT
5175 (11/30/2007)
Updated DAT
5175 (11/30/2007)
Minimum Engine
5.1.00
Description Added
11/30/2007
Description Modified
12/05/2007 11:41 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This worm modifies Internet Explorer's start page and window title. It also sets several system policy values in the registry to stop the user from reversing its changes (Folder Options and regedit are disabled). The worm hides folders and drops copies of itself under folder-like names so that they are opened in place of the real folders.

It deletes the following registry value (the default value of the Directory\DefaultIcon key, which points at the stock folder icon):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DefaultIcon\: "%SystemRoot%\System32\shell32.dll,3"

The following registry values are added:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DefaultIcon\: "%SYSDIR%\filesrv32.exe" (real folders now display the icon embedded in the worm's executable)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IeakHelpString: "I will always be with you, Huelar!"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 0x00000001 (removes Folder Options from Explorer, so hidden-file display cannot be re-enabled from the UI)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft File Server Manager 2.36: "%SYSDIR%\filesrv32.exe" (persistence at logon)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Heiku - Munist: "%SYSDIR%\EraleuH.exe" (persistence at logon)
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EnableHeikus: "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InstallDate: "11/1/2007"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title: "Freak-X Browser"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001 (blocks regedit.exe; reg.exe and the PowerShell registry provider are not affected)

Modified registry values:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page: "http://www.hentai[removed].com/"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page: "http://www.hentai[removed].com/"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: 0x00000000 (Explorer stops showing hidden files and folders; 1 is the "show hidden files" setting)

The worm duplicates itself as the following files:

  • %DOCUMENTSETTINGS%\All Users\Documents\Admin Files.exe
  • %DOCUMENTSETTINGS%\All Users\Documents\MP3 Files.exe
  • %DOCUMENTSETTINGS%\All Users\Documents\My Media Files.exe
  • %DOCUMENTSETTINGS%\All Users\Templates\Excel templates.exe
  • %DOCUMENTSETTINGS%\All Users\Templates\PowerPoint temlates.exe
  • %DOCUMENTSETTINGS%\username\Desktop\User.exe
  • %SYSDIR%\Aquarium 200.scr
  • %SYSDIR%\EraleuH.exe
  • %SYSDIR%\filesrv32.exe
  • %ROOTDIR%:\.exe

It adds these files:

  • %DOCUMENTSETTINGS%\username\Favorites\Links\Free Porn Anime.url
  • %DOCUMENTSETTINGS%\username\Favorites\Links\Mouth Fuck'in Action.url
  • %DOCUMENTSETTINGS%\username\Favorites\Links\My Sex Videos.url
  • %DOCUMENTSETTINGS%\username\Favorites\Links\Online Sex Videos.url
  • %DOCUMENTSETTINGS%\username\Favorites\Links\Philippine Underground.url
  • %WINDIR%\huelar.txt

Folders added:

  • %DOCUMENTSETTINGS%\username\Desktop\User

The worm will also attempt to spread through a floppy drive if available by copying itself to:

  • A:\Saved Documents.exe
  • A:\My Videos.exe
  • A:\My Music.exe
  • A:\Important Documents.exe
  • A:\Gerger_files.exe
  • A:\drvspace.com

(where %SYSDIR% is the Windows system32 directory, e.g. C:\Windows\system32;
%WINDIR% is the Windows directory, e.g. C:\Windows;
%DOCUMENTSETTINGS% is the Windows Documents and Settings directory, e.g. C:\Documents and Settings;
%ROOTDIR% is the Windows root directory, e.g. C:\)

Symptoms

Presence of the files and registry values listed above.
Unexpected change to the Internet Explorer start page or window title; Folder Options and regedit no longer available.

Method of Infection

It spreads by copying itself to a floppy disk (drive A:) under the document-like file names listed above; it has no network propagation routine.

Removal

AVERT recommends always running the latest DATs and engine; with at least the minimum DAT and engine listed above this threat is detected and cleaned.
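For hosts where the scanner cannot be run immediately, or to confirm a cleanup, the following script is an added example (not a McAfee tool and not part of the original description) that sweeps for the registry values and files listed above and, with the hypothetical -Remediate switch, undoes the persistence and lockout settings. It assumes an elevated PowerShell prompt on the affected host, that the current user is the infected profile (the HKCU values are per user), and that the environment variables expand to the same locations the description abbreviates as %SYSDIR%, %WINDIR% and %DOCUMENTSETTINGS%.

```powershell
# Added example: W32/Heiku indicator sweep and manual rollback. Not McAfee's code.
# Run from an elevated prompt; re-run under each affected user for the HKCU items.
param([switch]$Remediate)

$sysdir      = [Environment]::GetFolderPath('System')   # %SYSDIR%
$windir      = $env:windir                              # %WINDIR%
$userProfile = $env:USERPROFILE
$docset      = Split-Path -Parent $userProfile          # %DOCUMENTSETTINGS% (C:\Users on Vista+)

# Registry values the worm writes: key, value name, and a -like pattern for the malicious data.
$iocValues = @(
  @{ Key='HKLM:\SOFTWARE\Classes\Directory\DefaultIcon';                      Name='(default)';                          Bad='*filesrv32.exe*' }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion';                   Name='IeakHelpString';                     Bad='*Huelar*' }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'; Name='NoFolderOptions';                    Bad='1' }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name='Microsoft File Server Manager 2.36'; Bad='*' }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name='Heiku - Munist';                     Bad='*' }
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer';                        Name='EnableHeikus';                       Bad='*' }
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name='Window Title';                       Bad='Freak-X Browser' }
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name='Start Page';                         Bad='http://www.hentai*' }
  @{ Key='HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name='Local Page';                         Bad='http://www.hentai*' }
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableRegistryTools';               Bad='1' }
)

# Dropped copies and files, expanded from the description's placeholders.
$iocFiles = @(
  "$sysdir\filesrv32.exe"; "$sysdir\EraleuH.exe"; "$sysdir\Aquarium 200.scr"; "$windir\huelar.txt"
  "$docset\All Users\Documents\Admin Files.exe"; "$docset\All Users\Documents\MP3 Files.exe"
  "$docset\All Users\Documents\My Media Files.exe"; "$docset\All Users\Templates\Excel templates.exe"
  "$docset\All Users\Templates\PowerPoint temlates.exe"; "$userProfile\Desktop\User.exe"
  "$userProfile\Favorites\Links\Free Porn Anime.url"; "$userProfile\Favorites\Links\Mouth Fuck'in Action.url"
  "$userProfile\Favorites\Links\My Sex Videos.url"; "$userProfile\Favorites\Links\Online Sex Videos.url"
  "$userProfile\Favorites\Links\Philippine Underground.url"
)
if (Test-Path 'A:\') {   # floppy copies, only if a drive A: is present
  $iocFiles += 'Saved Documents.exe','My Videos.exe','My Music.exe','Important Documents.exe','Gerger_files.exe','drvspace.com' |
               ForEach-Object { "A:\$_" }
}

# --- Sweep -----------------------------------------------------------------
$hits = @()
foreach ($v in $iocValues) {
  $data = (Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue).($v.Name)
  if ($null -ne $data -and "$data" -like $v.Bad) { $hits += "REG  $($v.Key)\$($v.Name) = $data" }
}
foreach ($f in $iocFiles) {
  if (Test-Path -LiteralPath $f) { $hits += "FILE $f" }
}

if (-not $hits) { Write-Output 'No W32/Heiku indicators found.'; return }
$hits | ForEach-Object { Write-Output $_ }
if (-not $Remediate) { Write-Output 'Re-run with -Remediate to undo these changes.'; return }

# --- Remediate -------------------------------------------------------------
# 1. Stop the running copies before touching their files or Run entries.
Get-Process -Name filesrv32, EraleuH -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Remove the worm's values. DisableRegistryTools only blocks regedit.exe; the
#    PowerShell registry provider (like reg.exe) still works, so the lockout can be undone here.
foreach ($v in $iocValues) {
  if ($v.Name -eq '(default)' -or $v.Name -like '*Page') { continue }   # restored below instead
  Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
}

# 3. Restore what the worm replaced: stock folder icon, hidden-file display, IE pages.
$iconKey = 'HKLM:\SOFTWARE\Classes\Directory\DefaultIcon'
if (-not (Test-Path $iconKey)) { New-Item -Path $iconKey -Force | Out-Null }
Set-ItemProperty -Path $iconKey -Name '(default)' -Value '%SystemRoot%\System32\shell32.dll,3' -Type ExpandString
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name 'Hidden' -Value 1 -Type DWord
foreach ($n in 'Start Page','Local Page') {
  Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name $n -Value 'about:blank'
}

# 4. Delete the dropped files. The Desktop\User folder is left for the user to inspect.
foreach ($f in $iocFiles) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
Write-Output 'Rollback complete; log off and on again so Explorer re-reads the policy values.'
```

The script matches on the literal names in this description only, so it will not catch a variant that uses different file names or Run entries; treat it as a confirmation step, not a substitute for a scan with current DATs.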


Variants

    N/A

Aliases

  • W32.Heular (Symantec)