W32/Hadra@M

Type
Virus
SubType
E-mail
Discovery Date
06/08/2001
Length
12,249
Minimum DAT
4144 (06/20/2001)
Updated DAT
4317 (01/21/2004)
Minimum Engine
5.1.00
Description Added
06/15/2001
Description Modified
06/15/2001 9:59 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This mailing worm sends itself to mail recipients when ordinary mail is sent out via Microsoft Outlook. Upon sending an email message with no attachments, the worm attaches itself using a random 8-character name and an .EXE extension (15KB). If an attachment is present, the worm replaces that attachment with itself, keeping the same base name and substituting the .EXE extension for the original one. When a recipient executes this attachment, their machine is then used to propagate the virus, often without their knowledge. All new and sent mail items that contain the worm attachment are deleted by the worm.

On Friday the 13th between 1:00 PM and 2:00 PM the following text is prepended to the message body prior to sending:
[I-Worm.Hydra] ...by gl_st0rm of [mions]

When run, the worm copies itself to the WINDOWS directory as MSSERV.EXE and creates several registry run keys to load itself at startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\
Run\msservice=%WinDir%\msserv.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\
RunServices\msservice=%WinDir%\msserv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\msservice=%WinDir%\msserv.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\msservice=%WinDir%\msserv.exe

The MSCONFIG.EXE file is deleted, and each of the following processes is terminated immediately after it is loaded:

Amon
AntiVir
AVG
AVP Monitor
Dr.Web
F-Secure
F-STOPW
File Monitor
InoculateIT
Iomon98
navpw32
NOD32
Norman Virus Control
Norton AntiVirus
Registry Editor
Registry Monitor
Task Manager
Trend PC-cillin
vettray
Vshwin

The legitimate SETI (Search for Extraterrestrial Intelligence) client software is downloaded from one of the following FTP sites and then installed:

ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe

The SETI configuration files USER_INFO.SAH and VERSION.SAH are created in the WINDOWS directory. RUN_MSSETI.VBS and MSSETI.BAT are created in the WINDOWS directory, to run the SETI program. Two registry keys are created to run the VBScript at startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\
Run\msseti=WScript.exe %WinDir%\run_msseti.vbs

HKLM\Software\Microsoft\Windows\CurrentVersion\
RunServices\msseti=WScript.exe %WinDir%\run_msseti.vbs

Symptoms

- Presence of MSSERV.EXE, RUN_MSSETI.VBS, and/or MSSETI.BAT in the WINDOWS directory
- Messages sent via Outlook on an infected machine will not store copies of sent items, even with the proper mail settings
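The registry run keys and dropped files listed above are the host-side indicators a responder would look for. The following script is an added example, not part of the McAfee description: it takes a constructed Windows registry export (.reg text) and a constructed listing of the WINDOWS directory, and reports any Run/RunServices value or file that matches the worm's indicators. The sample registry text, file listing, and the `find_indicators`/`parse_reg_export` helper names are assumptions made for this example.

```python
"""Host-indicator check for W32/Hadra@M persistence and dropped files.

Added example, not part of the McAfee description. It works offline on a
constructed registry export (.reg text) and a constructed %WinDir% listing,
so it can be reviewed without access to an infected host.
"""
import re

# Indicators taken from the description: Run/RunServices value names and the
# payload each points at, plus the files the worm drops in %WinDir%.
RUN_KEY_RE = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunServices)$",
    re.IGNORECASE,
)
SUSPECT_VALUES = {
    "msservice": "msserv.exe",      # worm body loaded at startup
    "msseti": "run_msseti.vbs",     # VBScript that launches the SETI client
}
DROPPED_FILES = {"msserv.exe", "run_msseti.vbs", "msseti.bat",
                 "user_info.sah", "version.sah"}


def parse_reg_export(reg_text):
    """Return {key_path: {value_name: data}} from a minimal .reg export.

    Only the string-value form "name"="data" is handled, which is all the
    Run keys use; doubled backslashes in the data are collapsed.
    """
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_indicators(reg_text, windir_files):
    """Return a sorted list of human-readable findings (empty if clean)."""
    findings = []
    for key_path, values in parse_reg_export(reg_text).items():
        if not RUN_KEY_RE.match(key_path):
            continue
        for name, data in values.items():
            expected = SUSPECT_VALUES.get(name.lower())
            if expected and expected in data.lower():
                findings.append(f"autorun {key_path}\\{name} -> {data}")
    for fname in windir_files:
        if fname.lower() in DROPPED_FILES:
            findings.append(f"dropped file %WinDir%\\{fname}")
    return sorted(findings)


# Constructed sample input: one benign autorun entry alongside the worm's two.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msservice"="C:\\WINDOWS\\msserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msseti"="WScript.exe C:\\WINDOWS\\run_msseti.vbs"
'''
SAMPLE_WINDIR = ["explorer.exe", "MSSERV.EXE", "RUN_MSSETI.VBS", "win.ini"]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG, SAMPLE_WINDIR):
        print(finding)
```

On a real host the .reg text would come from `reg export` of the four key paths and the file list from the WINDOWS directory; the matching is case-insensitive because the description shows the names in both cases.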

Method of Infection

This worm sends itself to mail recipients when ordinary mail is sent out via Microsoft Outlook. The MSSERV service hooks the SEND MAIL action and modifies outgoing messages to include the worm as an attachment. Executing this attachment infects the local system, which is then used to propagate the virus.
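Because the worm rides on mail the user genuinely meant to send, the mail-side traits in the description are what a gateway or mailbox scan can key on: an .EXE attachment that either carries a random 8-character name or has replaced a legitimate attachment's extension, and the Friday-the-13th marker text at the start of the body. The script below is an added example, not part of the McAfee description; it parses constructed RFC 822 messages offline with Python's standard `email` package. The `build_message`/`assess_message` helper names and the sample addresses and attachment names are assumptions made for this example.

```python
"""Mail-side check for the W32/Hadra@M propagation pattern.

Added example, not part of the McAfee description. It inspects constructed
messages offline and reports the traits the description gives: an .EXE
attachment (random 8-character name, or a real attachment's name with .EXE
swapped in) and the marker text prepended to the body on Friday the 13th.
"""
import re
from email import message_from_string
from email.policy import default

# Marker text quoted in the description.
MARKER = "[I-Worm.Hydra] ...by gl_st0rm of [mions]"
# Random 8-character base name plus .EXE, as the description states.
RANDOM_EXE_RE = re.compile(r"^[a-z0-9]{8}\.exe$", re.IGNORECASE)


def assess_message(raw):
    """Return a list of reasons the message matches the worm's traits."""
    msg = message_from_string(raw, policy=default)
    reasons = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().lstrip().startswith(MARKER):
        reasons.append("body begins with the worm's marker text")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".exe"):
            continue
        if RANDOM_EXE_RE.match(name):
            reasons.append(f"random 8-character .EXE attachment: {name}")
        else:
            # A user-chosen base name with .EXE in place of the original
            # extension is the other shape the description gives.
            reasons.append(f"executable attachment: {name}")
    return reasons


def build_message(body_text, attachment_name, attachment_b64="TVqQAAMAAAAEAAAA"):
    """Build a constructed two-part message (text body + one attachment)."""
    return (
        "From: alice@example.com\n"
        "To: bob@example.com\n"
        "Subject: Q3 report\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        f"{body_text}\n"
        "--b1\n"
        f'Content-Type: application/octet-stream; name="{attachment_name}"\n'
        f'Content-Disposition: attachment; filename="{attachment_name}"\n'
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{attachment_b64}\n"
        "--b1--\n"
    )


# Constructed samples: a clean message, one whose attachment was swapped for
# the worm on a Friday the 13th, and one with a random-named attachment.
SAMPLE_CLEAN = build_message("Hi Bob, report attached.", "report.doc")
SAMPLE_SWAPPED = build_message(MARKER + "\nHi Bob, report attached.", "report.exe")
SAMPLE_RANDOM = build_message("Hi Bob.", "qx7k2m9a.exe")

if __name__ == "__main__":
    for label, raw in (("clean", SAMPLE_CLEAN), ("swapped", SAMPLE_SWAPPED),
                       ("random", SAMPLE_RANDOM)):
        print(label, assess_message(raw) or ["no match"])
```

The attachment check is deliberately broad: any .EXE on outgoing mail from a host that normally sends documents is worth a look, and the marker text only appears in the one-hour window the description gives, so it confirms rather than replaces the attachment check.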

Removal

All Windows Users:
Use current engine and DAT files for detection and removal.

Manual Removal Instructions

  • Restart the computer in MS-DOS mode
  • Delete the files mentioned
  • Restart Windows
  • Delete the registry keys as mentioned

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Hadra (F-Secure)
  • I-Worm.Hydra (AVP)
  • W32.Hyd@mm (NAV)
  • Win32.Hydra.12249 (CA)
