W32/Hunch.a@MM

Type: Virus
SubType: Win32
Discovery Date: 01/28/2002
Length: 151,552 bytes
Minimum DAT: 4184 (01/30/2002)
Updated DAT: 4241 (01/08/2003)
Minimum Engine: 5.1.00
Description Added: 01/28/2002
Description Modified: 04/08/2002 10:48 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

Before a named signature was available, this threat was detected heuristically with the 4140 DATs (or higher) as New Backdoor or New Worm when scanning with program heuristics enabled.

This mass-mailing worm sends itself to all addresses found in the Microsoft Outlook Address Book, copies itself to floppy diskettes, and deletes files on the local system. It arrives in an email message with the following characteristics:

Subject: File name of the executable attachment (varies).
Body: Mensaje importante para (recipient's name) en el archivo adjunto... (Spanish: "Important message for (recipient's name) in the attached file...")
Attachment: Infected executable, (varies).EXE

Running the attachment infects the local machine. A window containing an image is displayed.

The virus copies itself to the WINDOWS SYSTEM directory as THWIN.EXE and MSWORD.EXE. Two registry values, one under the Run key and one under the RunServices key, are created to load the virus at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run\THWIN=C:\WINDOWS\SYSTEM\THWIN.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices\THWIN=C:\WINDOWS\SYSTEM\THWIN.EXE
The virus deletes 5 files with any of the following extensions from the WINDOWS directory and its subdirectories:
  • BAK
  • BMP
  • CDX
  • CHM
  • DBF
  • DOC
  • DWG
  • GIF
  • HLP
  • HTM
  • ICO
  • JPG
  • MDB
  • MID
  • MP3
  • SCR
  • TTF
  • WAV
  • XLS
Periodically the virus saves a copy of itself to the root of A:\ under the name of an existing file on the drive with .EXE appended (i.e. if A:\temp.dll exists, the virus copies itself to A:\temp.dll.EXE). The original file is then set to hidden. A copy may also be saved as A:\UNSCH.doc.EXE.

The virus attempts to overwrite the AUTOEXEC.BAT file with the following instructions (/u requests an unconditional format, /v:UNSCH sets the volume label, and /autotest is an undocumented FORMAT switch that suppresses the confirmation prompt, so the intent is an unattended format of the C: drive at the next boot):

@echo off
DEL > FORMAT C: /u /v:UNSCH /autotest

Actions performed by the worm are logged to 2 files in the WINDOWS SYSTEM directory:

  • ListWin.txt (a log of the last 5 files that the virus deleted)
  • WinList.txt (a log of the filenames under which the virus copied itself to the A: drive)

Symptoms

Presence of the following files in the WINDOWS SYSTEM directory.

  • THWIN.EXE
  • MSWORD.EXE
  • ListWin.txt
  • WinList.txt
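As an added example that is not part of the original description, the following Python script turns the indicators above (the Run/RunServices startup hooks and the A:\ copy naming from the Characteristics, the dropped files and log files listed under Symptoms, and the AUTOEXEC.BAT payload) into an offline triage check over artifacts an analyst would collect from a suspect machine: a regedit export, a listing of the WINDOWS SYSTEM directory, the contents of AUTOEXEC.BAT and a listing of the floppy root. The function names are mine and the embedded sample artifacts are constructed for illustration, not captured from an infection.

```python
import re

# Indicators taken from the description on this page.
DROPPED_FILES = {"thwin.exe", "msword.exe", "listwin.txt", "winlist.txt"}
# Only the two startup keys the description names; extend for other autorun locations.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# name.ext.EXE: the naming the worm uses for its copies on the A: drive (also UNSCH.doc.EXE).
# This is a heuristic; legitimate names such as setup.v2.exe match too, so verify each hit.
FLOPPY_COPY_RE = re.compile(r"^.+\.[A-Za-z0-9]+\.exe$", re.IGNORECASE)
FORMAT_RE = re.compile(r"\bFORMAT\s+C:", re.IGNORECASE)


def check_registry_export(reg_text):
    """Parse a regedit export and return (key, name, data) for Run/RunServices
    values that launch THWIN.EXE."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if current_key not in RUN_KEYS or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = name.strip('"')
        data = data.strip('"').replace("\\\\", "\\")  # .reg files double the backslashes
        if name.lower() == "thwin" or data.lower().endswith("\\thwin.exe"):
            hits.append((current_key, name, data))
    return hits


def check_system_dir(filenames):
    """Return the dropped executables and log files present in the SYSTEM directory."""
    return sorted(f for f in filenames if f.lower() in DROPPED_FILES)


def check_autoexec(text):
    """Return AUTOEXEC.BAT lines that would format C: at the next boot."""
    return [line for line in text.splitlines() if FORMAT_RE.search(line)]


def check_floppy(filenames):
    """Flag name.ext.EXE files on the A: drive and whether the original name.ext
    is still listed. The worm hides the original, so a listing that omits hidden
    files shows only the .EXE copy; every match is worth a look, not proof."""
    present = {f.lower() for f in filenames}
    return [(f, f[:-4].lower() in present) for f in filenames if FLOPPY_COPY_RE.match(f)]


def triage(reg_text, system_files, autoexec_text, floppy_files):
    """Run all four checks; 'infected' is True when a startup hook or dropped file is seen."""
    result = {
        "run_keys": check_registry_export(reg_text),
        "dropped_files": check_system_dir(system_files),
        "autoexec": check_autoexec(autoexec_text),
        "floppy_copies": check_floppy(floppy_files),
    }
    result["infected"] = bool(result["run_keys"] or result["dropped_files"])
    return result


# Constructed sample artifacts (Windows 9x layout, as in the description).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"THWIN"="C:\\WINDOWS\\SYSTEM\\THWIN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"THWIN"="C:\\WINDOWS\\SYSTEM\\THWIN.EXE"
'''
SAMPLE_SYSTEM_DIR = ["KERNEL32.DLL", "THWIN.EXE", "MSWORD.EXE", "ListWin.txt", "WinList.txt", "USER32.DLL"]
SAMPLE_AUTOEXEC = "@echo off\nDEL > FORMAT C: /u /v:UNSCH /autotest\n"
SAMPLE_FLOPPY = ["temp.dll", "temp.dll.EXE", "UNSCH.doc.EXE", "README.TXT", "setup.exe"]

if __name__ == "__main__":
    report = triage(SAMPLE_REG, SAMPLE_SYSTEM_DIR, SAMPLE_AUTOEXEC, SAMPLE_FLOPPY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live Windows 9x/ME machine the inputs correspond to `regedit /e` of the CurrentVersion key, `dir /a C:\WINDOWS\SYSTEM`, `type C:\AUTOEXEC.BAT` and `dir /a A:\`; the /a switch matters for the floppy listing because the worm hides the original file.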
Method of Infection

Executing this virus causes it to send itself to all addresses found in the Microsoft Outlook Address Book and to copy itself to the A: drive. Files in the WINDOWS directory and its subdirectories are deleted.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Hunch (AVP)
  • W32.Hunch@mm (NAV)
  • W32/Hunch (Panda)
  • W32/Hunch.b@MM
  • W32/Hunch@MM
  • Win32.Hunch (CA)
  • Worm/Hunch.B (AVX)
  • WORM_HUNCH.A (Trend)
