
W32/Hobbit.b@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 10/02/2002
Length: 23,040 bytes
Minimum DAT: 4228 (10/09/2002)
Updated DAT: 4412 (12/08/2004)
Minimum Engine: 5.1.00
Description Added: 10/03/2002
Description Modified: 10/09/2002 5:04 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low


Characteristics

This threat was detected generically as New Worm or New Backdoor by the 4127-4227 DATs when compressed files were scanned with program heuristics enabled. Named detection was added in the 4228 DATs.

Written in Visual Basic, this worm spreads by mailing itself to addresses harvested from cached web pages (Temporary Internet Files) and the Outlook address book, and by placing copies of itself in the KaZaa peer-to-peer shared folder. Its source code has been released, so multiple compiled builds of the worm exist.

The worm arrives in an email message with the following characteristics:

From: varies, but may be AntiVirus@Nai.com
Subject: AntiVirus Updates:
Body: A Removal to scan for the new BugBear Virus. Recommended by%senders name% (the sender's name follows the word "by" with no space)

Attachments: two files, one from the following list (almost all .theme files) and one of the non-.theme files listed after it

  • aCe1.theme
  • AddamsFamily.them
  • BackstreetBoys.theme
  • BritneySpearsNude.theme
  • ChristinaAguilera.theme
  • CourtneyCoxNude.theme
  • Credit Cards.exe
  • DragonballZ.theme
  • DrNo.theme
  • Goldfinger.theme
  • Hackers.theme
  • JamesBond.theme
  • kn0x.theme
  • LearnHTML.zip
  • LordoftheRings.theme
  • MichelleBranch.theme
  • NicoleKidmanF**k.theme
  • NSync.theme
  • PlayboyCenterFolds.theme
  • SamuraiX.theme
  • Shakira Nude.theme
  • Shrek.theme
  • StarWars.theme
  • temp.theme
  • TheHives.theme
  • XXX.theme

The second attachment uses one of the following names with a .bat, .exe, .pif, or .scr extension:

  • Anti 0190 Dialer
  • Bearshare_Fix
  • Beyond_FF11
  • Borland Delphi 6 Key
  • Borland Delphi(all) Crack
  • Britney Spears Nude
  • Claudia_Schiffer
  • Cube Emulator
  • Edonkey_Fix
  • Email Bomber
  • Final_Fantasy10
  • Flock_Update
  • FTP Cracker
  • FullSpeed
  • Hotmail Hacker Tool
  • I-Explorer7.0
  • Jenifer Lopez Naked
  • Kaza_Fix
  • Kaza_Lite_Update_Fix
  • McAffea_KeyGen
  • Morpheus_Update_Fix
  • New_Napster_Clone
  • Pamela_Live_F**king
  • Ps2 Crack
  • Ps2 Emulator
  • Reboot
  • Shakira Nude
  • Symantec_KeyGen
  • WinMx Hack
  • WinXP_Crack
  • XBox Emulator

One of the above-mentioned files may instead be delivered inside a .ZIP archive with one of the following names (the .ZIP may be corrupted):

  • AlexanderGrahamBellSecrets
  • CIASecrets
  • CounterStrikeCheats
  • CplusplusUnleashed
  • CreditCardNumbers
  • CreditCards
  • DisneyBedTimeStories
  • EroticStories
  • Hacking101
  • JokeForTheDay
  • LearnCSharp
  • LearnHTML
  • LearnKylix
  • LearnPHP
  • LearnVisualBasic.NET
  • LearnVisualBasic
  • LearnVisualC
  • LearnVisualFoxPro
  • MakeMillions
  • NewsweekSeptemberEditionCompressed
  • NikolaTeslaNotes
  • Phreaking
  • SecretsOfAlbertEinstein
  • SecretsOfMicrosoftdotNET
  • StephenKingUnreleasedNotes
  • ThomasEdisonSecrets
  • TipsOnMakingYourPartnerWild
  • TroubleshootingyourComputer
  • VirusWriting
  • YouWantToBeAMillionaire
When one of the .BAT, .EXE, .PIF, or .SCR files is run, the worm copies itself to the %WinDir% directory as Shizzle.exe and creates a registry Run value so that the worm is loaded at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "WinSrv"=C:\WINDOWS\Shizzle.exe
The .theme files attached to the message are also dropped on the infected system. Each is not a theme at all but a 21-byte batch file (two CRLF-terminated lines) containing:

@echo off
ctty nul

(ctty nul detaches the command interpreter from the console, so nothing that follows is displayed.)

The worm carries a payload that uses PING to mount a denial of service (ping flood) against www.dokfleed.net.
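The lure described above reduces to a handful of static indicators: the subject line, the body phrase with its missing space, the .theme/.zip/executable attachment names, and the 21-byte batch file inside every .theme. The following script is an added example, not code from the original description or from McAfee: it parses an RFC 822 message with Python's standard email module and reports which of those indicators hit. The sample message at the bottom is constructed for the demo (sender, recipient and the "jdoe" name are assumptions), and the .theme attachment carries the real 21-byte dropper content so the content match can be exercised.

```python
"""Mail-gateway triage for the W32/Hobbit.b@MM lure (added example, not from the page)."""
import re
from email import message_from_string
from email.message import Message

LURE_SUBJECT = "AntiVirus Updates:"
# The description notes there is no space after "by", hence the \S right after it.
LURE_BODY_RE = re.compile(r"A Removal to scan for the new BugBear Virus\. Recommended by\S", re.I)
DROPPER_BAT = b"@echo off\r\nctty nul\r\n"          # the 21-byte BAT inside each .theme
EXEC_EXTS = {".bat", ".exe", ".pif", ".scr"}


def _names(block: str) -> set:
    """Turn a '|'/newline-separated name block into a lower-cased set."""
    return {n.strip().lower() for n in block.replace("\n", "|").split("|") if n.strip()}


EXEC_STEMS = _names("""Anti 0190 Dialer|Bearshare_Fix|Beyond_FF11|Borland Delphi 6 Key
Borland Delphi(all) Crack|Britney Spears Nude|Claudia_Schiffer|Cube Emulator|Edonkey_Fix
Email Bomber|Final_Fantasy10|Flock_Update|FTP Cracker|FullSpeed|Hotmail Hacker Tool
I-Explorer7.0|Jenifer Lopez Naked|Kaza_Fix|Kaza_Lite_Update_Fix|McAffea_KeyGen
Morpheus_Update_Fix|New_Napster_Clone|Pamela_Live_F**king|Ps2 Crack|Ps2 Emulator|Reboot
Shakira Nude|Symantec_KeyGen|WinMx Hack|WinXP_Crack|XBox Emulator""")
ZIP_STEMS = _names("""AlexanderGrahamBellSecrets|CIASecrets|CounterStrikeCheats
CplusplusUnleashed|CreditCardNumbers|CreditCards|DisneyBedTimeStories|EroticStories
Hacking101|JokeForTheDay|LearnCSharp|LearnHTML|LearnKylix|LearnPHP|LearnVisualBasic.NET
LearnVisualBasic|LearnVisualC|LearnVisualFoxPro|MakeMillions
NewsweekSeptemberEditionCompressed|NikolaTeslaNotes|Phreaking|SecretsOfAlbertEinstein
SecretsOfMicrosoftdotNET|StephenKingUnreleasedNotes|ThomasEdisonSecrets
TipsOnMakingYourPartnerWild|TroubleshootingyourComputer|VirusWriting|YouWantToBeAMillionaire""")


def split_name(filename: str) -> tuple:
    """Lower-cased (stem, extension); the extension keeps its dot, '' if absent."""
    stem, dot, ext = filename.rpartition(".")
    return (filename.lower(), "") if not dot else (stem.lower(), "." + ext.lower())


def classify_attachment(part: Message):
    """Indicator tag for one MIME part, or None when it is not one of the lure files."""
    filename = part.get_filename()
    if not filename:
        return None
    stem, ext = split_name(filename)
    if ext == ".theme":
        payload = part.get_payload(decode=True) or b""
        # A content match on the dropper is the strongest signal; a bare .theme name is weaker.
        return f"theme-dropper:{filename}" if payload == DROPPER_BAT else f"theme:{filename}"
    if ext in EXEC_EXTS and stem in EXEC_STEMS:
        return f"exec:{filename}"
    if ext == ".zip" and stem in ZIP_STEMS:
        return f"zip:{filename}"
    return None


def triage_message(raw: str) -> dict:
    """Return the indicators hit and a verdict for one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if msg.get("Subject", "").strip() == LURE_SUBJECT:
        hits.append("subject")
    body = b"".join(
        (p.get_payload(decode=True) or b"")
        for p in msg.walk()
        if p.get_content_type() == "text/plain" and not p.get_filename()
    ).decode("latin-1")
    if LURE_BODY_RE.search(body):
        hits.append("body")
    hits.extend(tag for tag in (classify_attachment(p) for p in msg.walk()) if tag)
    lure_text = "subject" in hits or "body" in hits
    lure_files = any(h.startswith(("theme", "exec", "zip")) for h in hits)
    verdict = "W32/Hobbit.b@MM lure" if lure_text and lure_files else "no match"
    return {"hits": hits, "verdict": verdict}


# Constructed sample message (addresses and the "jdoe" name are invented for the demo).
SAMPLE_MESSAGE = """\
From: AntiVirus@Nai.com
To: victim@example.com
Subject: AntiVirus Updates:
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A Removal to scan for the new BugBear Virus. Recommended byjdoe
--b1
Content-Disposition: attachment; filename="StarWars.theme"
Content-Transfer-Encoding: base64

QGVjaG8gb2ZmDQpjdHR5IG51bA0K
--b1
Content-Disposition: attachment; filename="Kaza_Fix.pif"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MESSAGE))
```

The verdict requires both a lure-text hit and a lure-file hit, so a legitimate mail that happens to carry a real .theme file is not flagged on the name alone; the dropper content match is the indicator to alert on by itself if you prefer a stricter single-signal rule.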

Symptoms

A moment after the worm is run, a message box is displayed:

kn0x 0wnz System Not Infected with Bugbear

The worm copies itself to the following directories if they exist (the KaZaa shared folder, so the copies are offered to other peer-to-peer users):
  • \PROGRAM FILES\KAZAA\MY SHARED FOLDER
  • \KAZAA\MY SHARED FOLDER
The following filenames are used:
  • All GamesHack.exe
  • HotMailHack.exe
  • ICQ Password Hack.exe
  • Macromedia Flash MX.exe
  • Swat 3 Full Download.exe
  • Tacony.exe
  • Unreal Tournament 3 FullDownloader.exe
  • WarCraft III Full.exe
  • WIN XPCrack.exe
The worm also has a payload that applies a system policy that hides the desktop.

Method of Infection

The worm gathers email addresses from the Outlook address book and from "mailto" links in cached web pages (*.html). The harvested addresses are written to the file EMAIL.TXT in the current directory. The worm then attempts to send itself to these addresses using MAPI and its own SMTP engine, taking the default SMTP server from the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
    Accounts\00000001\SMTP Server
The worm also attempts to download a file from a remote URL (in the mirror.ac.uk domain) and save it locally as ZIPPY.EXE. This is presumably a ZIP utility used to produce the .ZIP copy of the worm for mailing.
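The host-side indicators in the Symptoms and Method of Infection sections (Shizzle.exe in the Windows directory, the WinSrv Run value, the KaZaa share copies, the dropped 21-byte .theme files, the EMAIL.TXT harvest file) can be checked with a short script. The one below is an added example, not part of the original description or McAfee's removal tooling. It walks a drive root and parses the text of `reg query ... /s`; the lab tree and the registry output it runs against are constructed for the demo. The description does not name the desktop-hiding policy value, so the NoDesktop check is an assumption based on the standard Explorer policy with that effect.

```python
"""Host triage for the W32/Hobbit.b@MM indicators (added example, not from the page)."""
import re
import tempfile
from pathlib import Path

SHIZZLE = "shizzle.exe"
DROPPER_BAT = b"@echo off\r\nctty nul\r\n"   # the 21-byte BAT inside each dropped .theme
KAZAA_SHARE_NAMES = {n.lower() for n in (
    "All GamesHack.exe", "HotMailHack.exe", "ICQ Password Hack.exe", "Macromedia Flash MX.exe",
    "Swat 3 Full Download.exe", "Tacony.exe", "Unreal Tournament 3 FullDownloader.exe",
    "WarCraft III Full.exe", "WIN XPCrack.exe")}

# One `reg query` value line: "<name> <REG_type> <data>". Value names containing spaces
# would need a smarter split; none of the indicators here have one.
REG_LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.+?)\s*$")


def registry_hits(reg_query_text: str) -> list:
    """Flag the worm's Run value and (assumption) the Explorer NoDesktop policy.

    The description only says 'a system policy that hides the desktop'; NoDesktop=1 under
    ...\\Policies\\Explorer is the standard Explorer policy with that effect.
    """
    hits = []
    for line in reg_query_text.splitlines():
        m = REG_LINE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if name.lower() == "winsrv" or data.strip('"').lower().endswith(SHIZZLE):
            hits.append(("run", name, data))
        elif name.lower() == "nodesktop" and m.group("type") == "REG_DWORD" and int(data, 16):
            hits.append(("policy", name, data))
    return hits


def scan_tree(root: Path) -> dict:
    """Walk a drive (or lab tree) and collect the file-system indicators."""
    found = {"shizzle": [], "share_copies": [], "theme_droppers": [], "email_txt": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        rel = str(path.relative_to(root))
        if name == SHIZZLE:
            found["shizzle"].append(rel)
        elif name in KAZAA_SHARE_NAMES and path.parent.name.lower() == "my shared folder":
            found["share_copies"].append(rel)
        elif (path.suffix.lower() == ".theme" and path.stat().st_size == len(DROPPER_BAT)
              and path.read_bytes() == DROPPER_BAT):
            found["theme_droppers"].append(rel)
        elif name == "email.txt":            # weak indicator: harvested-address file, review by hand
            found["email_txt"].append(rel)
    return found


def build_lab_tree(root: Path) -> None:
    """Constructed sample layout mirroring the description; executables are stand-ins."""
    (root / "WINDOWS").mkdir()
    (root / "WINDOWS" / "Shizzle.exe").write_bytes(b"MZ stand-in")
    (root / "WINDOWS" / "StarWars.theme").write_bytes(DROPPER_BAT)
    (root / "WINDOWS" / "Classic.theme").write_bytes(b"[Theme]\r\nDisplayName=legit\r\n")
    share = root / "Program Files" / "KaZaA" / "My Shared Folder"
    share.mkdir(parents=True)
    (share / "HotMailHack.exe").write_bytes(b"MZ stand-in")
    (share / "holiday.mp3").write_bytes(b"not an indicator")


# Constructed `reg query` output; the SoundMan entry is a benign decoy.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    WinSrv    REG_SZ    C:\WINDOWS\Shizzle.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDesktop    REG_DWORD    0x1
"""


def demo() -> dict:
    """Build the lab tree in a temp dir, scan it, and parse the sample registry dump."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_lab_tree(root)
        return {"files": scan_tree(root), "registry": registry_hits(SAMPLE_REG_QUERY)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

On a real host, run `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer`, feed the combined output to registry_hits(), and point scan_tree() at each drive root. Because the worm re-creates its Run value on execution, kill the Shizzle.exe process before removing the value and the file.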

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations: on these versions System Restore can keep a copy of the worm in a restore point and bring it back after cleaning, so turn System Restore off before cleaning and back on afterwards.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.