W32/Hobbit.c@MM

Type
Virus
SubType
E-mail worm
Discovery Date
10/04/2002
Length
61,440 bytes
Minimum DAT
4228 (10/09/2002)
Updated DAT
4412 (12/08/2004)
Minimum Engine
5.1.00
Description Added
10/09/2002
Description Modified
10/09/2002 5:33 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This threat is detected as New Worm or New Backdoor by the 4127-4227 DATs when compressed files are scanned with program heuristics enabled. Named detection was added in the 4228 DATs.

Written in Visual Basic, this virus attempts to spread by mailing itself to email addresses extracted from the Temporary Internet Files cache and by sharing itself over the KaZaa peer-to-peer file-sharing network. The original source code has been released, leading to multiple compilations of this virus.

This worm arrives in an email message containing the following text:

This is a fix and removal for the new internet worm known as BugBear. 1 in ever 4 computers in infected with this virus.
When run, it will scan your computer and notify you if you're infected or not, then clean if infected Anti-Bug.exe

When the attachment is run, the worm copies itself to the %WinDir% directory as Shizzle.exe and Anti-Bug.exe. A registry run key is created to load the worm at startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    Run "WinSrv"=C:\WINDOWS\Shizzle.exe
The virus contains a payload that uses PING to launch a Denial of Service attack against www.dokfleed.net.

Symptoms

The worm contains code to display a message box (this did not occur during testing):

kn0x 0wnz System Not Infected with Bugbear

The virus contains code to save copies of itself to the following directories if they exist (this also did not occur during testing):
  • \PROGRAM FILES\KAZAA\MY SHARED FOLDER
  • \KAZAA\MY SHARED FOLDER
The following filenames are used:
  • All GamesHack.exe
  • HotMailHack.exe
  • ICQ Password Hack.exe
  • Macromedia Flash MX.exe
  • Swat 3 Full Download.exe
  • Tacony.exe
  • Unreal Tournament 3 FullDownloader.exe
  • WarCraft III Full.exe
  • WIN XPCrack.exe
The virus has a payload to apply a system policy that hides the desktop.
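The indicators above (the WinSrv Run value, the copies dropped into %WinDir%, the EMAIL.TXT harvest file and the KaZaa share filenames) can be checked mechanically. The following Python triage routine is an added example written for this page, not McAfee's or the worm's code. It runs over a constructed Run-key dump and file listing that stand in for what a responder would pull from the suspect machine with winreg and os.walk; the sample paths and the C:\WINDOWS default for %WinDir% are assumptions.

```python
"""Added triage example for the W32/Hobbit.c@MM indicators described on this page.

Constructed input: RUN_VALUES stands in for a dump of the
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key and FILES for a
recursive directory listing; on a live host fill them with winreg and os.walk.
"""
import ntpath

# Indicators taken from the description above (compared case-insensitively).
RUN_VALUE_NAME = "winsrv"
DROPPED_NAMES = {"shizzle.exe", "anti-bug.exe"}          # copied into %WinDir%
HARVEST_FILE = "email.txt"                                # harvested addresses (weak indicator)
KAZAA_DIRS = (r"\program files\kazaa\my shared folder",   # matched as path suffixes
              r"\kazaa\my shared folder")
KAZAA_NAMES = {
    "all gameshack.exe", "hotmailhack.exe", "icq password hack.exe",
    "macromedia flash mx.exe", "swat 3 full download.exe", "tacony.exe",
    "unreal tournament 3 fulldownloader.exe", "warcraft iii full.exe",
    "win xpcrack.exe",
}


def check_run_key(run_values):
    """Flag the WinSrv autostart value, or any Run value whose target is a dropped name."""
    hits = []
    for name, target in run_values.items():
        base = ntpath.basename(target.strip('"')).lower()
        if name.lower() == RUN_VALUE_NAME or base in DROPPED_NAMES:
            hits.append(f"Run\\{name} = {target}")
    return hits


def check_files(files, windir):
    """Sort paths into dropped copies, KaZaa share copies and EMAIL.TXT candidates."""
    dropped, kazaa, email_txt = [], [], []
    windir_l = windir.lower().rstrip("\\")
    for path in files:
        directory, base = ntpath.split(path.lower())
        if directory == windir_l and base in DROPPED_NAMES:
            dropped.append(path)
        elif base in KAZAA_NAMES and directory.endswith(KAZAA_DIRS):
            kazaa.append(path)
        elif base == HARVEST_FILE:
            # EMAIL.TXT lands in the worm's current directory, which is not fixed,
            # and the name is generic: report it for inspection, not as proof.
            email_txt.append(path)
    return dropped, kazaa, email_txt


def triage(run_values, files, windir=r"C:\WINDOWS"):
    """Return a report; 'infected' is set only by the strong indicators."""
    dropped, kazaa, email_txt = check_files(files, windir)
    report = {
        "run_key": check_run_key(run_values),
        "dropped": dropped,
        "kazaa": kazaa,
        "email_txt": email_txt,
    }
    report["infected"] = bool(report["run_key"] or dropped or kazaa)
    return report


# Constructed sample data, not taken from a real host.
RUN_VALUES = {"WinSrv": r"C:\WINDOWS\Shizzle.exe", "SystemTray": "SysTray.Exe"}
FILES = [
    r"C:\WINDOWS\Shizzle.exe",
    r"C:\WINDOWS\Anti-Bug.exe",
    r"C:\WINDOWS\EMAIL.TXT",
    r"C:\WINDOWS\NOTEPAD.EXE",
    r"C:\Program Files\KaZaA\My Shared Folder\WarCraft III Full.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\holiday.mp3",
    r"C:\Downloads\EMAIL.TXT",
]

if __name__ == "__main__":
    for key, value in triage(RUN_VALUES, FILES).items():
        print(f"{key}: {value}")
```

The Run value is matched both by name (WinSrv) and by target filename, since other compilations of the released source may register under a different value name while still dropping Shizzle.exe. EMAIL.TXT is kept out of the infected verdict on purpose: it is a common filename and its location depends on where the attachment was launched.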

Method of Infection

The worm gathers email addresses from the Outlook Address Book and from "mailto" links contained in cached Internet web pages (*.html). The harvested addresses are stored in the file EMAIL.TXT in the current directory. The worm attempts to send itself to these addresses via MAPI and via its own SMTP engine, which reads the default SMTP server from the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\
    Accounts\00000001\SMTP Server
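To make the harvesting step concrete, here is an added example (a reconstruction written for this page, not the worm's source) of extracting addresses from "mailto:" links in cached *.html pages, as the paragraph describes. It also handles the edge cases a real cached page throws up: header parameters after "?", comma-separated recipients, percent-encoding, and duplicates that differ only in case. The sample pages are constructed, and the one-address-per-line EMAIL.TXT layout is an assumption, since the page does not document the file's format.

```python
"""Added example: reconstruction of the "mailto:" harvesting step described above.

Not the worm's source. Sample pages are constructed; the one-address-per-line
EMAIL.TXT layout is an assumption (the page does not document the file format).
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Permissive address shape: enough to drop "mailto:" targets that are not addresses.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def split_mailto(href):
    """'mailto:a@x.com,b@y.org?subject=hi' -> ['a@x.com', 'b@y.org'].

    Drops header parameters after '?', splits comma-separated recipients and
    percent-decodes each part (RFC 6068 allows e.g. %40 in place of '@')."""
    target = href.split(":", 1)[1].split("?", 1)[0]
    addresses = []
    for part in target.split(","):
        addr = unquote(part).strip()
        if EMAIL_RE.match(addr):
            addresses.append(addr)
    return addresses


class MailtoHarvester(HTMLParser):
    """Collects the addresses from every <a href="mailto:..."> in one page."""

    def __init__(self):
        super().__init__()
        self.addresses = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                self.addresses.extend(split_mailto(value))


def harvest(pages):
    """Unique addresses across all pages; case-insensitive, first spelling kept."""
    seen = {}
    for html in pages:
        parser = MailtoHarvester()
        parser.feed(html)
        parser.close()
        for addr in parser.addresses:
            seen.setdefault(addr.lower(), addr)
    return list(seen.values())


def email_txt(addresses):
    """Text the worm would write to EMAIL.TXT (assumed layout: one address per line)."""
    return "".join(addr + "\n" for addr in addresses)


# Constructed sample of cached *.html content, not taken from a real cache.
SAMPLE_PAGES = [
    '<html><body><a href="mailto:alice@example.com">Alice</a> '
    '<a href="MAILTO:Bob@Example.org?subject=Hello%20there">Bob</a> '
    '<a href="http://example.com/contact">contact</a></body></html>',
    '<p>Write to <a href="mailto:carol@example.net,alice@EXAMPLE.com">us</a> '
    'or <a href="mailto:not an address">here</a>.</p>',
]

if __name__ == "__main__":
    print(email_txt(harvest(SAMPLE_PAGES)), end="")
```

Running this over a copy of a user's browser cache shows which correspondents would have received the lure from that machine, which is useful when notifying recipients after an infection.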

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Win32.Hobbit.G (CA)
