
This worm arrives on a system as an attachment to a spammed email message. The attachment is a password-protected .ZIP file that contains the worm executable together with a non-malicious binary carrying a .DLL extension.

Upon execution, it drops the following files into a folder named HIDN, which it creates under %Application Data%:

* HIDN2.EXE - copy of itself
* HLDRRR.EXE - copy of itself
* M_HOOK.SYS - detected as TROJ_ROOTSERV.A

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003. On Windows Vista and later the same folder is C:\Users\{user name}\AppData\Roaming, which is where the HIDN folder would be created on a newer system.)

It creates the following registry entry so that its copy is executed at every Windows startup (the value data is the dropped copy; the key is per-user, so it can be written without administrative rights):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
drv_st_key = "%Application Data%\hidn\hidn2.exe"

It also creates the following registry key and value as an installation marker, which it can use to tell a first run from a re-execution:

HKEY_CURRENT_USER\SOFTWARE\FirstRuxzx
FirstRu21n = dword:00000001
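The dropped files and registry entries above are the host-side indicators a responder would look for. The following script is an added example, not code from the original description or from the vendor: it parses a `reg export` dump of HKCU and a file listing and flags the `drv_st_key` autostart value, the `FirstRuxzx` marker key and the three files inside a `hidn` folder. The sample export is constructed; the user name `alice`, the `ctfmon.exe` entry and the parser's handling of only string and dword values are assumptions.

```python
import re
from typing import Dict, List

# Added example (not from the original description): parse a `reg export`
# dump and a file listing and flag the indicators described above.

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY_SUFFIX = r"\software\firstruxzx"          # compared case-insensitively
DROPPED_FILES = ("hidn2.exe", "hldrrr.exe", "m_hook.sys")

# Constructed sample of what `reg export HKCU\Software hkcu.reg` could contain
# for an infected profile. The user name and the ctfmon entry are assumptions.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"drv_st_key"="C:\\Documents and Settings\\alice\\Application Data\\hidn\\hidn2.exe"

[HKEY_CURRENT_USER\SOFTWARE\FirstRuxzx]
"FirstRu21n"=dword:00000001
"""

# "name"=data or @=data; the name may contain escaped quotes and backslashes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax that `reg export` writes: [key] headers,
    "name"="string" values (backslashes and quotes escaped) and dword:/hex:
    values, which are kept as their raw text. Continuation lines of long hex:
    values are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(2) else m.group(1)
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def find_registry_iocs(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per matching autostart value or installation-marker key."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(MARKER_KEY_SUFFIX):
            findings.append(f"installation marker key present: {key} ({', '.join(values) or 'no values'})")
        if k.endswith(r"\currentversion\run"):
            for name, data in values.items():
                d = data.lower()
                if name.lower() == "drv_st_key" or "\\hidn\\" in d or d.endswith(DROPPED_FILES):
                    findings.append(f"autostart value {key}\\{name} = {data}")
    return findings


def find_file_iocs(paths: List[str]) -> List[str]:
    """Paths that are one of the dropped files inside a folder named hidn."""
    hits: List[str] = []
    for p in paths:
        norm = p.lower().replace("/", "\\")
        if "\\hidn\\" in norm and norm.rsplit("\\", 1)[-1] in DROPPED_FILES:
            hits.append(p)
    return hits


if __name__ == "__main__":
    for f in find_registry_iocs(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("REGISTRY:", f)
    # Constructed listing, e.g. from `dir /s /b "%APPDATA%"` on the suspect host.
    listing = [
        r"C:\Documents and Settings\alice\Application Data\hidn\HLDRRR.EXE",
        r"C:\WINDOWS\system32\drivers\mouclass.sys",
    ]
    for f in find_file_iocs(listing):
        print("FILE:", f)
```

The checks are deliberately case-insensitive and match on the `hidn` folder plus file name rather than on the full path, because the profile root differs between Windows versions as the note above explains. A `.reg` export is used instead of live `winreg` calls so the same logic runs on an offline triage box against a dump collected from the infected machine.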

Propagation via Email

This worm propagates by sending copies of itself as attachments to email messages addressed to its target email addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Because it carries its own SMTP engine, it does not need an installed mail client such as Microsoft Outlook to send, and the outbound messages leave no trace in the user's mail client.

Below is a sample of the email message that it sends out:

Subject: (any of the following)

• price_new{current date}
• price_{current date}
• price

Message body: (any of the following)

• It Is Protected
• thank you !!!
• New year’s discounts

Attachment: (any of the following)

• new_price{current date}.zip
• price_list{current date}.zip
• latest_price{current date}.zip

The .ZIP file contains a non-malicious, randomly named .DLL file and the malicious .EXE file. Because the archive is password-protected, a gateway or desktop scanner that cannot open it never sees the .EXE; the malicious file is only exposed once the recipient extracts it.
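Since the payload itself cannot be scanned inside the encrypted archive, the practical gateway control is to key on what is visible: the subject and body lures, the attachment name, the "encrypted" flag in the ZIP directory and the .EXE-plus-.DLL layout. The script below is an added example, not code from the original description: it scores a message on those signals. The subject, body and attachment-name patterns come from the text above; the date format (digits, dots or dashes), the scoring weights, the quarantine threshold and the constructed sample archives are assumptions. Python's `zipfile` cannot write encrypted archives, so the sample builder sets the encryption flag bit in the headers after writing, which is enough for a check that only reads the directory.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Added example (not from the original description): a mail-gateway check for
# the lure described above. Date format, weights and threshold are assumptions.

LURE_SUBJECT_RE = re.compile(r"^price(?:_new|_)?[\d.\-]*$", re.IGNORECASE)
LURE_ATTACHMENT_RE = re.compile(r"^(?:new_price|price_list|latest_price)[\d.\-]*\.zip$", re.IGNORECASE)
LURE_BODIES = {"it is protected", "thank you !!!", "new year's discounts"}
QUARANTINE_THRESHOLD = 3          # assumed policy: three independent signals
ENCRYPTED_FLAG = 0x0001           # general-purpose flag bit 0 of the ZIP format


def build_sample_zip(members: Dict[str, bytes], encrypted: bool) -> bytes:
    """Build a constructed sample archive. With encrypted=True the 'encrypted'
    flag bit is patched into every local file header (flags at offset 6) and
    central directory entry (flags at offset 8); the data is NOT actually
    encrypted, which is enough to exercise a directory-only scanner."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            while pos != -1:
                raw[pos + flag_off] |= ENCRYPTED_FLAG
                pos = raw.find(sig, pos + 4)
    return bytes(raw)


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Reasons this attachment resembles the worm's lure archive."""
    reasons: List[str] = []
    if LURE_ATTACHMENT_RE.match(filename):
        reasons.append(f"attachment name matches lure pattern: {filename}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return reasons                      # not a zip: only the name signal applies
    infos = zf.infolist()                   # reads the central directory only
    if any(info.flag_bits & ENCRYPTED_FLAG for info in infos):
        reasons.append("archive is password-protected: content cannot be scanned at the gateway")
    names = [info.filename.lower() for info in infos]
    if any(n.endswith(".exe") for n in names) and any(n.endswith(".dll") for n in names):
        reasons.append("archive pairs an .exe with a .dll, the layout described for this worm")
    return reasons


def classify_message(subject: str, body: str, attachments: List[Tuple[str, bytes]]) -> Tuple[str, List[str]]:
    """Score subject, body and attachments; return (verdict, reasons)."""
    reasons: List[str] = []
    if LURE_SUBJECT_RE.match(subject.strip()):
        reasons.append(f"subject matches lure pattern: {subject!r}")
    if body.strip().lower() in LURE_BODIES:
        reasons.append(f"body is one of the known lure texts: {body.strip()!r}")
    for name, data in attachments:
        reasons.extend(inspect_attachment(name, data))
    if len(reasons) >= QUARANTINE_THRESHOLD:
        return "quarantine", reasons
    return ("flag" if reasons else "deliver"), reasons


if __name__ == "__main__":
    # Constructed lure: random-looking .dll beside the worm .exe, marked encrypted.
    lure = build_sample_zip({"kxq71.dll": b"MZ decoy", "price.exe": b"MZ payload"}, encrypted=True)
    print(classify_message("price_new20070105", "It Is Protected", [("new_price20070105.zip", lure)]))
    # Constructed benign mail: plain archive containing a document.
    benign = build_sample_zip({"report.docx": b"PK document"}, encrypted=False)
    print(classify_message("Q3 report", "Please find attached.", [("report.zip", benign)]))
```

The encrypted flag alone only yields "flag", not "quarantine", because legitimate users do send password-protected archives; the verdict escalates when the name and content layout also line up with the lure. A real gateway would add the sender's SMTP source to the score, since a host sending with its own engine rather than through the organisation's relay is itself a signal.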
