Alias: I-Worm.Hawawi.a, W32/Holar, W95/Holar.D, W32.Hawawi.Worm
Type: Worm
Size: 54,784 Bytes
Origin:
Date: 00-00-0000
Damage: Spreading by email, MSN Messenger and shared networks.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution
The worm spreads by email, MSN Messenger and shared networks.
The worm sends an email with the following structure:
The subject is chosen from the "MyDocuments" folder of the infected system.
The 54,784-byte attachment has the same file name as the subject, with the extension .pif.

Technical Details
When the attachment is opened, the worm copies itself to the Windows system directory and creates the following registry autostart entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ZaCker

The webserver component is saved as "CmdServ.exe" in the system directory.
The following registry entry is made:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MyLife=C:\%WinDIR%\%SystemDIR%\CmdServ.exe
The webserver creates the file INDEX.HTM in the system directory. This .htm file contains an IFrame referring to the following file:
"C:\%WinDIR%\%SystemDIR%\WarIII.eml"
The worm uses the webserver together with its MSN Messenger component to connect users from the MSN contact list to the infected system.

The worm also makes the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\HolyWar
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\HolyWar
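
A triage check for the registry indicators listed above, added here as an example and not part of the original description: it scans the text of a registry export (.reg) for the RunServices entries ZaCker and MyLife and for the two HolyWar keys. The function names and the sample export are constructed for illustration, and ZaCker is assumed to be a value under RunServices, like MyLife.

```python
import re

# Indicators from the description above; registry names are case-insensitive.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"
RUN_VALUES = {"zacker", "mylife"}  # assumed to be values under RunServices
MARKER_KEYS = {
    r"hkey_local_machine\software\microsoft\holywar",
    r"hkey_local_machine\software\microsoft\windows\holywar",
}

def parse_reg(text):
    """Yield (key, value_name, data); value_name is None for a key header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                yield key, m.group(1), m.group(2)

def find_indicators(text):
    """Return (kind, key, value_name) for each indicator found in the export."""
    hits = []
    for key, name, _data in parse_reg(text):
        k = key.lower()
        if name is None and k in MARKER_KEYS:
            hits.append(("marker-key", key, None))
        elif name is not None and k == RUN_KEY and name.lower() in RUN_VALUES:
            hits.append(("autostart", key, name))
    return hits

# Constructed sample export (decode real exports to text first, often UTF-16).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MyLife"="C:\\WINDOWS\\SYSTEM\\CmdServ.exe"
"ZaCker"="C:\\WINDOWS\\SYSTEM\\sample.pif"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HolyWar]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MyLife"="C:\\notes.exe"
'''

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(hit)
```

The value named MyLife under the ordinary Run key in the sample is deliberately not reported, because the description places the entry under RunServices.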
Description created by Crony Walker on Tuesday, June 15, 2004