Virus Protection > computer-virus-i-page1 > - i-worm.hadr

i-worm.hadr

Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.

Description: Details
I-Worm.Hadra

This is an Internet worm that spreads via e-mails being attached as an EXE file. The worm itself is a Win32 executable file about 12Kb in length, written in VisualBasic. The worm code is compressed with a UPX Win32 EXE files compression utility, and when unpacked, it becomes about 26Kb in size.
When the worm starts (when a user clicks on the attached EXE file), the worm copies itself to the Windows directory with the MSSERV.EXE name and registers that file in the Windows registry auto-run keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
All these "Run=" keys then have the string value that runs the worm copy upon each Windows start-up:
msservice = %WinDir%\msserv.exe
where %WinDir% is Windows main directory.
Spreading
The worm then stays in the Windows memory as a hidden application (service), connects to MS Outlook and registers itself as MS Outlook "NewMail" and "ItemSend" events handler (i.e., the worm attaches itself to MS Outlook events).
On "NewMail" (a new mail has arrived), the worm looks as if it is its own message from another infected machine, and then deletes it. The worm opens the message, looks for the EXE attachment and deletes that message if the EXE attachment has the same length as the worm's EXE file.
On "ItemSend" (a message is being sent), the worm looks for already attached files, gets the first one, replaces it with its own copy, renames the attachment to .EXE, and then sends it. If the message has no attachment, the worm attaches itself with eight bytes of a random name and .EXE extenstion.
On Friday 13th, from 13:00 till 14:00, the worm also adds a text to the beginning of the message body:
[I-Worm.Hydra] allby gl_st0rm of [mions]
Protection
The worm performs several actions to hide itself and to avoid removing its file and infected registry "Run=" keys. The worm deletes the MSCONFIG.EXE file in the Windows system directory, looks for active applications and kills them (terminates these processes):
"AVP Monitor"
"AntiVir"
"Vshwin"
"F-STOPW"
"F-Secure"
"vettray"
"InoculateIT"
"Norman Virus Control"
"navpw32"
"Norton AntiVirus"
"Iomon98"
"AVG"
"NOD32"
"Dr.Web"
"Amon"
"Trend PC-cillin"
"File Monitor"
"Registry Monitor"
"Registry Editor"
"Task Manager"
As a result, the worm disables several types of anti-virus protections, as well as immediately closes Registry editors upon their start-up.
The worm also kills Kaspersky Anti-Virus (former AVP) anti-virus databases.
Member of SETI Distributed Network
The worm installs and activates the SETI (Search for Extraterrestrial Intelligence) software on an infected computer (see more information about SETI at http://setiathome.berkeley.edu).
The SETI software is downloaded by the worm to the Windows directory with the MSSETI.EXE name from the following FTP sites:
ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
The worm also creates, in the Windows directory, the following files:
USER_INFO.SAH and VERSION.SAH with SETI specific information
MSSETI.PIF, RUN_MSSETI.VBS, MSSETI.BAT to run SETI program
and registers RUN_MSSETI.VBS file in Registry auto-run keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = WScript.exe %WinDir%\run_msseti.vbs"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = WScript.exe %WinDir%\run_msseti.vbs"
The USER_INFO.SAH file contains user specific information about SETI user, the worm writes following IDs to there:
id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic

Updated: 02/24/2006
Copyright @2006 i-worm.hadr