i-worm.halla

I-Worm.Hallad

This is a virus-worm that spreads via the Internet as an attachment to infected e-mails. It also sends itself through IRC channels and performs payload actions.
The worm itself is a Windows PE EXE file about 80 Kb in length, and is written in Visual Basic 6.
The infected messages appear as follows:
Subject: %Name of the sender% + " is a millionaire"
Attachment: LucKey.exe
Body: " Hi" + %Name of the grantee% + "Your Friend " + %Name of the sender%
+ " invites you to be a millionaire" + %Name of the grantee% + "and says : "
+ %Name of the grantee% + "Wow..its really cool Test your lock ;)"
+ %Name of the grantee%
+ " just keep this advertisements pro run and you will get 0.25 $ every 30 minutes"
+ %Name of the grantee% + " + " Wo-finance Team"

The worm activates from an infected e-mail only when a user clicks on the attached file.
Installing
While installing, the worm copies itself to the Windows system directory with the name LUCKEY.EXE and to the Windows System directory with the name DALLAH.EXE. Then it displays a "Project1" dialogue window with the following text:
Run time error '71'
Object required
[ OK ]

Spreading via E-mail
To send infected messages, the worm uses MS Outlook and sends messages to all addresses found in the Outlook address book.
Spreading via IRC channels
The worm searches the subdirectories of the current disk for the file MIRC.INI and overwrites it with a new script that sends this EXE file to each user who joins the infected channel.
Payload actions
The worm creates many files with the following names in the current directory:
Sharoon ****.exe
Bush ****.exe
ZA-Union ****.exe
BinLadin ****.exe

Where **** is a number from 1 to 9999.
The worm also tries to remove the following folders on the disk where Windows is installed:
\Program Files\AntiViral Toolkit Pro
\Program Files\Command Software\F-PROT95
\eSafe\Protect
\PC-Cillin 95
\PC-Cillin 97
\Program Files\Quick Heal
\Program Files\FWIN32
\Program Files\FindVirus
\Toolkit\FindVirus
\f-macro
\Program Files\McAfee\VirusScan95
\Program Files\Norton AntiVirus
\TBAVW95
\VS95
\rescue
\Program Files\Zone Labs

The worm creates and runs the script file FLOPY.VBS. This script copies a worm dropper to the diskette with the name MALAL.EXE. It also creates companions to all files on a floppy drive with double extensions: it adds the extension ".EXE" to the original filenames.
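
An added example (not part of the original description and not vendor code): a file-name triage in Python built only from the names listed above. The sample paths are constructed, and the set of inner extensions used for the double-extension check is an assumption.

```python
import re
from pathlib import PureWindowsPath

# File names the description says the worm drops (compared case-insensitively).
DROPPED = {"luckey.exe", "dallah.exe", "flopy.vbs", "malal.exe"}

# Payload files: one of four prefixes, a space, a number, ".exe".
# Zero-padded and unpadded numbers are both accepted (assumption: the page
# only says "a number from 1 to 9999").
PAYLOAD = re.compile(r"^(sharoon|bush|za-union|binladin) (\d{1,4})\.exe$", re.I)

# Assumption: extensions treated as the "original" type for the companion
# check; the page does not say which file types were affected.
INNER_EXT = {".doc", ".txt", ".xls", ".jpg", ".com", ".bat", ".zip", ".exe"}


def classify(path):
    """Return why a path matches the description, or None if it does not."""
    name = PureWindowsPath(path).name
    if name.lower() in DROPPED:
        return "dropped-copy"
    m = PAYLOAD.match(name)
    if m and 1 <= int(m.group(2)) <= 9999:
        return "payload-file"
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    # Companion files: ".EXE" appended to an existing name, e.g. letter.doc.exe
    if len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in INNER_EXT:
        return "companion-double-extension"
    return None


def triage(paths):
    """Map each matching path to its reason; non-matching paths are omitted."""
    return {p: r for p in paths if (r := classify(p)) is not None}


# Constructed sample listing (not taken from a real system).
SAMPLE = [
    r"C:\WINDOWS\SYSTEM\LUCKEY.EXE",
    r"C:\WINDOWS\SYSTEM\dallah.exe",
    r"C:\TEMP\Bush 42.exe",
    r"C:\TEMP\ZA-Union 9999.exe",
    r"A:\MALAL.EXE",
    r"A:\letter.doc.exe",
    r"C:\Program Files\mIRC\mirc.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason:28} {path}")
```

A match on a double extension alone is only a lead, since legitimate files can carry such names; the dropped-copy and payload names are the stronger indicators.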

Updated: 02/24/2006
Copyright © 2006 Webroot Software Inc.