i-worm.hunch.
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
I-Worm.Hunch.a
This is a virus-worm that spreads via the Internet attached to infected e-mail. The worm itself is a Windows PE EXE file about 151 Kb in length, and it is written in Visual Basic.
Infected messages appear as follows:
Subject: COSTO
Body: Mensaje importante para %Recipient% en el archivo adjuntoall
(%Recipient% is the full name of the recipient.
Attachment: PE EXE file with a random name.
Installing
When the worm is launched, it creates a window containing a picture,
and installs into the system. When installing into the system, the worm copies itself to three files in the Windows system directory: one with the original name of the file, from which the worm has been launched and the following names:
%SYSTEM%\THWIN.EXE
%SYSTEM%\MSWORD.EXE
Then, the worm writes the following registry keys to start automatically with Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices THWIN=%SYSTEM%\THWIN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run THWIN=%SYSTEM%\THWIN.EXE
The worm also tries to copy itself to the A: drive with the "UNSCH.JPG.EXE" name.
Replication: e-mail
The worm uses Microsoft Outlook to send infected messages. The worm extracts e-mail addresses from the MS Outlook Address Book and sends itself to these addresses.
Payload
Depending on the worm's internal counters, the worm writes disk a C: formatting command to the C:\Autoexec.bat file.
Copyright @2006 i-worm.hunch.