FanJ
April 16th, 2002, 06:33 PM
Name: W32/Hunch-C
Type: Win32 worm
Date: 16 April 2002
At the time of writing Sophos has received no reports from users
affected by this worm. However, we have issued this advisory
following enquiries to our support department from customers.
Description:
W32/Hunch-C is an email worm which uses Microsoft Outlook to
spread. It arrives in an email with the body text:
Tal como te prometí; te envío mi foto en el archivo adjunto...
The subject and attachment name are dependent on the original
filename.
When the worm runs it copies itself to
C:\Windows\System\Thd16.exe,
C:\Windows\System\Msoffice.exe and
C:\Windows\System\<attachment filename>
and adds the registry value
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THD16 =
C:\Windows\System\Thd16.exe
so the worm runs on startup.
The worm will delete up to five files which have one of the
following extensions:
XLS
DOC
WAV
DWG
MP3
BAK
CDX
BMP
HTM
HLP
CHM
JPG
CDR
MDB
DBF
ICO.
The worm records the names of the files it deletes in
C:\Windows\System\ListWin.txt
Finally the worm displays a pornographic image.
Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32hunchc.html
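The indicators listed above can be checked offline against a copy of a suspect machine. The following is an added example, not part of the original post or of the Sophos advisory: a Python triage script that looks for the dropped files, the THD16 Run value and the deletion log. It assumes the C: drive is available as a directory (the hypothetical `root`), that the Run key was exported with regedit to .reg text, and that ListWin.txt holds one file name per line.

```python
import os
import re
import tempfile

DROPPED = ("thd16.exe", "msoffice.exe")   # fixed names; the third copy's name varies
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SAMPLE_REG = ('REGEDIT4\n\n'   # constructed regedit export, not from a real infection
              '[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
              '"THD16"="C:\\\\Windows\\\\System\\\\Thd16.exe"\n')

def find_ci(root, *parts):
    """Resolve parts under root ignoring case; None if any component is absent."""
    path = root
    for part in parts:
        names = os.listdir(path) if os.path.isdir(path) else []
        hit = next((n for n in names if n.lower() == part.lower()), None)
        if hit is None:
            return None
        path = os.path.join(path, hit)
    return path

def run_value_present(reg_text):
    """True if the export has a THD16 value under the Run key pointing at Thd16.exe."""
    section = None
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == RUN_KEY:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).lower() == "thd16":
                return m.group(2).replace("\\\\", "\\").lower().endswith("\\thd16.exe")
    return False

def triage(root, reg_text):
    """Report which W32/Hunch-C artefacts exist under a copy of C: at root."""
    dropped = [n for n in DROPPED if find_ci(root, "Windows", "System", n)]
    log = find_ci(root, "Windows", "System", "ListWin.txt")
    deleted = []
    if log:   # assumption: one deleted file name per line
        with open(log, errors="replace") as fh:
            deleted = [l.strip() for l in fh if l.strip()]
    return {"dropped": dropped, "run_value": run_value_present(reg_text),
            "deleted_files": deleted}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:   # constructed directory tree
        os.makedirs(os.path.join(root, "WINDOWS", "SYSTEM"))
        open(os.path.join(root, "WINDOWS", "SYSTEM", "THD16.EXE"), "w").close()
        print(triage(root, SAMPLE_REG))
```

Any names returned in `deleted_files` are candidates for restoring from backup, since the worm deletes them rather than infecting them.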