W32/Higuy-A ; Aliases: I-Worm.Tettona

Discussion in 'malware problems & news' started by FanJ, Jun 14, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Higuy-A
    Aliases: I-Worm.Tettona
    Type: Win32 worm
    Date: 14 June 2002


    At the time of writing Sophos has received just one report of
    this worm from the wild.

    Description:

    W32/Higuy-A is an internet worm with backdoor capabilities. It
    spreads via email by sending itself to addresses found in the
    Windows address book.

    The email will have the following characteristics:
    English version:
    Subject: Incredible..
    Message text:
    Hello,
    see this interesting file.
    Bye.

    Italian version:
    Subject:
    "Qualsiasi cosa fai,falla al meglio." or
    "Urgente! (vedi allegato)" or
    "Incredibile.."

    Message text:
    line 1: Ciao,
    line 2:
    "okkio all'allegato ;-)" or
    "apri subito l'allegato,e' molto interessante." or
    "devi assolutamente vedere il file che ti ho allegato."
    line 3: A presto...

    Attached file: tattoo.exe, euro.exe or tettona.exe.

    When run for the first time the worm displays the fake error
    message:
    "VBRUN49.DLL not found! Unable to execute.". Then it copies
    itself into the Windows folder as dllmgr32.exe. It sets the
    following registry entry so that it will be automatically run
    when Windows starts up.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManager = \dllmgr32.exe


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32higuya.html
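Added example, not part of FanJ's post or the Sophos analysis: a small Python script that turns the indicators listed above (the DllManager Run value, the dropped dllmgr32.exe, the mail subjects and attachment names) into offline checks. It parses a constructed .reg export of the Run key and flags matching entries, and tests mail subject/attachment pairs against the advisory's strings. The sample export, the function names and the single-value-type .reg parser are assumptions made for this example.

```python
"""Offline checks for the W32/Higuy-A indicators quoted in the advisory.
Added example; the .reg sample below is constructed, not a real capture."""
import re

# Indicators as given in the advisory text
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "DllManager"
DROPPED_FILE = "dllmgr32.exe"
SUBJECTS = {
    "Incredible..",
    "Qualsiasi cosa fai,falla al meglio.",
    "Urgente! (vedi allegato)",
    "Incredibile..",
}
ATTACHMENTS = {"tattoo.exe", "euro.exe", "tettona.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _norm_key(key):
    """Normalise a registry path for comparison (hive alias, case, trailing slash)."""
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM")
    return key.upper().rstrip("\\")


def parse_reg_export(text):
    """Parse a minimal .reg export into {normalised_key: {value_name: data}}.
    Only REG_SZ string values are handled, which is all a Run key needs here."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = _norm_key(m.group(1))
            entries.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes in string data as "\\"
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")
            entries[current][name] = data
    return entries


def check_run_entries(entries):
    """Return (value_name, data, reason) for Run entries matching the indicators.
    Matching on the file name as well as the value name catches a renamed value."""
    findings = []
    for name, data in entries.get(_norm_key(RUN_KEY), {}).items():
        basename = data.lower().replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append((name, data, "value name matches"))
        elif basename == DROPPED_FILE:
            findings.append((name, data, "points at dropped file"))
    return findings


def is_higuy_email(subject, attachment):
    """True if the subject or attachment name matches the advisory's lists."""
    return subject.strip() in SUBJECTS or attachment.lower() in ATTACHMENTS


# Constructed sample export: one unrelated entry and one matching the advisory
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"DllManager"="C:\\WINDOWS\\dllmgr32.exe"
"""

if __name__ == "__main__":
    for name, data, reason in check_run_entries(parse_reg_export(SAMPLE_REG)):
        print(f"suspicious Run entry {name!r} -> {data} ({reason})")
    print(is_higuy_email("Incredible..", "tettona.exe"))
```

On a live system the same check would be run against the output of `reg export` for the Run key rather than the embedded sample; the parser deliberately only understands string values because that is the only type the advisory's persistence entry uses.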
     