Discussion in 'malware problems & news' started by FanJ, Sep 24, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Higuy-A
    Aliases: I-Worm.Tettona, W32/Higuy@MM, WORM_HIGUY.A
    Type: Win32 worm
    Date: 24 September 2002

    Sophos has received several reports of this worm from the wild.

    Note: Sophos Anti-Virus has been detecting W32/Higuy-A since
    17.50 GMT on 14 June, but has issued this new IDE to add
    detection of a working corrupted version.

    W32/Higuy-A is an internet worm with backdoor capabilities. It spreads via email by sending itself to addresses found in the Windows address book.

    The email has the following characteristics:

    English version:
    Subject: Incredible..
    Message text:
    see this interesting file.

    Italian version:
    "Qualsiasi cosa fai,falla al meglio." or
    "Urgente! (vedi allegato)" or
    Message text:
    line 1: Ciao,
    line 2:
    "okkio all'allegato ;-)" or
    "apri subito l'allegato,e' molto interessante." or
    "devi assolutamente vedere il file che ti ho allegato."
    line 3: A presto...

    Attached file: tattoo.exe, euro.exe or tettona.exe.

    When run for the first time the worm displays the fake error message:
    "VBRUN49.DLL not found! Unable to execute.". Then it copies itself into the Windows folder as dllmgr32.exe. It sets the following registry entry so that it is automatically run when Windows starts up.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManager =
    <Windows folder>\dllmgr32.exe

    More information about W32/Higuy-A can be found at
Thread Status:
Not open for further replies.