W32/Higuy-A

Name: W32/Higuy-A
Aliases: I-Worm.Tettona, W32/Higuy@MM, WORM_HIGUY.A
Type: Win32 worm
Date: 24 September 2002


Sophos has received several reports of this worm from the wild.

Note: Sophos Anti-Virus has been detecting W32/Higuy-A since
17.50 GMT on 14 June, but has issued this new IDE to add
detection of a working corrupted version.

Description
W32/Higuy-A is an internet worm with backdoor capabilities. It spreads via email by sending itself to addresses found in the Windows address book.

The email has the following characteristics:

English version:
Subject: Incredible..
Message text:
Hello,
see this interesting file.
Bye.

Italian version:
Subject:
"Qualsiasi cosa fai,falla al meglio." or
"Urgente! (vedi allegato)" or
"Incredibile.."
Message text:
line 1: Ciao,
line 2:
"okkio all'allegato ;-)" or
"apri subito l'allegato,e' molto interessante." or
"devi assolutamente vedere il file che ti ho allegato."
line 3: A presto...

Attached file: tattoo.exe, euro.exe or tettona.exe.

When run for the first time the worm displays the fake error message:
"VBRUN49.DLL not found! Unable to execute.". Then it copies itself into the Windows folder as dllmgr32.exe. It sets the following registry entry so that it is automatically run when Windows starts up.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DllManager =
<Windows folder>\dllmgr32.exe


More information about W32/Higuy-A can be found at
http://www.sophos.com/virusinfo/analyses/w32higuya.html