W32/Hunch-C

Discussion in 'malware problems & news' started by FanJ, Apr 16, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Hunch-C
    Type: Win32 worm
    Date: 16 April 2002

    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Description:

    W32/Hunch-C is an email worm which uses Microsoft Outlook to
    spread. It arrives in an email with the body text:

    Tal como te prometí; te envío mi foto en el archivo adjunto...

    The subject and attachment name are dependent on the original
    filename.

    When the worm runs it copies itself to
    C:\Windows\System\Thd16.exe,
    C:\Windows\System\Msoffice.exe and
    C:\Windows\System\<attachment filename>
    and adds the registry value

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\THD16 =
    C:\Windows\System\Thd16.exe

    so the worm runs on startup.

    The worm will delete up to five files which have one of the
    following extensions:
    XLS
    DOC
    WAV
    DWG
    MP3
    BAK
    CDX
    BMP
    HTM
    HLP
    CHM
    JPG
    CDR
    MDB
    DBF
    ICO.
    The worm records the names of the files it deletes in
    C:\Windows\System\ListWin.txt

    Finally the worm displays a pornographic image.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32hunchc.html
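An added example, not part of the original post or of Sophos's own tooling: a Python triage check that looks for the indicators listed in the advisory in a copy of `C:\Windows\System` and in an exported set of Run key values. The function names, the dictionary input format, and the one-name-per-line layout of `ListWin.txt` are assumptions; the advisory does not describe the log's format.

```python
import os
import tempfile

# Indicators as given in the advisory above. The third copy, named after the
# attachment, has no fixed name and cannot be matched here.
DROPPED = ("Thd16.exe", "Msoffice.exe", "ListWin.txt")
RUN_NAME = "THD16"
RUN_DATA = r"C:\Windows\System\Thd16.exe"
TARGET_EXT = {"XLS", "DOC", "WAV", "DWG", "MP3", "BAK", "CDX", "BMP",
              "HTM", "HLP", "CHM", "JPG", "CDR", "MDB", "DBF", "ICO"}

def find_dropped(system_dir):
    """Return advisory file names present in system_dir (case-insensitive)."""
    on_disk = {n.lower(): n for n in os.listdir(system_dir)}
    return [on_disk[n.lower()] for n in DROPPED if n.lower() in on_disk]

def find_run_entries(run_values):
    """run_values: {value name: data} exported from the HKLM Run key."""
    hits = []
    for name, data in run_values.items():
        # Match on either the value name or the path it points to.
        if name.upper() == RUN_NAME or data.strip('" ').lower() == RUN_DATA.lower():
            hits.append(name)
    return hits

def deleted_files(system_dir):
    """Read ListWin.txt; ASSUMES one deleted file name per line."""
    on_disk = {n.lower(): n for n in os.listdir(system_dir)}
    log = on_disk.get("listwin.txt")
    if log is None:
        return []
    with open(os.path.join(system_dir, log), encoding="latin-1") as fh:
        names = [line.strip() for line in fh if line.strip()]
    # Keep only entries whose extension is on the advisory's list.
    return [n for n in names if n.rsplit(".", 1)[-1].upper() in TARGET_EXT]

if __name__ == "__main__":
    # Constructed sample standing in for a copied C:\Windows\System directory.
    with tempfile.TemporaryDirectory() as d:
        for name in ("THD16.EXE", "kernel32.dll"):
            open(os.path.join(d, name), "wb").close()
        with open(os.path.join(d, "ListWin.txt"), "w") as fh:
            fh.write("C:\\Docs\\report.doc\nC:\\Music\\a.mp3\n")
        run = {"THD16": RUN_DATA, "ScanRegistry": "scanregw.exe /autorun"}
        print(find_dropped(d), find_run_entries(run), deleted_files(d))
```

The entries returned by `deleted_files` are the candidates to restore from backup once the worm's copies and the Run value have been removed.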
     