WORM_HORSMAN.A

WORM_HORSMAN.A typically arrives via email and IRC. It affects systems running Windows 95, 98, NT, ME, 2000, and XP. Upon execution, it copies itself as one the following files:

• 
  %Temp%\SProcess.exe
  %Temp%\Great_Virus_Creation_Kit.exe
  %Temp%\Win_Security_Patch_2602.exe

To enable its automatic execution at system startup and gain memory-residency, the worm overwrites the system file EXPLORER.EXE, which is found in the Windows folder, and then saves the original system file as follows:

• 
  %Windows%\System\Explorer.exe

When overwriting EXPLORER.EXE, it avoids generating a sharing access violation, by first terminating the Explorer process. It then overwrites the system file with a copy of itself and restarts the Explorer program.

On systems running Windows 95 and 98, the worm utilizes the RegisterServiceProcess API function call to make itself invisible in the Close Dialog box whenever CTRL+ALT+DEL is pressed. This routine prevents the user from easily terminating the malware from memory.

To propagate via email, this worm drops a file named LOGDATA.VBS in the Windows temporary folder. This worm utilizes the VBS file to send itself via email and uses WSCRIPT.EXE to execute it.

The email that it sends contains the following:

Subject: Very important patch!

Message Body:
Hi. Here I’ve attached a very important patch, very useful to find and fix a lot of bugs in windows and improve the security of your windows.

If installed, this patch it’s able to prevent virus infections or other dangerous things.

I hope that this will be useful! Bye!

Attachment: One of the following:
SProcess.exe
Great_Virus_Creation_Kit.exe
Win_Security_Patch_2602.exe

It looks for target email addresses in files found in directories located in the system PATH variable, including their subfolders. It searches for files with the following extensions as potential target addresses:

• 
  HTM
  HTML
  HTT
  ASP
  DBX

After mass-mailing, the worm deletes the copy of the sent message.

To propagate via mIRC, the worm overwrites the mIRC initialization file, SCRIPT.INI, with commands to send a copy of the worm to all users who are in the same IRC channel as the infected user.

When a new user joins the infected IRC channel, it sends the following message along with the worm copy:

Hi! Check out this program, It’s very powerful!

The target recipient must accept the file and execute it in order to be infected.

Upon execution, this worm attempts to disable antivirus and security protection on the infected system, by terminating programs that contain the following strings:

• Avp
• Kav
• Nav
• Scan
• Anti
• Alert
• Mon
• Check

These strings are generally associated with antivirus and firewall programs.

If you would like to scan your computer for WORM_HORSMAN.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_HORSMAN.A is detected and cleaned by Trend Micro pattern file #505 and above.