Sophos Anti-Virus IDE alert: W32/Hiton-A

Discussion in 'malware problems & news' started by Marianna, Mar 4, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Type
    Win32 worm

    Description
    W32/Hiton-A is a mass mailing worm that emails itself, using its own SMTP engine, to addresses harvested from address books and files on the hard disk.
    When first run W32/Hiton-A displays the fake error message:

    "Connection Error 66473:

    Please check you Internet Connection or
    Firewall. If the Error occurs again you
    should Contact your ISP"

    The worm copies itself to the Windows system folder as SVCHOST.EXE and creates the following files in the same folder:

    MSSVC.DLL - a component of the worm
    WSUCK32.DLL - a list of filenames
    WSICK32.DLL - a file containing sent email addresses

    W32/Hiton-A creates registry entries in the following locations to run itself every time the user logs on to the computer:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Command Processor\AutoRun
    HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

    Emails sent by the worm have characteristics chosen from the following lists:

    Subject line:

    TONA, you have to see this!
    hey wuts up?
    hey wuts up TONA?
    Very funny
    Useful
    Happy Times :)
    gift for you TONA :)
    Attatchments
    Hiiiiiii TONA
    Hiiiiiii
    Wait for more :)
    elegant ppl should satisfy thier taste with elegant things :)
    heyyy TONA
    Heyyyyyyyy Lola Wussaaap??
    Another one?
    Hey Wussap?
    Hey I thought you trusted me but ...
    unknown
    leaked
    stolen
    information for you, TONA
    information
    warning
    something for you
    read it immediately
    Undeliverable mail --
    Server Report
    Status
    Returned mail --
    Mail Delivery System
    La Transazione Della Posta
    venuto a mancare
    La Transaction De Courrier A
    Mail Transaction Failed
    s the document you requested
    s the document
    s a nice Picture
    s the archive you requested
    New Internal Rls...
    Do not release, its the internal rls!
    hola TONA
    hello TONA
    hi TONA
    Ciao TONA
    Darling

    Message text:

    i found this amazing file in my Recycled , i know u love this kind of things
    :) cyaaa

    Hummm , i hope u accept this show as an apology. save it for hard times
    i will be waiting for u emaill to remind me of your self.

    im fine , thanx for asking :) and thanx for the nice attachements. but
    unfortunately, i don't remember you

    you seem to be mad @ me coz i didnt send u anything for along time, i
    didn't forget u , but i was kinda busy , i've got all of ur emails thanx :)
    and i hope u accept this one as an apology.

    ive got this surprise from a friend :) it really deserves a few minutes of
    your time. Never mind !

    i thing the subject is enough to describe the attached file ! check it out
    and replay your opinion

    heyyyy i tried many times to send u this email but ur account was out of
    storage as i think any way , make sure that i didnt and i won't forget
    u :) Cya Forgotten :p

    Ive got your email , but you forgot to upload the attachments. Don't be
    selfish , i sent you all the files i have, send me anything :(

    i just wanted to say sorry for last night and .. i wish u accept this as an
    apology bye dear I cant be online tonight :(anyway , i sent u something u r
    gonna love :) cya tomorrow

    i lost FRNAs Email plzz send this file to her :) and tell her i can't be
    online tonight Bye

    YO TONA , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO U, SAVE
    IT BYEEE

    I forgot to tell u , the other file is with FRNA:) bye

    Heyyyy TONAI lost the other email , anyway i sent u all u need i have just
    got it , plz tell me if u need more.bye

    Here is the FRNA :) Dont tell Sam abt it Cya

    i havent ever thought i should send u my briefcase to gain ur Trust. Have
    it all :) bye

    HEY TONA, call FRNA a virus text stealer =)

    Hi TONA its FRNA. I was shocked, when I found out that it wasnt you but
    your twin brother, that's amazing, you're as like as two peas. No one in
    bed is better than you TONA. I remember, I remember everything very well,
    that promised you to tell how it was, I'll give you a call today after 9.
    He took my skirt off, then my panties, then my bra, he sucked my t**s, with
    the same fury you do it. He was writing alphabet on my ***** for 20 minutes,
    then suddenly stopped, put me in doggy style position and stuck his dagger.
    But TONA, why didn't you warn me that his dick is 15 inches long? I was
    struck, we fucked whole night. I'm so thankful to you, for acquainted me to
    your brother. I think we can do it on the next Saturday all three together?
    What do you think? O yes, as you wanted I've made a few pictures check them
    out in archive, I hope they will excite you, and you will dream of our new
    meeting... Greetz FRNA

    something is fool

    something is going wrong

    you are bad

    you try to steal

    you feel the same

    you earn money

    thats wrong

    take it easy

    do you?

    thats funny

    here, the cheats

    here, the introduction

    here, the serials

    from the chatter

    about me

    information about you

    something is going wrong!

    stuff about you?

    greetings

    see you

    here it is

    that is bad

    yes, really?

    i found this document about you

    your name is wrong

    i hope it is not true!

    kill the writer of this document!

    something about you!

    I have your password!

    you are a bad writer

    is that from you?

    i wait for a reply!

    is that your account?

    is that your name?

    is that true?

    my hero

    read it immediately!

    here is the document.

    read the details.

    im waiting

    what does it mean?

    anything ok?

    Have a look at the attatchment.

    Heres the answer to all your questions.

    Thats the document that you had requested.

    Have a look the Pic attached !!

    Real outtakes from Sex in the City!! Adult content!!! Use with parental
    advisory =)

    Send me your comments.

    The Archive is attached...

    I have a document attached, which should solve your problems.

    See the attached file for details.

    Mail transaction failed. Partial message is available.

    The message cannot be represented in 7-bit ASCII encoding and has been
    sent as a binary attachment.

    The message contains Unicode characters and has been sent as a binary
    attachment.

    The message contains MIME-encoded graphics and has been sent as a binary
    attachment.

    Attached file (extension EXE, BAT, PIF, SCR or ZIP):

    object, ranking, dinner, release, location, friend, website, nomoney, aboutyou,
    shower, topseller, product, swimmingpool, concert, textfile, posting,
    attachment, details, creditcard, message, document, party, disco, me

    Note that the attached file may have a random name, a double extension, or both, for example <filename>.htm.exe

    W32/Hiton-A changes the HOSTS file so that several anti-virus-related internet domain names resolve to the local computer:

    sophos.com
    sophos.co.jp
    kaspersky.com
    symantec.com
    trendmicro.co.jp

    W32/Hiton-A terminates the following processes:

    ZONEALARM.EXE
    WINMX.EXE
    XOLOX.EXE
    SPHINX.EXE
    OUTLOOK.EXE
    OPERA.EXE
    MSIMN.EXE
    NETSCP6.EXE
    NETSCAPE.EXE
    IEXPLORE.EXE
    KAZAA.EXE
    ICQLITE.EXE
    ICQ.EXE
    EDONKEY.EXE
    EMULE.EXE
    AIM.EXE

    http://www.sophos.com/virusinfo/analyses/w32hitona.html
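A defender-side check for the HOSTS tampering described in the analysis above, added here as an example and not taken from the Sophos write-up or the forum post: it parses HOSTS file content and reports any of the named vendor domains that resolve to a loopback or unspecified address, which is what blocks the affected machine from reaching the vendor for updates. The sample HOSTS content is constructed.

```python
import ipaddress

# Domains named in the Sophos W32/Hiton-A description as being pointed at the local machine
AV_DOMAINS = ("sophos.com", "sophos.co.jp", "kaspersky.com", "symantec.com", "trendmicro.co.jp")

# Constructed sample HOSTS file content (not taken from an infected machine)
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    intranet.example.test  # assumed legitimate entry
127.0.0.1 sophos.com www.sophos.com
127.0.0.1\tsophos.co.jp
0.0.0.0 kaspersky.com
127.0.0.1 symantec.com  www.symantec.com
127.0.0.1 trendmicro.co.jp
"""

def _is_local(addr: str) -> bool:
    """True for addresses that swallow traffic: loopback (127/8, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def _is_watched(host: str, watched) -> bool:
    """Match the domain itself or any subdomain of it, case-insensitively, ignoring a trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def find_hosts_hijacks(hosts_text: str, watched=AV_DOMAINS):
    """Return (line_no, address, hostname) for every watched domain mapped to a local address."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()                  # spaces or tabs separate address from hostnames
        addr, hostnames = fields[0], fields[1:]
        if not _is_local(addr):
            continue
        for name in hostnames:
            if _is_watched(name, watched):
                hits.append((line_no, addr, name.lower()))
    return hits

if __name__ == "__main__":
    for line_no, addr, name in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS line {line_no}: {name} -> {addr} (vendor lookups from this host will fail)")
```

On a Windows host the file to read is %SystemRoot%\System32\drivers\etc\hosts; a hit for a vendor domain with no known administrative reason is worth investigating alongside the autorun locations listed above.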
     