Win32.Worm.Hakaglan.B
MEDIUM
LOW
variable
(Worm.Win32.AutoRun.fwl, W32/Sohanad.D, Worm:Win32/Nuquel.Y)
Symptoms
- presence of %windir%\SCVHOST.exe with folder icon
- presence of %windir%\system32\SCVHOST.exe with folder icon
- presence of the registry values mentioned below
- computer slows down
- task manager disabled
- registry tools disabled
- folder options disabled
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
George Cabau, virus researcher
Technical Description:
This worm has a folder icon and performs the following actions upon execution:
- makes a copy of itself inside the %windir% folder, as “SCVHOST.exe”
- makes a copy of itself inside the %windir%\system32 folder, as “SCVHOST.exe”
- registers itself to run at startup in several places, by adding the registry values:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : “Yahoo Messsenger” -> “c:\Windows\System32\SCVHOST.exe”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell -> “SCVHOST.exe”.
- disables Task Manager, Registry Editor and Folder Options by setting the following registry values under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:
"DisableTaskMgr" ->"1";
"DisableRegistryTools" ->"1";
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:
"NofolderOptions" ->"1";
- creates a scheduled job, using the Windows AT command scheduler, that runs “%windir%\System32\SCVHOST.exe” (a copy of the malware) every day at 09:00 AM. It also removes the limit on how long scheduled tasks may stay active by setting the value under HKLM\SYSTEM\CurrentControlSet\Services\Schedule:
"AtTaskMaxHours"->"0".
- prevents Internet Explorer from starting in offline mode by setting the value under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings:
"GlobalUserOffline"-> "0"
- creates the following registry entry so that its copy is shared, under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares: "shared"->"\New folder.exe". If it finds any shared drives, it copies itself to them under the name “New folder.exe”.
- spreads via shared drives, removable drives and Yahoo Messenger.
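The following read-only triage script is added here as a defender's example; it is not BitDefender's disinfection tool and does not remove anything. It checks a host for the file, registry and scheduled-job indicators listed in the description above and reports what it finds; the script layout and the `$findings` collection are my own, the paths and values are those named on this page.

```powershell
# Constructed triage script for the Win32.Worm.Hakaglan.B indicators described above.
# Run from an elevated PowerShell prompt on the suspect host; it only reports, it never modifies.
$findings = @()

# 1. Dropped copies: SCVHOST.exe in %windir% and %windir%\System32
foreach ($p in @("$env:windir\SCVHOST.exe", "$env:windir\System32\SCVHOST.exe")) {
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

# 2. Registry values the worm sets. 'Like' is a wildcard pattern; a pattern without
#    wildcards is an exact match. Registry value names are case-insensitive.
#    GlobalUserOffline=0 is left out on purpose: 0 is also the normal "online" state.
$regChecks = @(
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'Yahoo Messsenger';     Like = '*SCVHOST.exe*' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell';                Like = '*SCVHOST.exe*' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Like = '1' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Like = '1' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions';      Like = '1' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';                  Name = 'AtTaskMaxHours';       Like = '0' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared'; Like = '*New folder.exe*' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = [string]$item.($c.Name)
        if ($data -like $c.Like) { $findings += "registry: $($c.Key)\$($c.Name) = '$data'" }
    }
}

# 3. Scheduled job (AT jobs are listed as tasks by schtasks) that runs the dropped copy
$tasks = schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -like '*SCVHOST.exe*') {
        $findings += "scheduled task: $($t.TaskName) runs $($t.'Task To Run') ($($t.'Schedule Type'))"
    }
}

if ($findings.Count -eq 0) { 'No Hakaglan.B indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

A hit on any of the file or scheduled-task checks, or on the Run/Shell values, is strong evidence of infection; the Policies values alone can also come from legitimate group policy, so confirm them against the other findings before acting.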