
Win32.Holar.I@mm

MEDIUM
LOW
Size: variable
Also known as: I-Worm.Hawawi.f (Kaspersky)

Symptoms

- the registry value [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explore], which points to the file %SYSTEM%\explore.exe;
- the registry key [HKCU\DeathTime], which the worm uses as a run counter to decide when to execute its payload;
- the registry value [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page], which points to the website http://www.geocities.com/yori_mrakkadi;
- the files explore.exe and smtp.ocx in the Windows System folder;
- copies of the worm, under other file names, also in the Windows System folder.

Removal instructions:

BitDefender can automatically disinfect or delete the files infected by this virus. The registry entries it modifies must be corrected manually.
1. If you do not have BitDefender installed, download an evaluation version;
2. Make sure you have the latest updates, using BitDefender Live!;
3. Make the following changes in the Windows registry:

Note: Modify only the values specified below. It is also recommended to back up the Windows registry before proceeding with these changes; for more information on backing up the registry, please read the FAQ.
a. Select Run... from the Start menu, type regedit and press Enter;
b. Delete the value Explore under the key [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] (the entry that launches %SYSTEM%\explore.exe at start-up), and delete the key:

[HKCU\DeathTime]

c. If the value [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page] points to http://www.geocities.com/yori_mrakkadi, set it back to your preferred home page.
4. Unregister the dropped SMTP control by running, from the Windows System folder, the command:

regsvr32 /u smtp.ocx

and then delete the file smtp.ocx.
5. Reboot the system;
6. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action) and choose to delete all the files infected with Win32.Holar.I@mm. Note that explore.exe has the read-only, hidden and system attributes set, so it will not appear in a normal folder listing; clear those attributes before deleting it by hand.
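
The manual steps above, collected into a script that first reports which Win32.Holar.I@mm indicators are present on a host and, when run with -Remove, undoes them in the same order. This is an added example and not BitDefender's code; it assumes that the "%SYSTEM%" folder of the write-up is $env:SystemRoot\System32, that the worm's process is named after its file (explore), and that a hijacked Start Page should be reset to about:blank. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the Bitdefender write-up: check a Windows host for the
# Win32.Holar.I@mm indicators listed above and, with -Remove, undo them in the order
# the removal steps give. Run from an elevated PowerShell prompt and reboot afterwards.
# Assumptions the page does not state: "%SYSTEM%" is $env:SystemRoot\System32, the
# worm's process is named "explore", and a hijacked Start Page is reset to about:blank.
param([switch]$Remove)

$sysDir   = Join-Path $env:SystemRoot 'System32'
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$deathKey = 'HKCU:\DeathTime'
$ieMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$lureHome = 'http://www.geocities.com/yori_mrakkadi'
$dropped  = @('explore.exe', 'smtp.ocx') | ForEach-Object { Join-Path $sysDir $_ }

$findings = @()

# 1. Run value "Explore" pointing at %SYSTEM%\explore.exe
$run = Get-ItemProperty -Path $runKey -Name Explore -ErrorAction SilentlyContinue
if ($run -and $run.Explore -match 'explore\.exe') {
    $findings += "Run value Explore = $($run.Explore)"
}

# 2. HKCU\DeathTime, the run counter that fires the payload at 30
if (Test-Path $deathKey) { $findings += "Registry key $deathKey present" }

# 3. Internet Explorer Start Page pointed at the worm author's site
$sp = Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue
$startPageHijacked = $sp -and ($sp.'Start Page' -eq $lureHome)
if ($startPageHijacked) { $findings += "Start Page = $lureHome" }

# 4. Dropped files; explore.exe carries read-only/hidden/system, so Get-Item needs -Force
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $attr = (Get-Item -LiteralPath $f -Force).Attributes
        $findings += "File $f [$attr]"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Win32.Holar.I@mm indicators found.'; return }
$findings | ForEach-Object { Write-Host "FOUND: $_" }
if (-not $Remove) { return }

# Cleanup. A running worm process would keep explore.exe locked, so stop it first.
Get-Process -Name explore -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: registry entries
Remove-ItemProperty -Path $runKey -Name Explore -ErrorAction SilentlyContinue
Remove-Item -Path $deathKey -Recurse -Force -ErrorAction SilentlyContinue
if ($startPageHijacked) { Set-ItemProperty -Path $ieMain -Name 'Start Page' -Value 'about:blank' }

# Step 4: unregister the SMTP control (/s suppresses the confirmation dialog), then delete files
$ocx = Join-Path $sysDir 'smtp.ocx'
if (Test-Path -LiteralPath $ocx) { & "$env:SystemRoot\System32\regsvr32.exe" /u /s $ocx }

foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        # Clear the read-only/hidden/system attributes the worm sets before deleting.
        (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $f -Force
    }
}
Write-Host 'Indicators removed. Reboot, then run a full BitDefender scan (steps 5 and 6).'
```

The script only reports by default; the destructive branch is gated behind -Remove so the findings can be reviewed (and the registry backed up, as the note above advises) before anything is changed. The Start Page check compares against the exact URL from the symptoms list so that a legitimately customised home page is left alone.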

Analyzed by: Bogdan Dragu, BitDefender Virus Researcher

Technical Description:

The virus was written in Visual Basic and compressed with UPX.

When run, it copies itself to the Windows System folder and drops its embedded components: smtp.ocx (an SMTP ActiveX control that the worm uses to send its e-mail messages; the worm registers it with regsvr32) and the executable explore.exe.

The registry value

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explore]

is created so that the worm runs at every start-up. The executable's read-only, hidden and system file attributes are set, which keeps it out of a normal folder listing.

The worm harvests e-mail addresses from the Microsoft Windows Address Book (WAB) file and from user files with the extensions .TXT, .HTML, .HTM and .EML, and sends itself to each of them through the dropped SMTP control.
The worm arrives in e-mail messages with subjects such as the following:
Fw:
Re:
Check this out ;)
Enjoy!
This is all i can send
Have Fun :)
You gonna love it
Here is what u wanted
:)
Wait for more :)
looool
Take a look
Never mind !
Attatchments
See the attatched file
gift :)
Surprise!
save it for hard times
Happy Times :)
Useful
Very funny
Try it
you have to see this!
emazing!
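
The subject list above is mostly too generic to act on by itself ("Re:", "Fw:" and ":)" would match a large share of legitimate mail), so a usable gateway rule needs a second condition. The following is an added example, not part of the Bitdefender write-up: it flags a message only when its Subject is one of the lure subjects and it also carries an executable attachment. The page names no attachment files, so the executable-extension list is an assumption, and the three sample messages are constructed here to exercise the rule (the first combines a lure subject with an .exe attachment; the other two do not).

```powershell
# Added example, not from the Bitdefender write-up: flag a message only when its Subject
# is one of the Holar.I lure subjects AND it carries an executable attachment.
# Assumption (the page names no attachment files): the worm travels as an executable
# attachment, so the extensions in $ExecAttachment are the assumed trigger.

$LureSubjects = @(
    'Fw:', 'Re:', 'Check this out ;)', 'Enjoy!', 'This is all i can send',
    'Have Fun :)', 'You gonna love it', 'Here is what u wanted', ':)',
    'Wait for more :)', 'looool', 'Take a look', 'Never mind !', 'Attatchments',
    'See the attatched file', 'gift :)', 'Surprise!', 'save it for hard times',
    'Happy Times :)', 'Useful', 'Very funny', 'Try it', 'you have to see this!',
    'emazing!'
)
# Multiline, case-insensitive: a Content-Disposition header whose filename ends in an
# executable extension. Group 1 captures the file name for the report.
$ExecAttachment = '(?im)^Content-Disposition:\s*attachment;.*filename="?([^"\r\n]+\.(exe|scr|pif|com|bat))"?'

function Test-HolarLure {
    param([Parameter(Mandatory)][string]$RawMessage)
    # The header block ends at the first blank line; use the first Subject header only.
    $headerBlock = ($RawMessage -split '\r?\n\r?\n', 2)[0]
    $subject = ''
    foreach ($line in ($headerBlock -split '\r?\n')) {
        if ($line -match '^Subject:\s*(.*)$') { $subject = $Matches[1].Trim(); break }
    }
    $attachment = $null
    if ($RawMessage -match $ExecAttachment) { $attachment = $Matches[1] }

    [pscustomobject]@{
        Subject    = $subject
        Attachment = $attachment
        # -contains compares case-insensitively, which suits the mixed-case lure list.
        IsLure     = ($LureSubjects -contains $subject) -and ($null -ne $attachment)
    }
}

# Constructed sample messages (not real captures) to exercise the rule.
$samples = @(
@"
From: alice@example.test
To: bob@example.test
Subject: Check this out ;)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="funny.exe"
Content-Disposition: attachment; filename="funny.exe"

TVqQAAMAAAAEAAAA
--b1--
"@,
@"
From: carol@example.test
To: bob@example.test
Subject: Re:

Thanks, see you tomorrow.
"@,
@"
From: dave@example.test
To: bob@example.test
Subject: Take a look
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Disposition: attachment; filename="photo.jpg"

/9j/4AAQSkZJRg==
--b2--
"@
)

$samples | ForEach-Object { Test-HolarLure -RawMessage $_ } | Format-Table -AutoSize
```

Requiring both the lure subject and an executable attachment is what keeps this rule usable: a subject-only match would quarantine ordinary replies, while an attachment-only match would catch every executable regardless of origin. On a real gateway the raw message text would come from the MTA rather than from the inline samples.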

The worm stores, in the registry key HKCU\DeathTime, a counter of the number of times it has been run. When the counter reaches 30, the payload executes: the following message is displayed in red on a black background:
"! have noth!na say bam st!ll ZaCker !"