Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Hiton.A@mm

Overview

Threat Risk LOW LOW
Destructivity LOW LOW
Payload Block access to antivirus vendors websites.
Detection files published 01 Mar 2004 03:00:00
Description created 04 Mar 2004 04:05:00
Description updated 04 Mar 2004 08:05:00
Malware type WORM
Alias
Spreading mechanism EMAIL
Summary None

W32/Hiton.A@mm

Spreading

On startup, the worm will copy itself to %WINDIR%svchost.exe and %SYSTEM%mssvc.dll. It will also create the following registry values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
RunService Host Driver = “%WINDIR%\svchost.exe"

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\
Autorun = ““%WINDIR%\svchost.exe"
HKEY_CLASSES_ROOT\CLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
InProcServer32Default = “%SYSTEM%\mssvc.dll"
The first value ensures that the worm is started with Windows, the second will attempt to execute the worm each time a command prompt is opened and the third causes explorer will execute the worm when it starts.
The worm will then search various folders for .htm, .tbb, .wab, .mht, .hlp, .dbx, .txt and .eml files, and extract any e-mail addresses it finds which it stores in %SYSTEM%wsick.dll. A subject, body and attachment name is then selected from the following lists.
Subject "Darling" "Ciao" "Ciao TONA" "Error" "hi" "hi TONA" "hello" "hello TONA" "hola" "hola TONA" "Do not release, its the internal rls!" "New Internal Rls..." "here’s the archive you requested" "Here’s a nice Picture" "Pr0n!" "here’s the document" "here’s the document you requested" "Mail Transaction Failed" “La Transaction De Courrier A ÚchouÚ" "La Transazione Della Posta + venuto a m"... "Mail Delivery System" "Returned mail --" "Status" "Server Report" "Undeliverable mail --" "read it immediately" "something for you" "warning" "information" "information for you, TONA" "stolen" "leaked" "fake" "unknown" "Hey I thought you trusted me but ..." "Hey Wussap?" "Another one?" "Heyyyyyyyy Lola Wussaaap??" "heyyy" "heyyy TONA" "elegant ppl should satisfy thier taste "... "Wait for more :)" "Hiiiiiii" "Hiiiiiii TONA" "Attatchments" "gift for you TONA :)" "Happy Times :)" "Useful" "Very funny" "hey wuts up TONA?" "hey wuts up?" "TONA, you have to see this!" Body “i found this amazing file in my Recycled , i know u love this kind of things ;)ONCRcyaaa" “Hummm , i hope u accept this show as an apology.ONCRsave it for hard times" “i will be waiting for u emaill to remind me of your self." “I’m fine , thanx for asking :) ONCRand thanx for the nice attachements.ONCRbut unfortunately, i don’t remember you" “you seem to be mad @ me coz i didn’t send u anything for along time,ONCRi didn’t forget u , but i was kinda busy , i’’ve got all of ur emailsONCRthanx :) and i hope u accept this one as an apology" “I’ve got this surprise from a friend :)ONCRit really deserves a few minutes of your time.ONCRNever mind !" “i thing the subject is enough to describe the attached file" “heyyyy i tried many times to send u this email but ur account was out of storage as i thinkONCRany way , make sure that i didn’t and i won’t forget u :)ONCRCya Forgotte’n :P" “I’ve got your email , but you forgot to upload the attachments.ONCRDon’t be selfish , i sent you all the files i have, send me anything :(“ “i just wanted to say sorry for last nightONCRand .. i wish u accept this as an apologyONCRbye dear" “I can’t be online tonight :(anyway , i sent u something u r gonna love ;)ONCRcya tomorrow" “i lost FRNA’s Email plzz send this file to her :)ONCRand tell her i can’t be online tonightONCRBye" “YO TONA , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO U, SAVE ITONCRBYEEE" “I forgot to tell u , the other file is with FRNA:) bye" “Heyyyy TONAI lost the other email , anyway i sent u all u needONCRi have just got it , plz tell me if u need more.bye" “Here is the FRNA ;) Dont tell Sam abt itONCRCya" “Hi TONA its FRNA.ONCRONCRI was shocked, when I found out that it wasn’t you but your twin brother,ONCRthat’s amazing, you’re as like as two peas. No one in bed is better thanONCRyou TONA. I remember, I remember everything very well, that promised youONCRto tell how it was, I’ll give you a call today after 9. He took my skirtONCRoff, then my panties, then my bra, he sucked my t**s, with the same furyONCRyou do it. He was writing alphabet on my pussy for 20 minutes, thenONCRsuddenly stopped, put me in doggy style position and stuck his dagger.ONCRBut TONA, why didn’t you warn me that his dick is 15 inches long? I wasONCRstruck, we fucked whole night. I’m so thankful to you, for acquainted meONCRto your brother. I think we can do it on the next Saturday all threeONCRtogether? What do you think? O yes, as you wanted I’ve made a few picturesONCRcheck them out in archive, I hope they will excite you, and you will dreamONCRof our new meeting...ONCRONCRGreetz FRNA" “HEY TONA, call FRNA a virus text stealer =)" Attachments "body" "mail" "msg" "doc" “talk" "message" "creditcard" "details" "attachment" “me" "stuff" "posting" "textfile" "concert" "information" "note" "bill" "swimmingpool" "product" "topseller" "ps" "shower" "aboutyou" "nomoney" "found" “story" "mails" "website" "friend" "jokes" "location" "final" "release" "dinner" "ranking" "object" "mail2" "part2" "disco" "party" "misc The extension can be either .exe, .pif, .bat, .zip or .scr.
Hiton will then send the mail to all the addresses stored in %SYSTEM%wsick.dll.

Payload Details

Hiton.A will append entries to the %SYSTEM%driversetchosts file which attempt to block access to antivirus vendors websites.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15