Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Cerohar

Overview

Threat Risk LOW LOW
Destructivity Unknown UNKNOWN
Payload
Detection files published
Description created 19 Mar 2010 08:06:00
Description updated 19 Mar 2010 08:06:00
Malware type WORM
Alias Worm.Win32.AutoRun(Kaspersky)
W32.Silly (Symantec)
Worm: Win32/Cerohar(Microsoft)
Heuristic.LooksLike.Worm.Autorun (McAfee GW Edition)
Spreading mechanism EMAIL
NETWORK
Summary

W32/Cerohar

Spreading

Vector worms prefer to propagate via network shares or USB drives, or they are downloaded by another trojan. They also propagate via email attachments and even instant messaging. Typical worm functionality is to drop an autorun.ini that increases the velocity of spreading through manual intervention.
After execution the malware drops an executable named HardCore, or a file with the extension .txt. It also creates registry entries. If a mutex or a process called HardCore is found, it’s a clear evidence that the machine is infected by this worm.

Payload Details

n/a

Analysis

[ DetectionInfo ] * Filename: C:\Documents and Settings\19b9914a440d9c74100873698a. * Sandbox name: . * Signature name: NOT_SCANNED. * Compressed: NO. * TLS hooks: YES. * Executable type: Application. * Executable file structure: OK. * Filetype: PE_I386. [ General information ] * File length: 98816 bytes. * MD5 hash: 19b9914a440d9c7efc1014100873698a. [ Changes to filesystem ] * Creates file C:\TEMP\War Rock.lnk. * Creates file C:\Progra~1\owned.txt. or * Creates file \Hardcore.exe. or * Creates file C:\Progra~1\hackhound.txt. or * Creates file C:\Progra~1\TR_bot_de.txt. or * Creates file C:\Progra~1\fullLogs.txt. [ Changes to registry ] [ Process/window information ] * Creates a mutex HardCore. * Attemps to open C:\TEMP\War Rock.lnk NULL. * Creates a COM object with CLSID {3C374A40-BAE4-11CF-BF7D-00AA006946EE} : Microsoft Url History Service. * Query interface {AFA0DC11-C313-11D0-831A-00C04FD5AE38}. or * Attemps to Open \Hardcore.exe NULL. * Creates process "\Hardcore.exe". * Creates a mutex HardCore. or * Creates a mutex HardCore. * Enumerates running processes. * Creates a COM object with CLSID {3C374A40-BAE4-11CF-BF7D-00AA006946EE} : Microsoft Url History Service. * Query interface {AFA0DC11-C313-11D0-831A-00C04FD5AE38}.  

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10