Threat Encyclopedia


Win32/Higuy.A

Aliases: I-Worm.Tettona.A, Win32.HLLM.Tettona, Panda W32/Orue, Win32/Frantes.A

Win32/Higuy.A is a worm that spreads as an email file attachment. It is written in Microsoft Visual C++ and is compressed: its compressed size is 34 761 bytes, which grows to 94208 bytes after decompression. The worm runs on Microsoft Windows operating systems.
The worm arrives as a file attached to an email message. It selects the message subject, the message body and the name of the attached file from pre-defined lists. The message subject may be one of the following texts:

Subject: Incredibile..
Subject: Urgente! (vedi allegato)
Subject: Qualsiasi cosa fai,falla al meglio.
Subject: Incredible..

The message body is selected from the following options:

Hello,
see this interesting file.
Bye.

Ciao,
okkio all'allegato ;-)
A presto...

Ciao,
devi assolutamente vedere il file che ti ho allegato.
A presto...

Ciao,
apri subito l'allegato,e' molto interessante.
A presto...

When it is run, the worm displays a fake error message.

Note: In the following text, the placeholder %windir% stands for the directory in which the Windows operating system is installed; this naturally differs from one installation to another.

Then the worm copies itself into the %windir% directory as the file dllmgr32.exe. It ensures that it is started again after a system restart by creating the value DllManager in the system registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, with its data set so that dllmgr32.exe is launched after the operating system restarts. After that the worm reads from the system registry the name of the file containing the Windows Address Book and sends a copy of itself to every contact found there. The attached file is named tettona.exe, euro.exe or tattoo.exe.
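As an added example (not part of the ESET entry), a host triage check in Python for the persistence artifacts just described: the DllManager value under the HKLM Run key, a Run command whose image is dllmgr32.exe, and the dropped %windir%\dllmgr32.exe. The matching logic takes the Run-key entries as plain data so it can be exercised anywhere; the winreg read only runs on Windows. The attachment-name list comes from this page, and the sample Run-key contents are constructed.

```python
"""Triage check for Win32/Higuy.A persistence artifacts (added example)."""
import ntpath
import os
import sys
from typing import Dict, List

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DllManager"                 # value name the worm creates (from the description)
DROPPED_FILE = "dllmgr32.exe"            # file the worm copies itself to in %windir%
ATTACHMENT_NAMES = {"tettona.exe", "euro.exe", "tattoo.exe"}   # names listed on this page

def command_image(value: str) -> str:
    """Return the executable path from a Run-key command line (strips quotes and arguments)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]

def find_run_indicators(run_entries: Dict[str, str]) -> List[str]:
    """Flag Run entries whose value name is DllManager or whose image is dllmgr32.exe.
    ntpath is used so Windows paths are parsed correctly on any platform."""
    hits = []
    for name, value in run_entries.items():
        image = ntpath.basename(command_image(value)).lower()
        if name.lower() == RUN_VALUE.lower() or image == DROPPED_FILE:
            hits.append(f"{name} = {value}")
    return hits

def is_suspect_attachment(filename: str) -> bool:
    """True if an attachment name matches one the worm uses (case-insensitive)."""
    return ntpath.basename(filename).lower() in ATTACHMENT_NAMES

def read_run_key() -> Dict[str, str]:
    """Read HKLM Run values on Windows; returns an empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:
                break          # no more values
            entries[name] = str(value)
            index += 1
    return entries

if __name__ == "__main__":
    # Constructed sample of what an infected host's Run key might hold (not real data)
    sample = {"DllManager": r"C:\WINDOWS\dllmgr32.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
    for hit in find_run_indicators(read_run_key() or sample):
        print("persistence indicator:", hit)
    dropped = os.path.join(os.environ.get("windir", r"C:\WINDOWS"), DROPPED_FILE)
    print("dropped file present:", os.path.exists(dropped))
```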
There is also the following text in the worm body:

Ciao,
il tuo computer è infettato dal virus Fralý.
Certo che devi essere proprio un pirlone,
per esserti fatto fregare dal mio stupidissimo worm.
Va bè,vÓ,non ti preoccupare,oggi non sono in vena di cattiverie,
ed è anche un giorno festivo per me.

Buona giornata..
by 4nt4R35

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.