Threat Encyclopedia


Win32/Holar.h

Win32/Holar.h is a mass-mailing worm. Eset received the first reports of this worm spreading at around 12 AM PST. The worm carries a rather destructive payload: under certain conditions it deletes all files on the C: drive and shuts down the system. After the worm (contained in the infected e-mail attachment) is executed, it drops the following files:

explore.exe - the main component, and
smtp.ocx - the COM component used to communicate via SMTP,

into the "system" directory.
It also creates a number of copies of itself, which are used to spread via Kazaa.

To ensure it is started on every boot, the worm registers its main component (explore.exe) under the Run key as follows:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run\Explore"

and searches files with the following extensions for addresses to send the infected e-mails to:

.htm
.html
.txt
.dbx

The e-mail Subject field is chosen from an unusually large set of possible subjects (see below), and the e-mail body is also very varied. Examples of the e-mails are listed below:
(Note: the first line of each example represents the e-mail subject)

"'''*< Love Speaks it all >*'''"
"Hii"
"Try this great program allowing u to translate 100 languages . "
"just write a passage in english and chose a language to get the traslation "
"one of my friends used it with his arabian gf and it worked successfully ;)"
"so , Now we can say ' Love Speaks it All ' :) "

or:

"Co0o0o0o0oL"
"i thing the subject is enough to describe the attached file !"
"check it out and replay your opinion"
"Cya"

or:

"Fw:"
"You're gonna love it ;)"
"delete it after reading , Professor :P"

or:

"Heeeeeeeeeeeeeeeey"
"i've got this surprise from a friend :)"
"it really deserves a few minutes of your time."
"Bye"

or:

"Wussaaaaaaaap?"
"Should i email u first to email me? "
"u don't know how much ur emails mean to me."
"i wish u like this email and plzz don't forget me :)"

or:

"WoW But not for NoW"
"coz i couldn't get the other part of it ,"
"any way , check it out "
"having alil thing is better than nothing :P"

or:

"y0 Ain't Got Shyt !"
"All u can get is burning ur self "
"Coz all we can do is to watch, nothing for us to touch :("

or:

"Why Do We FOk?"
"let me answer ,,,"
"hummmmmmmmm"
"Coz we Burn Our selves by watching ********** like the one i attached :P"

or:

"Hi"
"i'v got it from a group called "
"it really fits us , check it out carefully :)"
"bye"

or:

"Q <--- what does it look likt?"
"Hummm , It looks like something men can't live without"
"ha? did u get it?"
"if not , enjoy ur Eyes by Seeing it ;) this one is deferent!"

or:

"Hiiiii"
"you seem to be mad @ me coz i didn't send u anything for along time,"
"i didn't forget u , but i was busy , i've got all of ur emails"
"thanx :) and i hope u accept this one as an apology."

or:

"Heeelllooo , anybody home????"
"i tried many times to send u this email but ur account was out of storage as i think"
"any way , make sure that i didn't and i won't forget u :)"
"Cya Forgotten :P"

or:

"Why did u send me this shyt?"
"THANX BUT I DON'T ACCEPT SEX MATERIALS FROM STRANGERS."
"I SAW THEM N I WONDERED HOW U COULD DO SO ?"
"I REATTACHED THE SHYT U SENT "
"PLEASE DON'T EMAIL ME , "

or:

"Re:Hi"
"No thanx , keep it for you :)"
"Bye"

or:

"Helloooooooo"
"I've got your email , but you forgot to upload the attachments."
"Don't be selfish , i sent you all the files i have, send me anything :("
"If u are booooored ..."
"i found it in my Recycled , i know u love this kind of thing ;)"
"attachment :) bye"

and even e-mails masquerading as an important notification from an antivirus vendor:

"Dispatch@McAfee.com" (From)
"Virus Alert !" (Subject)
"Dear User,
McAfee.com Has recieved an infected message from you .We believe that you are infected with Win32/HaWawi@MM Virus. Please download the attached tool (ToolAv01w32) which will help you to clean your PC. For more information :

*Create an email addressed to virus_research@nai.com."

and many others.
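
The lure characteristics described above (a small set of distinctive subjects, the spoofed McAfee notification and an executable attachment) can be turned into a mail-gateway check. The following script is an added example, not part of Eset's description or of the worm itself: it parses a raw RFC 822 message with the Python standard library and scores it against those characteristics. The two messages it parses are constructed for the example; the list of executable extensions, the split into strong and generic subjects, and the assumption that the file names the worm uses for its Kazaa copies may also appear as attachment names are this example's own choices, not statements from the original text.

```python
"""Score a raw e-mail against the Win32/Holar.h lure characteristics.

Added example. The sample messages are constructed, and the executable
extension list, the strong/generic subject split and the reuse of the
Kazaa file names as attachment names are assumptions of this example.
"""
import email
from email import policy
from email.utils import parseaddr

# Distinctive subjects from the description (compared case-insensitively).
STRONG_SUBJECTS = {
    "'''*< love speaks it all >*'''", "hii", "co0o0o0o0ol", "heeeeeeeeeeeeeeeey",
    "wussaaaaaaaap?", "wow but not for now", "y0 ain't got shyt !", "why do we fok?",
    "q <--- what does it look likt?", "hiiiii", "heeelllooo , anybody home????",
    "why did u send me this shyt?", "helloooooooo", "virus alert !",
}
# Subjects too generic to act on alone; they count only with an executable attachment.
WEAK_SUBJECTS = {"hi", "fw:", "re:hi"}
# Names the worm uses for its Kazaa copies; assumed (not stated in the description)
# to be reused as attachment names, possibly with a double extension such as .jpg.pif.
HOLAR_NAMES = {
    "toolav01w32", "hot_show", "short_vclip", "beauty_vs_your_face", "endless_life",
    "hearts_translator", "lo0o0o0o0ol", "gurls_secrets", "leaders_scandals",
    "hawawi_n_hawaii", "tears_of_happiness", "real_magic", "the_truth_of_love",
}
# Assumption: extensions Windows runs on double-click (.pif is the one the page names).
EXECUTABLE_EXTS = (".pif", ".exe", ".scr", ".com", ".bat")


def classify(raw_message):
    """Return (verdict, reasons) for one RFC 822 message.

    verdict is "block" (Holar.h indicators found), "quarantine" (an executable
    attachment but no other indicator) or "deliver".
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    sender = parseaddr(msg["From"] or "")[1].lower()
    reasons = []

    executables = []
    for part in msg.iter_attachments():  # yields nothing for non-multipart mail
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTS):
            executables.append(name)
            if name.lower().split(".")[0] in HOLAR_NAMES:
                reasons.append(f"attachment name used by Holar.h: {name}")

    if subject in STRONG_SUBJECTS:
        reasons.append(f"known lure subject: {subject!r}")
    elif subject in WEAK_SUBJECTS and executables:
        reasons.append(f"generic lure subject with executable attachment: {subject!r}")
    if sender.endswith("@mcafee.com") and subject == "virus alert !":
        reasons.append("spoofed McAfee virus notification")

    if reasons:
        return "block", reasons
    if executables:
        return "quarantine", ["executable attachment: " + ", ".join(executables)]
    return "deliver", []


# Constructed sample: the McAfee-style lure carrying the worm as ToolAv01w32.pif.
SAMPLE_LURE = """\
From: Dispatch@McAfee.com
To: user@example.com
Subject: Virus Alert !
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="holar"

--holar
Content-Type: text/plain

Dear User, McAfee.com Has recieved an infected message from you.
--holar
Content-Type: application/octet-stream; name="ToolAv01w32.pif"
Content-Disposition: attachment; filename="ToolAv01w32.pif"
Content-Transfer-Encoding: base64

TVo=
--holar--
"""

# Constructed sample: an ordinary message with a generic subject and no attachment.
SAMPLE_BENIGN = """\
From: alice@example.org
To: user@example.com
Subject: Hi

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(classify(raw))
```

The generic subjects ("Hi", "Fw:", "Re:Hi") are deliberately not blocked on their own; they only matter together with an executable attachment, which is what carries the worm in every variant described above.
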
Between the 20th and 25th of each month, the worm also appears (at random, with a certain probability) to look for files with the following extensions: "*.jpg" "*.doc" "*.pps" "*.ram" "*.zip". Disguised with the names of these files, it copies itself (with the .pif extension) into the "system" directory and uses these copies, under the following names, to spread over the Kazaa peer-to-peer network:

"Hot_Show"
"Short_vClip"
"Beauty_VS_Your_FaCe"
"Endless_life"
"Hearts_translator"
"Shakiraz_Big_ass"
"Sweet_but_smilly"
"Broke_ass"
"Lo0o0o0o0oL"
"Gurls_Secrets"
"Tedious_SeX"
"Leaders_Scandals"
"HaWawi_N_Hawaii"
"Come_2_Cum"
"Tears_of_Happiness"
"White_AmeRica"
"Famous_PpL_N_Bad_Setuations"
"XxX_Mpegs_Downloader"
"Teenz_Raper"
"Real_Magic"
"The_Truth_of_Love"
"unfaithful_Gurls"
"How_to_improve_ur_love"
"AniMaL_N_Burning_Ladies"
"Aint_it_Funny"
"ToolAv01w32"

Malicious Payload:

The registry value "HKEY_CURRENT_USER\DeathTime" is initialized to "0" and set to "1" on the first run. It is then incremented by one on each subsequent execution (in general, on each restart) until it reaches 30. That value triggers the malicious payload: deletion of all files (*.*) on the C: drive, including all subdirectories.
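
The Run-key entry and the DeathTime counter described above are the two host-side indicators an incident responder can read straight from a registry export. The following script is an added example (not Eset's tooling or the worm's code): it parses the text of a .reg export such as `reg export` produces, flags the Run entry pointing at explore.exe and reports how many further restarts remain before the payload fires. The export it parses is constructed for this example. Because the description does not say whether DeathTime is a key with a default value or a value directly under HKEY_CURRENT_USER, nor whether it is stored as a string or a DWORD, the script accepts both forms; that is an assumption of the example.

```python
"""Check a .reg export for Win32/Holar.h persistence and the DeathTime counter.

Added example. The export below is constructed; the two possible layouts of
DeathTime (key with default value, or value under HKEY_CURRENT_USER) and its
type (string or dword) are assumptions, so both are handled.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
PAYLOAD_TRIGGER = 30  # the payload fires when the counter reaches this value


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Handles "name"="string", the default value (@=...), and dword:XXXXXXXX;
    other value types are kept as their raw right-hand side.
    """
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = re.match(r'^("(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$', line)
        if not m or key is None:
            continue
        name = "" if m.group(1) == "@" else m.group("name")
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            # .reg escapes backslashes and quotes inside string data
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        reg[key][name] = data
    return reg


def _lookup(reg, key_path):
    """Case-insensitive key lookup (registry paths are not case-sensitive)."""
    wanted = key_path.lower()
    for path, values in reg.items():
        if path.lower() == wanted:
            return values
    return {}


def find_holar_indicators(reg_text):
    """Return the indicators found: run_entry, death_time, restarts_until_payload."""
    reg = parse_reg(reg_text)
    findings = {}

    # Persistence: a Run value named "Explore" or pointing at explore.exe.
    for name, data in _lookup(reg, RUN_KEY).items():
        if name.lower() == "explore" or str(data).lower().endswith("explore.exe"):
            findings["run_entry"] = (name, data)

    # Counter: default value of HKCU\DeathTime, or "DeathTime" value under HKCU.
    counter = _lookup(reg, r"HKEY_CURRENT_USER\DeathTime").get("")
    if counter is None:
        hkcu = {n.lower(): v for n, v in _lookup(reg, "HKEY_CURRENT_USER").items()}
        counter = hkcu.get("deathtime")
    if counter is not None:
        count = int(counter)
        findings["death_time"] = count
        findings["restarts_until_payload"] = max(PAYLOAD_TRIGGER - count, 0)
    return findings


# Constructed sample export from an infected host, three restarts from the payload.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Explore"="C:\\WINDOWS\\SYSTEM\\explore.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\DeathTime]
@="27"
'''

if __name__ == "__main__":
    print(find_holar_indicators(SAMPLE_EXPORT))
```

A counter close to 30 is the urgent finding: the machine should be cleaned without further reboots, since the deletion is tied to the number of executions rather than to a date.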

Message boxes with the following texts are displayed during the deletion:

" LOVE"
" PEACE"
" HOME"
" HAPPINESS"
""
"These things Can't be Found as long as Bush & Jews Are aLive :)"
"Made By ZaCker In 2003-03-30 :)"

Finally, the malicious code shuts down the system using the following command:

"RunDll32.exe Shell32.dll,SHExitWindowsEx 0x01"

The faked "From:" address is obtained from the following registry locations:

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Default Mail Account"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\SMTP Email Address"
"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Default Mail Account"
"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\SMTP Email Address"
"HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID" (with "@yahoo.com" appended)

The following strings also appear in the worm. Besides the website it appears to attack (http://www.whitehouse.org), they point to the directory walk used by the payload, the DNS server and domain settings the worm reads (through GetNetworkParams in iphlpapi.dll and the TCP/IP registry keys) in order to perform the MX queries needed for its own SMTP delivery, and the names of the registry hives:

"http://www.whitehouse.org"
"C:\"
"\"
"SubFolders"
"Files"
"GetNetworkParams"
"iphlpapi.dll"
","
"System\CurrentControlSet\Services\VxD\MSTCP"
"NameServer"
"Domain"
"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
"DhcpNameServer"
"DHCPDomain" "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
"\"
" "
"."
"No DNS entries found, MX Query cannot contine."
"MXQuery"
"No Valid Domain Specified"
"Problem sending MX query"
"Problem receiving MX query"
"HKEY_CLASSES_ROOT"
"HKEY_CURRENT_USER"
"HKEY_LOCAL_MACHINE"
"HKEY_USERS"
"HKEY_PERFORMANCE_DATA"
"HKEY_CURRENT_CONFIG"
"HKEY_DYN_DATA"
"\"

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.