Threat Encyclopedia

Installation

When executed, the worm copies itself to the following locations:

Documents and Settings\All Users\Application Data\hidn\hldrrr.exe
Documents and Settings\All Users\Application Data\hidn\hidn2.exe

To be executed on every system start, the worm sets the following Registry entry:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drv_st_key

The entry contains the path to the worm executable. The following Registry entry is deleted:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The following text is displayed in Notepad:

Text decoding error.

Spreading via e-mail

The worm searches local files with one of the following extensions for e-mail addresses to use for further spreading:

adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
msg
nch
nmf
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml

Addresses containing the following strings are avoided:

..
.@
@.
@avp.
@foo
@iana
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
google
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip

The worm can fetch some addresses from the Internet or generate random ones. The subject of the message is one of the following:

pric
price
price_
price-

The attachment is a ZIP archive containing an executable of the worm. The name of the attachment is one of the following:

latest_price
new_price
price

The name of the executable inside is random.
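
A mail-gateway heuristic for the message pattern described above, as an added example that is not part of the original description. The exact-match subject comparison, the optional ".zip" suffix, the list of executable extensions and the function names are assumptions; the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Values copied from the description above.
SUBJECTS = {"pric", "price", "price_", "price-"}
ATTACHMENT_STEMS = {"latest_price", "new_price", "price"}
# Assumption: which archive member extensions count as "an executable".
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}


def executable_members(data):
    """Return names of executable-looking members of a ZIP, [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if PurePosixPath(n).suffix.lower() in EXECUTABLE_EXTS]
    except zipfile.BadZipFile:
        return []


def matches_lure(raw):
    """True if subject, attachment name and archive content all fit the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    if (msg["Subject"] or "").strip().lower() not in SUBJECTS:
        return False
    for part in msg.iter_attachments():
        # Assumption: the listed names may be followed by a ".zip" extension.
        stem = PurePosixPath((part.get_filename() or "").lower()).stem
        data = part.get_payload(decode=True) or b""
        if stem in ATTACHMENT_STEMS and executable_members(data):
            return True
    return False


def build_sample(subject, filename, member):
    """Constructed test message; the archive member holds inert placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", subject
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()
```

Because the name of the executable inside the archive is random, the check keys on the member's extension rather than its name.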

Other information

The worm contains a list of 60 URLs. It tries to download several files from these addresses. The downloaded files are then executed.