Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/Hydra

Aliases: Win32.Hadra

Win32/Hydra is an email worm written in Visual Basic.  Its unpacked size is 26073 bytes; compressed with the UPX packer it shrinks to 12249 bytes.  The worm spreads as a file with the .EXE extension attached to email messages.
Infection begins when the recipient runs the attachment.  The worm unpacks itself and installs into the system.  To be started again after the next reboot, it adds a value under each of the following registry keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

Each of these values points to msserv.exe, the file holding the worm copy, which the worm creates in the directory where Windows is installed when it is first run.  (The RunServices keys are honoured only by Windows 9x/ME; on NT-based Windows they are ignored, so there persistence rests on the two Run keys alone.)  To hinder detection on the infected computer, the worm scans the list of running processes for "dangerous" applications and terminates them.  The list of applications it terminates is rather long:

File Monitor
Trend PC-cillin
Dr.Web
Amon
AVG
NOD32
AVP Monitor
AntiVir
Vshwin
F-STOPW
F-Secure
vettray
InoculateIT
Norman Virus Control
navpw32
Norton AntiVirus
Registry Monitor
Registry Editor
Task Manager
AVPUPDATES

The list consists mainly of anti-virus products and monitoring tools (File Monitor, Registry Monitor, Registry Editor, Task Manager) that could reveal the worm's presence or be used to remove it.
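The persistence entries described above can be checked offline from a Registry Editor (.reg) export.  The following Python script is an added example, not part of ESET's description: it parses the export and reports every value under the four autostart keys whose target program is msserv.exe.  The sample export embedded in the script is constructed for the demonstration; the value name "msserv" and the path C:\WINDOWS are assumptions, since the page does not state which value name the worm uses.

```python
r"""Scan a Registry Editor (.reg) export for the autostart values Win32/Hydra adds.

Added example. The sample export below is constructed for the demo; the value
name "msserv" and the C:\WINDOWS path are assumptions, not taken from the page.
"""
import re
from typing import Dict, List, Tuple

# The four autostart keys named in the description.
AUTOSTART_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

# Constructed sample in regedit export format. Note the doubled backslashes:
# .reg files escape a backslash and a double quote inside string data with "\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msserv"="C:\\WINDOWS\\MSSERV.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"msserv"="C:\\WINDOWS\\msserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msserv"="C:\\WINDOWS\\msserv.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="mentions msserv.exe but is not an autostart key"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# A value line: "name"=data or @=data (the key's default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a backslash escapes a backslash or a quote.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} from a .reg export.

    String data has its quotes and escapes removed; other kinds (dword:, hex:)
    are kept as the raw text after '='.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        value_match = _VALUE_RE.match(line)
        if not value_match:
            continue
        name = "@" if value_match.group(1) is None else _unescape(value_match.group(1))
        data = value_match.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def target_basename(command: str) -> str:
    """Lower-cased file name of the program an autostart value launches."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path, possibly followed by arguments.
        command = command[1:].split('"', 1)[0]
    else:
        # Unquoted path: everything up to the first space (ambiguous with spaces in paths).
        command = command.split(" ", 1)[0]
    return command.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_autostarts(reg_text: str, suspect: str = "msserv.exe") -> List[Tuple[str, str, str]]:
    """List (key, value_name, data) autostart values whose program is `suspect`."""
    wanted = {k.lower() for k in AUTOSTART_KEYS}
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            if target_basename(data) == suspect.lower():
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_autostarts(SAMPLE_REG):
        print(f"{key}\\{name} = {data}")
```

Keys are compared case-insensitively because Windows registry paths are not case-sensitive, and only the program's file name is matched, so a copy launched from a different directory or with arguments is still reported.  The Uninstall key in the sample, which mentions the file name but is not an autostart location, is deliberately ignored.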
Once installed, the worm hooks into mail sent and received through Microsoft Outlook.  In incoming mail it deletes any EXE attachment whose length equals the worm's own.  In outgoing mail that carries attachments it replaces the first attachment with a copy of itself bearing the same name and the EXE extension; if the message has no attachments, it attaches a copy of itself under a random name.
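The attachment handling described above suggests a simple gateway check: an EXE attachment whose decoded length is exactly the worm's packed or unpacked size.  The following Python script is an added example, not part of the original description.  It builds a message shaped like one the worm sends (the EXE payload is inert zero padding of the packed size, not worm code) and scans it with the standard library's email package; the addresses and file names are made up.

```python
"""Flag EXE attachments whose decoded size matches Win32/Hydra's file sizes.

Added example using only the standard library. The message built below is
constructed for the demo; the EXE payload is inert zero padding, not worm code.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Tuple

# Worm file sizes from the description: UPX-packed and original.
HYDRA_SIZES = {12249, 26073}


def build_sample_message(with_exe: bool = True) -> bytes:
    """Construct a message shaped like one the worm sends.

    Addresses and file names are made up. The .exe part is "MZ" followed by
    zero bytes, padded to the packed worm size, so the size check fires.
    """
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Re: photos"
    msg.set_content("See the attached file.")
    if with_exe:
        inert_blob = b"MZ" + b"\x00" * (12249 - len(b"MZ"))
        msg.add_attachment(inert_blob, maintype="application",
                           subtype="octet-stream", filename="photos.exe")
    msg.add_attachment("meeting at 10\n", filename="notes.txt")
    return msg.as_bytes()


def scan_attachments(raw_message: bytes) -> List[Tuple[str, int, str]]:
    """Return (file name, decoded size, reason) for each suspicious attachment.

    Only the decoded payload length is compared, so Content-Transfer-Encoding
    overhead (base64 inflates the wire size) does not distort the size test.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings: List[Tuple[str, int, str]] = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        size = len(payload)
        if not name.lower().endswith(".exe"):
            continue
        if size in HYDRA_SIZES:
            findings.append((name, size, "EXE attachment with Win32/Hydra file size"))
        else:
            findings.append((name, size, "executable attachment"))
    return findings


if __name__ == "__main__":
    for name, size, reason in scan_attachments(build_sample_message()):
        print(f"{name}: {size} bytes, {reason}")
```

The size test is exactly the one the description attributes to the worm itself for incoming mail, so it catches unmodified copies; a repacked or padded variant would change the length, which is why the script also reports every other EXE attachment at a lower severity rather than relying on the size alone.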
A notable feature of the worm is that it connects to one of the following FTP servers and downloads the file listed:

ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe

From that file the worm installs the SETI@home (Search for ExtraTerrestrial Intelligence) command-line client, which joins the computer to the distributed computing network that searches for signs of extraterrestrial civilisations.  The work units the computer then processes are credited to a participant registered as GL_STORM with the email address gl_storm@seznam.cz, which probably belongs to the worm author.  The SETI client is started by additional registry entries the worm creates.
The following text string is visible in the worm body:

[I-Worm.Hydra] ...by gl_st0rm of [mions]

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.