W32/Hairy-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports

W32/Hairy-A is a worm for the Windows platform.

W32/Hairy-A attempts to copy itself to removable drives and to create an autorun.inf file on them.

When W32/Hairy-A is installed, the following files are created:

<Root>\HarryPotter-TheDeathlyHallows.doc
<Root>\autorun.inf
<Root>\harry potter.txt
<Windows>\Tempt\talk.bat

The following registry entry is created to run talk.bat on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
talk
<Windows>\Tempt\talk.bat

W32/Hairy-A changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, affecting internet security:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall
0

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions
0

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr
1

Registry entries are set as follows:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoViewContextMenu
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoShellSearchButton
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HideClock
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayContextMenu
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoTrayItemsDisplay
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoViewContextMenu
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
