W32/Hansah-A is a worm for the Windows platform.
When W32/Hansah-A is installed it copies itself to the following locations:
\chasnah.exe
\ntoskernel.exe
\winamp_5.35_fullMusic_pro.exe
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\chasnah.exe
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\csrss.exe
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\lsass.exe
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\server.exe
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\smss.exe
<User>\Application Data\3gp.exe
<User>\Application Data\avg.exe
<User>\Application Data\flash.exe
<User>\Application Data\folder.exe
<User>\Application Data\free.exe
<User>\Application Data\install.exe
<User>\Application Data\pack.exe
<User>\Application Data\pdf.exe
<User>\Application Data\txt.exe
<User>\Application Data\winamp.exe
<User>\Application Data\winampinstall.exe
<User>\Application Data\zip.exe
<Startup>\start.exe
<Windows>\albasya.exe
<Windows>\sca.exe
<Windows>\sitta.exe
<System>\execute.exe
W32/Hansah-A also creates the following malicious files upon execution:
\Documents and Settings\Administrator\My Documents\cav.exe
\bitblt.exe
\userinit.exe
The following clean files are also created by the worm:
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\folder.ico
<User>\Application Data\chasnah.htm
\Documents and Settings\Administrator\Local Settings\Application Data\Administrator.task\avg.ico
The following registry entries are created to run ntoskernel.exe and bitblt.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Media Adapter
\bitblt.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
sittachasnahalbasya
\ntoskernel.exe
The following registry entries are changed to run sitta.exe and userinit.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows>\sitta.exe
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
\userinit.exe
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
The following registry entries are set or modified, so that execute.exe is run when files with extensions of BAT, COM, EXE, PIF and SCR are opened/launched:
HKCR\batfile\shell\open\command
(Default)
<System>\execute.exe "%1" %*
HKCR\comfile\shell\open\command
(Default)
<System>\execute.exe "%1" %*
HKCR\exefile\shell\open\command
(Default)
<System>\execute.exe "%1" %*
HKCR\piffile\shell\open\command
(Default)
<System>\execute.exe "%1" %*
HKCR\scrfile\shell\open\command
(Default)
<System>\execute.exe "%1" %*
Registry entries are set as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
chekedValue
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
unchekedValue
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
DefaultValue
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Type
<no value>
HKCR\.reg
(Default)
txtfile
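The registry changes listed above can be audited on a suspect host. The following PowerShell script is an added example, not part of the original description; it reads each location the worm is described as modifying and reports any value that no longer matches its stock Windows default (the expected patterns assume an XP-era build and may need adjusting for other versions).

```powershell
# Added example, not part of the original description: audit the registry
# locations W32/Hansah-A is described as modifying and report any value that
# no longer matches its stock Windows default (expected values assume an
# XP-era build; adjust the patterns for your build).
$Checks = @(
    # Winlogon: the worm appends sitta.exe to Shell and replaces Userinit.
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell';    Expected = '^explorer\.exe$' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Userinit'; Expected = '^[a-z]:\\windows\\system32\\userinit\.exe,?$' }
    # .reg files are retargeted to txtfile so they open in Notepad instead of importing.
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.reg'; Name = '(default)'; Expected = '^regfile$' }
    # Removing Type hides the "Show hidden files" option in Folder Options.
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
       Name = 'Type'; Expected = '^checkbox$' }
)
# shell\open\command for the five hijacked types. Normal data is "%1" %*
# ("%1" /S for scrfile); any executable placed ahead of %1 is a hijack.
foreach ($type in 'batfile', 'comfile', 'exefile', 'piffile') {
    $Checks += @{ Key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
                  Name = '(default)'; Expected = '^"%1" %\*$' }
}
$Checks += @{ Key = 'Registry::HKEY_CLASSES_ROOT\scrfile\shell\open\command'
              Name = '(default)'; Expected = '^"%1" /S$' }

function Test-HansahPersistence {
    $findings = @(foreach ($c in $Checks) {
        try   { $actual = Get-ItemPropertyValue -Path $c.Key -Name $c.Name -ErrorAction Stop }
        catch { $actual = '<missing>' }
        if ($actual -notmatch $c.Expected) {
            [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Actual = $actual; Expected = $c.Expected }
        }
    })
    # Run-key value names the description attributes to the worm.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'Media Adapter', 'sittachasnahalbasya') {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{ Key = $runKey; Name = $name; Actual = $run.$name; Expected = '<absent>' }
        }
    }
    return $findings
}

Test-HansahPersistence | Format-Table -AutoSize
```

The HKCU Explorer\Advanced values (Hidden, HideFileExt, ShowSuperHidden) are not checked because the data the worm writes matches the Windows defaults, so on their own they do not distinguish an infected host.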
W32/Hansah-A attempts to periodically copy itself to removable drives, including floppy drives and USB keys, under some of the following names:
Data Administrator_pdf_files.exe
Extract_Skin_Winamp.exe
Install_Deep_Sea_Screensaver.exe
Install_winamp_full5.25_pro.exe
Lirik & chord.exe
miyabi_new_face_chunk_19.3gp.exe
[FileCargo[19].com] DPR-RI_Zaini Yahya.3gp.exe
AV.Fuck.exe
avg72free_435a 19.exe
<_Recycled>19 _Recycled.exe
<_Recycled>Administrator _Recycled.3gp.exe
<_Recycled>\Administrator.exe