W32/Ahker-C

Category: Viruses and spyware
Type: Win32 worm
Prevalence:


W32/Ahker-C is a mass-mailing worm which spreads by sending a copy of itself to addresses found in the Outlook address book.

W32/Ahker-C downloads a ZIP archive copy of itself to C:\ParisXXX.zip and sends it in an email which arrives with the following characteristics:

Subject line: Paris Hilton...download it!

Message body:
Hey man..Download it...I never saw paris gettin' fucked this way!
Ohhhh man! you better watch the first 23 mins of this clip!

Attached file: ParisXXX.zip

W32/Ahker-C copies itself as msahker.exe to the Startup and Windows folders.

W32/Ahker-C writes the following lines to the HOSTS file to deny access to certain websites:

127.0.0.1 www.astalavista.com
127.0.0.1 www.cnn.com
127.0.0.1 www.coderheaven.com
127.0.0.1 www.cyber-underground.net
127.0.0.1 www.fbi.gov
127.0.0.1 www.gamerevolution.com
127.0.0.1 www.geocities.com
127.0.0.1 www.google.com
127.0.0.1 www.hackers.com
127.0.0.1 www.hotmail.com
127.0.0.1 www.idm.net.lb
127.0.0.1 www.library.2ya.com
127.0.0.1 www.liveupdate.symantecliveupdate.com
127.0.0.1 www.messenger.msn.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.norton.com
127.0.0.1 www.rohitab.com
127.0.0.1 www.symantec.com
127.0.0.1 www.windowsupdate.microsoft.com
127.0.0.1 www.worldsex.com
127.0.0.1 www.wwe.com
127.0.0.1 www.yahoo.com

W32/Ahker-C creates the text file c:\Norton AntiVirus.txt. This file is harmless and can be deleted.

W32/Ahker-C sets the following registry entries (key, followed by value name = data):

HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
    DisableSR = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoRun = 1
    DisallowRun = 1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    1 = regedit.exe
    2 = notepad.exe
    3 = wordpad.exe
    4 = write.exe
    5 = wuauclt.exe
    6 = wupdmgr.exe
    7 = %Program Files%\MSN Messenger\msnmsgr.exe
    8 = %Program Files%\Symantec\Liveupdate\LUALL.exe
    9 = %Program Files%\Symantec\Liveupdate\AUPDATE.exe
    10 = %Program Files%\Symantec\Liveupdate\ALUNOTIFY.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr = 1
    DisableRegistryTools = 1

HKCU\Software\Microsoft\security center
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1

HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 1

HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate = 1
    AUOptions = 1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
    msahker.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runservices-
    Ahker Service = msahker.exe

HKLM\SOFTWARE\Microsoft\security center
    FirewallDisableNotify = 1
    UpdatesDisableNotify = 1
    AntiVirusDisableNotify = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    EnableFirewall = 1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
    EnableFirewall = 1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions = 1
    NoAutoUpdate = 1

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
    ComputerName = Agent Hacker

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
    ComputerName = Agent Hacker

HKLM\SOFTWARE\Classes\txtfile\shell\open\command
    msahker.exe %1

W32/Ahker-C will attempt to initiate a system reboot every few minutes. The worm will also append the following text to the file %WINDOWS%\system32\hal.dll

"Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi)"
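As an added triage example (not part of the original description), the following Python code checks the two artifact types listed above on an exported basis: a HOSTS file for hostnames redirected to 127.0.0.1, and a `reg export` (.reg) text of the policy keys for the value names the worm sets. The sample HOSTS and .reg excerpts are constructed to mirror the entries above; the watch list of value names is taken from the description.

```python
import re

# Constructed HOSTS excerpt mirroring the redirections above (not a real capture).
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1 www.windowsupdate.microsoft.com
127.0.0.1 www.symantec.com   # appended by the worm
"""

# Constructed `reg export` (.reg) excerpt of the policy keys the worm modifies.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="regedit.exe"
"5"="wuauclt.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""

# Value names from the description above; any of them set to 1 is an indicator.
WATCHED_VALUES = {"DisableSR", "NoRun", "DisallowRun", "DisableTaskMgr", "DisableRegistryTools",
                  "FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify", "NoAutoUpdate"}

def loopback_redirects(hosts_text: str) -> list[str]:
    """Hostnames mapped to 127.0.0.1 other than localhost; '#' comments are ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            hits += [h for h in fields[1:] if h.lower() != "localhost"]
    return hits

def parse_reg(reg_text: str) -> dict[str, dict[str, str]]:
    """Minimal .reg parser: {key: {value_name: data}} for string and dword values."""
    tree, key = {}, None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree[key] = {}
        elif key and (m := re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"([^"]*)")', line)):
            tree[key][m.group(1)] = str(int(m.group(2), 16)) if m.group(2) else m.group(3)
    return tree

def policy_indicators(reg_text: str) -> list[tuple[str, str, str]]:
    """(key, name, data) for watched policy values set to 1 and every DisallowRun entry."""
    found = []
    for key, values in parse_reg(reg_text).items():
        for name, data in values.items():
            if (name in WATCHED_VALUES and data == "1") or key.endswith("\\DisallowRun"):
                found.append((key, name, data))
    return found
```

Run `loopback_redirects` over the live `%WINDOWS%\system32\drivers\etc\hosts` and `policy_indicators` over a `reg export` of the HKCU and HKLM policy keys to triage a suspect machine; an empty result from both is a good sign, while a DisallowRun list naming regedit.exe or wuauclt.exe matches this worm's policy changes.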
