Sophos

W32/Ahker-C

Aliases
  • Email-Worm.Win32.Anker.c
  • WORM_AHKER.C
How it spreads
  • Email attachments
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since 21 February 2005 09:19:04 (GMT)
Detected by: All Sophos products
More Information

W32/Ahker-C is a mass-mailing worm which spreads by sending a copy of itself to addresses found in the Outlook address book.

W32/Ahker-C writes a ZIP archive copy of itself to C:\ParisXXX.zip and sends it as an attachment in an email with the following characteristics:

Subject line: Paris Hilton...download it!

Message body:
Hey man..Download it...I never saw paris gettin' fucked this way!
Ohhhh man! you better watch the first 23 mins of this clip!

Attached file: ParisXXX.zip

W32/Ahker-C copies itself as msahker.exe to the Startup and Windows folders.

W32/Ahker-C writes the following lines to the HOSTS file so that the listed websites resolve to the local machine and can no longer be reached:

127.0.0.1 www.astalavista.com
127.0.0.1 www.cnn.com
127.0.0.1 www.coderheaven.com
127.0.0.1 www.cyber-underground.net
127.0.0.1 www.fbi.gov
127.0.0.1 www.gamerevolution.com
127.0.0.1 www.geocities.com
127.0.0.1 www.google.com
127.0.0.1 www.hackers.com
127.0.0.1 www.hotmail.com
127.0.0.1 www.idm.net.lb
127.0.0.1 www.library.2ya.com
127.0.0.1 www.liveupdate.symantecliveupdate.com
127.0.0.1 www.messenger.msn.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.msn.com
127.0.0.1 www.norton.com
127.0.0.1 www.rohitab.com
127.0.0.1 www.symantec.com
127.0.0.1 www.windowsupdate.microsoft.com
127.0.0.1 www.worldsex.com
127.0.0.1 www.wwe.com
127.0.0.1 www.yahoo.com
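The HOSTS tampering above is easy to check for on a suspect machine. The following script is an added example, not part of the Sophos analysis: it parses a HOSTS file and separates loopback-mapped hostnames into the update/AV sites named in this analysis and everything else. The SENSITIVE_HOSTS set and the sample file contents are constructed for the example.

```python
# Added example, not from the Sophos analysis: audit a Windows HOSTS file for hostnames
# pointed at loopback, the technique W32/Ahker-C uses to cut off AV and update traffic.

# Hostnames whose loopback redirection is a strong tampering signal; these are the
# update/AV sites from the analysis, extend the set for your own vendors.
SENSITIVE_HOSTS = {
    "www.liveupdate.symantecliveupdate.com",
    "www.windowsupdate.microsoft.com",
    "www.symantec.com",
    "www.norton.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, one per hostname, with comments stripped."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs

def find_sinkholed(text):
    """Split loopback-mapped names (other than localhost) into (sensitive, other)."""
    sensitive, other = [], []
    for ip, name in parse_hosts(text):
        if ip in LOOPBACK and name not in LOCAL_NAMES:
            (sensitive if name in SENSITIVE_HOSTS else other).append(name)
    return sensitive, other

# Constructed sample: the stock localhost line plus entries in the style the worm writes.
SAMPLE = """# stock header comment
127.0.0.1       localhost
127.0.0.1 www.liveupdate.symantecliveupdate.com
127.0.0.1 www.windowsupdate.microsoft.com   # trailing comment
127.0.0.1 www.wwe.com
"""

if __name__ == "__main__":
    sensitive, other = find_sinkholed(SAMPLE)
    print("update/AV sites sinkholed:", sensitive)
    print("other sinkholed names:", other)
```

On a live system, read %WINDOWS%\system32\drivers\etc\hosts and pass its contents to find_sinkholed; any non-empty result on a machine with no intentional overrides warrants a closer look.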

W32/Ahker-C creates the text file c:\Norton AntiVirus.txt. This file is harmless and can be deleted.

W32/Ahker-C sets the following registry entries (each shown as key, value name where applicable, and data):

HKCU\Software\Microsoft\Windows NT\CurrentVersion\systemrestore
DisableSR
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisallowRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
1
regedit.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
2
notepad.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
3
wordpad.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
4
write.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
5
wuauclt.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
6
wupdmgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
7
%Program Files%\MSN Messenger\msnmsgr.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
8
%Program Files%\Symantec\Liveupdate\LUALL.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
9
%Program Files%\Symantec\Liveupdate\AUPDATE.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
10
%Program Files%\Symantec\Liveupdate\ALUNOTIFY.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\security center
FirewallDisableNotify
1

HKCU\Software\Microsoft\security center
UpdatesDisableNotify
1

HKCU\Software\Microsoft\security center
AntiVirusDisableNotify
1

HKCU\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
1

HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
msahker.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runservices-
Ahker Service
msahker.exe

HKLM\SOFTWARE\Microsoft\security center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\security center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\security center
AntiVirusDisableNotify
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog
ComputerName
Agent Hacker

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
ComputerName
Agent Hacker

HKLM\SOFTWARE\Classes\txtfile\shell\open\command
msahker.exe %1
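Most of the entries above are policy values that lock the user out of Task Manager, Registry Editor and Windows Update, so checking for them is a quick triage step. The script below is an added example, not from the Sophos analysis: it parses a .reg export (regedit's text format) and reports which of the analysis's lockdown values are present, plus the programs listed under the Explorer DisallowRun policy. The INDICATORS list uses paths from the analysis; the sample export is constructed.

```python
# Added example, not from the Sophos analysis: parse a .reg export and report which of
# the policy values W32/Ahker-C sets are present. Paths and names are from the analysis.
import re
# (key, value name, expected data); a None name means the key's default value.
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "DisallowRun", 1),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command", None, "msahker.exe %1"),
]
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')

def parse_reg(text):
    """Return {(key_lowercased, value_name): data}; dword data -> int, strings unquoted."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1).lower()
        elif (m := VAL_RE.match(line)) and key is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            entries[(key, name)] = data
    return entries

def find_lockdown(text):
    """(key, value name) indicators whose data matches the export."""
    entries = parse_reg(text)
    return [(k, n) for k, n, want in INDICATORS if entries.get((k.lower(), n)) == want]

def disallowed_programs(text):
    """Programs blocked by the Explorer DisallowRun policy (the worm lists AV/update tools)."""
    return sorted(v for (k, _), v in parse_reg(text).items()
                  if k.endswith(r"\policies\explorer\disallowrun"))

# Constructed sample export (not from a real infected system).
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"5"="wuauclt.exe"
"8"="%Program Files%\\Symantec\\Liveupdate\\LUALL.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command]
@="msahker.exe %1"
"""
```

Export the relevant hives with `reg export` and run find_lockdown and disallowed_programs over the file; a txtfile default value that names an executable other than notepad is by itself a sign that text-file handling has been hijacked.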

W32/Ahker-C will attempt to initiate a system reboot every few minutes. The worm will also append the following text to the file %WINDOWS%\system32\hal.dll:

"Genes don't contain any record of humain history, you'll NEVER catch me!(Agent Hacker - Bazzi)"
