Sophos

W32/Holar-I

Aliases
  • I-Worm.Hawawi.g
  • Win32/Holar.I
  • W32/Holar.l@MM
  • W32.Galil.C@mm
  • WORM_HAWAWI.F

Summary

Protection available since 29 October 2003 12:03:20 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Delete the file smtp.ocx if it is unwanted.

You should also check your Internet Explorer settings using Tools|Internet options|General for any modifications made by the worm.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Explore= <Drive letter>:\%system%\explore.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Holar-I is an internet worm which spreads via file sharing on peer-to-peer networks and by emailing itself to addresses found on the local computer in such places as the Outlook address book and TXT, HTML, HTM and EML files.

The worm may arrive in an email using one of the following subject lines:
Fw:
Re:
Check this out ;)
Enjoy!
This is all i can send
Have Fun :)
You gonna love it
Here is what u wanted
:)
Wait for more :)
looool
Take a look
Never mind !
Attatchments
See the attatched file
gift :)
Surprise!
save it for hard times
Happy Times :)
Useful
Very funny
Try it
you have to see this!
emazing!

The name of the attached file will be that of the executing worm.

W32/Holar-I searches the registry for the path to the KaZaA share folder and will copy itself to that location with a PIF, EXE, COM, BAT or SCR extension. An example would be:
<Drive letter>:\Program Files\KaZaA\My Shared Folder\Kazaa.bat

W32/Holar-I also copies itself to the Windows system folder under the filename of the executed worm with a .SYS extension. It additionally creates explore.exe, smtp.ocx and a.pif (the last of these may instead carry an EXE, BAT, SCR or COM extension) in the Windows system folder, and may copy these files to the Windows temp folder as well.

The file smtp.ocx is a legitimate software component, so it is not detected as malicious.

The following registry entry is created to ensure the worm is activated at system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explore
= <Drive letter>:\%system%\explore.exe

The default Internet Explorer start page registry entry is changed to:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
= http://www.geocities.com/yori_mrakkadi

The following registry entries are added for the purposes of infection marker and payload timing respectively:

HKLM\Software\Microsoft\Windows\a
HKCU\DeathTime

The registry entry HKCU\DeathTime stores a counter of the number of times W32/Holar-I has been run. When the value of this registry entry reaches 30, the computer will stop responding to input and the following message will be displayed over the entire screen in red on a black background:

"! have noth!na say bam st!ll ZaCker !"

Once the counter has reached 30, this happens almost immediately every time the computer starts up, until the worm is removed.
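The manual removal steps under Action and the registry entries and dropped files described above can be checked on a host with the following PowerShell audit script. This is an added example, not a Sophos tool or part of the original write-up. It is read-only unless -Remove is passed, and it makes two assumptions that the write-up leaves open: HKLM\Software\Microsoft\Windows\a and HKCU\DeathTime are checked both as a value and as a subkey, because the text does not say which they are, and the KaZaA share folder is taken from the -KazaaShare parameter (defaulting to the example path in the text) rather than from the registry key the worm reads, since that key is not named here.

```powershell
# Added W32/Holar-I indicator audit (example code, not Sophos's own).
# Read-only by default; -Remove deletes the Run value and resets the IE
# start page. Files are only reported, never deleted: smtp.ocx is legitimate
# and a.pif/explore.exe should be handled by the AV product or by hand.
[CmdletBinding()]
param(
    [switch]$Remove,
    # Assumption: share folder path given explicitly (write-up's example path).
    [string]$KazaaShare = "$env:ProgramFiles\KaZaA\My Shared Folder"
)

$findings = @()
$sys = [Environment]::GetFolderPath('System')   # %system%, e.g. C:\WINDOWS\system32
$tmp = $env:TEMP

# 1. Startup persistence: Run\Explore = <drive>:\%system%\explore.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name Explore -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value 'Explore' present: $($run.Explore)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name Explore }
}

# 2. Hijacked Internet Explorer start page
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$sp = (Get-ItemProperty -Path $ieKey -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($sp -like '*geocities.com/yori_mrakkadi*') {
    $findings += "IE Start Page hijacked: $sp"
    if ($Remove) { Set-ItemProperty -Path $ieKey -Name 'Start Page' -Value 'about:blank' }
}

# 3. Infection marker and payload counter. Assumption: each may be a value
#    or a subkey, so both forms are checked. DeathTime counts runs; the
#    lock-out payload fires when it reaches 30.
$markers = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows'; Name = 'a' },
    @{ Key = 'HKCU:\';                           Name = 'DeathTime' }
)
foreach ($m in $markers) {
    $asValue = Get-ItemProperty -Path $m.Key -Name $m.Name -ErrorAction SilentlyContinue
    $asKey   = Test-Path -Path (Join-Path $m.Key $m.Name)
    if ($asValue) {
        $findings += "Registry value $($m.Key)\$($m.Name) = $($asValue.($m.Name))"
    } elseif ($asKey) {
        $findings += "Registry key $($m.Key)\$($m.Name) exists"
    }
}

# 4. Dropped files in the system and temp folders (a.pif may use another extension).
$dropNames = @('explore.exe', 'smtp.ocx', 'a.pif', 'a.exe', 'a.bat', 'a.scr', 'a.com')
foreach ($dir in @($sys, $tmp)) {
    foreach ($n in $dropNames) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "File $p  SHA256=$h"
        }
    }
}

# 5. Executables dropped into the KaZaA share folder for P2P spreading.
if (Test-Path -LiteralPath $KazaaShare) {
    Get-ChildItem -LiteralPath $KazaaShare -File -Recurse -Include *.pif,*.exe,*.com,*.bat,*.scr |
        ForEach-Object { $findings += "Share-folder executable: $($_.FullName) ($($_.Length) bytes)" }
}

if ($findings.Count -eq 0) { 'No W32/Holar-I indicators found.' } else { $findings }
```

Run it from an elevated prompt (the Run key lives under HKLM) and review the file findings before deleting anything: the SHA256 of explore.exe or a.pif can be compared against your AV vendor's detection, while smtp.ocx should be left in place unless it is genuinely unwanted, as the Action section says.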
