Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | May 2006 (4.05) |
| Protection available since | 6 March 2006 21:59:10 (GMT) |
| Last updated | 27 March 2006 05:02:13 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Hilder-A is a mass-mailing worm for the Windows platform.
W32/Hilder-A will attempt to run its own VBScript code in order to email itself to other computers using Microsoft Outlook if it is installed. W32/Hilder-A sends emails to addresses found in the Outlook address book with the subject line "GEIL!" and message text "Heisse Bilder im Anhang!".
W32/Hilder-A also includes functionality to access the internet and communicate with a remote server via HTTP.
W32/Hilder-A is a hybrid worm comprising sections written in assembly, batch scripting language, and VBScript. Despite its EXE extension it is executed as a 16-bit COM executable.
When first run, W32/Hilder-A copies itself to the following locations (if available):
<user>\STARTM~1\progra~1\autost~1\wind0ws.exe
<Windows folder>\WINSECURITY\CSRSS.EXE
<Windows folder>\WINSECURITY\SERVICES.EXE
<Windows folder>\WINSECURITY\SMSS.EXE
<Windows folder>\WINSECURITY\SOCKET1.IFO
<Windows folder>\WINSECURITY\SOCKET2.IFO
<Windows folder>\WINSECURITY\SOCKET3.IFO
G:\wichtig.exe
A:\wichtig.exe
C:\FUUU.exe
C:\FU.exe
C:\me.exe
C:\by.exe
C:\u were infected.exe
<Windows folder>\INF3CTED.EXE
<Windows folder>\NET5KY.EXE
<Windows folder>\SA55ER.EXE
<Windows folder>\MYD00M.EXE
C:\Dokumente und Einstellungen\All Users\Dokumente\funny.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\unbelieveable.exe
<Windows folder>\TEMP\FU0001.TMP
<Windows folder>\TEMP\FU0002.TMP
C:\hiberfile.sys
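
The copy locations listed above can be checked against a file inventory exported from a host. The following Python sketch is an added example, not Sophos code; the `C:\WINDOWS` default for `<Windows folder>`, the name-only match for the `<user>` start-up copy, and the sample inventory are assumptions made for illustration.

```python
import ntpath

# Paths copied from the description; <Windows folder> is resolved at scan time.
UNDER_WINDIR = [
    r"WINSECURITY\CSRSS.EXE", r"WINSECURITY\SERVICES.EXE", r"WINSECURITY\SMSS.EXE",
    r"WINSECURITY\SOCKET1.IFO", r"WINSECURITY\SOCKET2.IFO", r"WINSECURITY\SOCKET3.IFO",
    r"INF3CTED.EXE", r"NET5KY.EXE", r"SA55ER.EXE", r"MYD00M.EXE",
    r"TEMP\FU0001.TMP", r"TEMP\FU0002.TMP",
]
ABSOLUTE = [
    r"G:\wichtig.exe", r"A:\wichtig.exe", r"C:\FUUU.exe", r"C:\FU.exe",
    r"C:\me.exe", r"C:\by.exe", r"C:\u were infected.exe",
    r"C:\Dokumente und Einstellungen\All Users\Dokumente\funny.exe",
    r"C:\Dokumente und Einstellungen\All Users\Dokumente\unbelieveable.exe",
    r"C:\hiberfile.sys",
]
# The start-up copy sits under <user>, which varies, so match its file name only.
STARTUP_NAME = "wind0ws.exe"


def norm(path):
    """Windows paths are case-insensitive; normalise case, slashes and '..'."""
    return ntpath.normcase(ntpath.normpath(path))


def scan(paths, windir=r"C:\WINDOWS"):
    """Return (path, reason) for every listed file that matches a copy location."""
    exact = {norm(p) for p in ABSOLUTE}
    exact |= {norm(ntpath.join(windir, rel)) for rel in UNDER_WINDIR}
    hits = []
    for p in paths:
        n = norm(p)
        if n in exact:
            hits.append((p, "copy location"))
        elif ntpath.basename(n) == STARTUP_NAME:
            hits.append((p, "startup copy name"))
    return hits


# Constructed file inventory (not from a real host).
SAMPLE = [
    r"C:\WINDOWS\system32\csrss.exe",       # genuine system file, must not match
    r"c:\windows\winsecurity\csrss.exe",    # same name in the worm's folder
    r"C:/WINDOWS/Temp/fu0001.tmp",          # forward slashes, different case
    r"C:\hiberfil.sys",                     # genuine hibernation file, not hiberfile.sys
    r"C:\Dokumente und Einstellungen\Anna\STARTM~1\progra~1\autost~1\WIND0WS.EXE",
    r"C:\me.exe",
]
```

Matching on the full path rather than the file name alone keeps the genuine `csrss.exe`, `services.exe` and `smss.exe` in `system32` from being reported.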
W32/Hilder-A will also attempt to delete files from the following locations in order to disable anti-virus protection:
C:\programme\mcafee\*.*
C:\programme\symantec\*.*
This attempt is specifically aimed at the German version of Windows.
