W32/Harwig-B

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Harwig-B is a worm for the Windows platform.

W32/Harwig-B opens MSN Messenger and sends one of the following three messages to any contacts:

man this is sick, check this shit, lol :P <URL>

Here u go: http://...

well? ;)

<URL> points to an executable file. At the time of writing, this URL was unavailable. The file may be another copy of W32/Harwig-B.

If W32/Harwig-B cannot find a copy of MSN Messenger on the infected computer, it will copy itself to <Windows>\abcdefg.exe.

The following registry entry is created to run abcdefg.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<Windows>\abcdefg.exe

W32/Harwig-B includes functionality to change security settings and modify the HOSTS file.

The following registry entry is set, affecting internet security:

HKLM\SYSTEM\Controlset001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

W32/Harwig-B modifies the HOSTS file, changing the URL-to-IP mappings for selected websites and thereby preventing normal access to these sites. The new HOSTS file will typically contain the following:

127.0.0.1 messenger.hotmail.com
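
A triage check for the HOSTS modification described above, as an added example that is not part of the original description: it parses HOSTS file text and reports every non-local hostname pinned to a loopback or unspecified address. The function names and the sample file contents are constructed for illustration; only the `127.0.0.1 messenger.hotmail.com` entry comes from this page.

```python
import ipaddress

# Names that legitimately resolve to loopback in a default HOSTS file.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def is_sinkhole(addr: str) -> bool:
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # first field is not an IP address: not a valid mapping
    return ip.is_loopback or ip.is_unspecified


def find_redirected_hosts(hosts_text: str):
    """Return (line_no, address, hostname) for each non-local name mapped to a sinkhole."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        fields = entry.split()
        if len(fields) < 2:
            continue  # blank, comment-only, or malformed line
        addr, names = fields[0], fields[1:]
        if not is_sinkhole(addr):
            continue
        for name in names:  # one line may map several names to the same address
            name = name.lower().rstrip(".")
            if name not in BENIGN_NAMES:
                findings.append((line_no, addr, name))
    return findings


# Constructed sample HOSTS content; line 5 is the entry listed in this description.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example   # ordinary static mapping
127.0.0.1 messenger.hotmail.com
0.0.0.0  Updates.Example.  av.example # two names on one line
"""

if __name__ == "__main__":
    for line_no, addr, name in find_redirected_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On Windows the file to feed in is normally `%SystemRoot%\System32\drivers\etc\hosts`; a hit is a lead to investigate, since some ad-blocking tools also write loopback entries.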