W32/Harwig-B is a worm for the Windows platform.
W32/Harwig-B opens MSN Messenger and sends one of the following three messages to any contacts:
man this is sick, check this shit, lol :P <URL>
Here u go: http://...
well? ;)
<URL> points to an executable file. At the time of writing, this URL was unavailable. The file may be another copy of W32/Harwig-B.
If W32/Harwig-B cannot find a copy of MSN Messenger on the infected computer, it will copy itself to <Windows>\abcdefg.exe.
The following registry entry is created to run abcdefg.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<Windows>\abcdefg.exe
W32/Harwig-B includes functionality to change security settings and modify the HOSTS file.
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\Controlset001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
W32/Harwig-B modifies the HOSTS file, changing the URL-to-IP mappings for selected websites, therefore preventing normal access to these sites. The new HOSTS file will typically contain the following:
127.0.0.1 messenger.hotmail.com
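
The HOSTS change described above can be checked for during triage. The following is an added example, not part of the original description: it parses HOSTS file text and reports any hostname other than the usual localhost aliases that is mapped to a loopback or unspecified address, which generalises the single 127.0.0.1 entry shown above. The function names, the allow-list and the sample file contents are constructed for illustration.

```python
import ipaddress

# Names that legitimately resolve to loopback in a stock HOSTS file (assumed allow-list).
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                         "ip6-localhost", "ip6-loopback"}


def is_sinkhole(address: str) -> bool:
    """True for loopback or unspecified addresses (127.0.0.0/8, ::1, 0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed first field: not an address, so not a mapping
    return ip.is_loopback or ip.is_unspecified


def find_blocked_hosts(hosts_text: str):
    """Return (line_number, address, hostname) for each name pinned to a sinkhole address."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]  # one address may carry several names
        if not is_sinkhole(address):
            continue
        for name in names:
            if name.lower().rstrip(".") not in BENIGN_LOOPBACK_NAMES:
                findings.append((lineno, address, name.lower()))
    return findings


# Constructed sample: a default-looking HOSTS file plus the entry from this description
# and two invented entries to exercise the parser.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 messenger.hotmail.com
10.0.0.5        fileserver.corp.example   # internal share
0.0.0.0 updates.example.com www.example.com
"""

if __name__ == "__main__":
    for lineno, address, name in find_blocked_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {address}")
```
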