Friday, December 7, 2007

W32/Xiaoho.worm

Risk Assessment
- Home Users: Low-Profiled
- Corporate Users: Low-Profiled
Origin: N/A
Length: Varies
Type: Virus
SubType: Worm

Virus Characteristics

This detection covers a worm that copies itself to removable drives. It renders infected systems unusable by overwriting .exe files, which also changes their icons to the Chinese character HAO.

Upon execution, the worm drops a copy of itself into the Windows System folder:

* %SysDir%\exloroe.exe

The worm registers itself as an Active Setup component, so that its StubPath is executed at logon:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\: "系统设置" (Chinese for "System Settings"; the original listing shows this value mis-encoded)
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}\stubpath: "%SystemRoot%\system32\exloroe.exe"
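Active Setup is an uncommon persistence location, and the worm's entry gives itself away twice: the component name is not a well-formed GUID, and the StubPath launches a loose executable rather than one of the installer stubs Windows normally registers there. The script below is an added example (not McAfee's code and not part of the original writeup) that audits a `reg export` of the Installed Components key for exactly those two signs. The .reg text is constructed, the "known stubs" allowlist is an assumption to be rebuilt from a clean machine of the same build, and the legitimate-looking entry is included only for contrast.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"`:
# one legitimate-looking Windows component plus the worm's entry as listed above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
@="Windows Desktop Update"
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H9I12RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}]
@="系统设置"
"StubPath"="%SystemRoot%\\system32\\exloroe.exe"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# Programs that normally appear as Active Setup stubs on a stock Windows install.
# This allowlist is an assumption: build it from a known-clean machine of the same build.
KNOWN_STUBS = {'regsvr32.exe', 'rundll32.exe', 'ie4uinit.exe', 'unregmp2.exe'}


def reg_unquote(raw: str) -> str:
    """Decode a .reg string literal (double-quoted, backslash-escaped); other value types are returned as-is."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path: {value name: value}}, with '@' for the default value."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else '@'
            current[name] = reg_unquote(m.group(2))
    return keys


def stub_program(stub_path: str) -> str:
    """Basename of the program a StubPath command line launches (handles quoted paths with spaces)."""
    cmd = stub_path.strip()
    prog = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return prog.rsplit('\\', 1)[-1].lower()


def audit_active_setup(reg_text: str) -> List[Tuple[str, List[str]]]:
    """Return (component, reasons) for Installed Components entries that look planted."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        if 'Active Setup\\Installed Components\\' not in path:
            continue
        component = path.rsplit('\\', 1)[-1]
        reasons = []
        if not GUID_RE.match(component):
            reasons.append('component name is not a well-formed GUID')
        stub = values.get('StubPath', '')
        if stub and stub_program(stub) not in KNOWN_STUBS:
            reasons.append('unexpected stub program ' + stub_program(stub))
        if reasons:
            findings.append((component, reasons))
    return findings


if __name__ == '__main__':
    for component, reasons in audit_active_setup(SAMPLE_REG):
        print(component, '->', '; '.join(reasons))
```

Run it against a real export from a suspect machine; anything flagged for a malformed GUID is almost certainly hand-written, while an unexpected stub program should be checked against a clean baseline before it is treated as malicious.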

It spreads by dropping autorun.inf and xiaohao.exe onto removable drives and marking both files hidden.
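To triage a drive that may have been used on an infected machine, the useful question is what its autorun.inf would launch and whether that target is a hidden executable sitting on the drive itself. The following is an added example (not McAfee's code, and the autorun.inf content is illustrative rather than the worm's real file) that parses the INI-style autorun.inf, collects the launch targets from `open=`, `shellexecute=` and `shell\<verb>\command=`, and reports any target that exists on the drive with the hidden attribute set. The mock drive is built in a temporary directory, so it runs offline; the hidden-attribute check is only meaningful on Windows.

```python
import configparser
import stat
import tempfile
from pathlib import Path
from typing import Dict

LAUNCH_KEYS = ('open', 'shellexecute')


def is_hidden(p: Path) -> bool:
    """True if the file carries the Windows hidden attribute (always False on other platforms)."""
    attrs = getattr(p.stat(), 'st_file_attributes', 0)
    return bool(attrs & getattr(stat, 'FILE_ATTRIBUTE_HIDDEN', 0))


def inspect_autorun(drive_root: str) -> Dict[str, object]:
    """Report what an autorun.inf on drive_root would launch and which targets exist hidden on the drive."""
    root = Path(drive_root)
    inf = root / 'autorun.inf'
    report: Dict[str, object] = {'present': inf.exists(), 'launch_targets': [], 'hidden_targets': []}
    if not report['present']:
        return report
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower  # INI keys are case-insensitive
    cp.read_string(inf.read_text(encoding='utf-8', errors='replace'))
    section = next((s for s in cp.sections() if s.lower() == 'autorun'), None)
    if section is None:
        return report
    for key, value in cp.items(section):
        # open= / shellexecute= run where AutoRun is enabled; shell\<verb>\command= runs when the
        # drive icon is double-clicked or the verb is picked from its context menu.
        if key in LAUNCH_KEYS or (key.startswith('shell\\') and key.endswith('\\command')):
            tokens = (value or '').strip().split()
            if not tokens:
                continue
            target = tokens[0].strip('"')
            report['launch_targets'].append((key, target))
            p = root / target
            if p.exists() and is_hidden(p):
                report['hidden_targets'].append(target)
    return report


def build_sample_drive(infected: bool = True) -> str:
    """Constructed mock of a removable drive in a temp dir; the autorun.inf is illustrative, not the worm's."""
    root = Path(tempfile.mkdtemp(prefix='usb_'))
    if infected:
        (root / 'autorun.inf').write_text(
            '[autorun]\nopen=xiaohao.exe\nshell\\open\\command=xiaohao.exe\nicon=xiaohao.exe\n')
        (root / 'xiaohao.exe').write_bytes(b'MZ' + b'\x00' * 62)  # placeholder bytes, not malware
    return str(root)


if __name__ == '__main__':
    print(inspect_autorun(build_sample_drive()))
```

Point `inspect_autorun` at the mount point of the real drive; a launch target that is both present and hidden is the pattern this worm leaves, and the file should be copied off for analysis rather than opened.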

The worm infects .exe files by overwriting them or corrupting them beyond repair. This changes their icon to the Chinese character HAO. It also changes the active window title to "X14o-H4o's Virus".

The file C:\Jilu.txt is created to list all the infected files.

The worm also infects .html, .htm, .asp and other script files by inserting an iframe that references a remote URL.
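Cleaning a web root after an infection like this means finding the injected frames without ripping out legitimate ones. The code below is an added example (not McAfee's code and not part of the original writeup) that scans page text for iframes which either load from a host outside the site's own or are sized or styled to be invisible, reports them with line numbers, and strips only the flagged ones. The sample page and the `example.invalid` URL are constructed; the `own_hosts` list is the caller's assumption about which hosts are legitimate.

```python
import re
from typing import Dict, List, Sequence
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site frame and one injected, zero-size, off-site frame.
SAMPLE_PAGE = """<html><body>
<h1>Product catalogue</h1>
<iframe src="/embed/map.html" width="400" height="300"></iframe>
<p>Contact us</p>
<iframe src="http://example.invalid/x.htm" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

# group 1 is the opening tag; the optional tail swallows the content up to </iframe> so removal is clean
IFRAME_RE = re.compile(r'(<iframe\b[^>]*>)(?:.*?</iframe\s*>)?', re.I | re.S)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')


def _attrs(open_tag: str) -> Dict[str, str]:
    """Attribute name -> unquoted value for a single opening tag."""
    return {k.lower(): v.strip('\'"').strip() for k, v in ATTR_RE.findall(open_tag)}


def _reasons(attrs: Dict[str, str], own_hosts: Sequence[str]) -> List[str]:
    """Why this frame looks injected; empty list means it looks legitimate."""
    reasons = []
    host = (urlparse(attrs.get('src', '')).hostname or '').lower()
    if host and host not in [h.lower() for h in own_hosts]:
        reasons.append('loads from foreign host ' + host)
    if attrs.get('width') in ('0', '0px') or attrs.get('height') in ('0', '0px'):
        reasons.append('zero-size frame')
    style = attrs.get('style', '').replace(' ', '').lower()
    if 'display:none' in style or 'visibility:hidden' in style:
        reasons.append('hidden by style')
    return reasons


def find_suspicious_iframes(text: str, own_hosts: Sequence[str] = ()) -> List[Dict[str, object]]:
    """List iframes that point off-site or are sized/styled to be invisible, with their line numbers."""
    found: List[Dict[str, object]] = []
    for m in IFRAME_RE.finditer(text):
        attrs = _attrs(m.group(1))
        reasons = _reasons(attrs, own_hosts)
        if reasons:
            found.append({'line': text.count('\n', 0, m.start()) + 1,
                          'src': attrs.get('src', ''), 'reasons': reasons})
    return found


def remove_injected_iframes(text: str, own_hosts: Sequence[str] = ()) -> str:
    """Strip only the iframes find_suspicious_iframes would flag; other frames are left intact."""
    return IFRAME_RE.sub(lambda m: '' if _reasons(_attrs(m.group(1)), own_hosts) else m.group(0), text)


if __name__ == '__main__':
    for hit in find_suspicious_iframes(SAMPLE_PAGE, own_hosts=('www.example.com',)):
        print(hit)
```

Walk the web root with this over every .html, .htm and .asp file, review the findings before rewriting anything, and treat the foreign host in each hit as an indicator to block at the proxy while the files are being cleaned.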

It also sets the system date to Jan 17, 2005 in an attempt to disable antivirus programs.

Indications of Infection

* The infected files' icons change to be the Chinese character HAO.
* Active windows have their title changed to "X14o-H4o's Virus" (the original listing renders the apostrophe as ',27h,', i.e. the 0x27 byte)

Method of Infection
This worm may arrive via a malicious link, or it may spread by its intended method, infected removable drives.
Removal Instructions

All Users:

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Aliases
Virus.Win32.Agent.ai, Virus.Win32.Agent.o, W32.Hauxi, W32/Hoaix-A, W32/XiaoHao.A
