Installation
When executed, the worm copies itself to the following locations:
Documents and Settings\All Users\Application Data\hidn\hldrrr.exe
Documents and Settings\All Users\Application Data\hidn\hidn2.exe
In order to be executed on every system start, the worm sets the following Registry entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drv_st_key
The entry contains the path to the worm executable. The following Registry entry is deleted:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
The following text is displayed in Notepad:
Text decoding error.
Spreading via e-mail
E-mail addresses for further spreading are searched for in local files with one of the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
eml
htm
jsp
mbx
mdx
mht
msg
nch
nmf
ods
oft
php
pl
sht
shtm
stm
tbb
txt
uin
wab
wsh
xls
xml
Addresses containing the following strings are avoided:
..
.@
@.
@avp.
@foo
@iana
abuse
admin
anyone@
bsd
bugs@
cafee
certific
contract@
f-secur
feste
free-av
gold-certs@
help@
icrosoft
info@
kasp
linux
listserv
local
news
nobody@
noone@
noreply
ntivi
panda
pgp
postmaster@
rating@
root@
samples
sopho
spam
support
unix
update
winrar
winzip
The worm can fetch some addresses from the Internet or generate random ones. The subject of the message is one of the following:
pric
price
price_
price-
The attachment is a ZIP archive containing an executable of the worm. The name of the attachment is one of the following:
latest_price
new_price
price
The name of the executable inside is random.
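The mail traits listed above can be combined into a gateway-side check. The following is an added example, not part of the original description: it flags a message only when the subject, the attachment name and the archive content all match. Case-insensitive matching, the function names and the sample message are assumptions made for illustration.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Values from the description above; case-insensitive matching is an assumption.
SUBJECTS = {"pric", "price", "price_", "price-"}
ATTACHMENT_STEMS = {"latest_price", "new_price", "price"}

def zip_has_pe(data: bytes) -> bool:
    """True if any archive member starts with 'MZ', the Windows executable magic."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as member:
                    if member.read(2) == b"MZ":
                        return True
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False  # unreadable or encrypted archive: cannot confirm here
    return False

def matches_worm_mail(raw: bytes) -> bool:
    """Flag a message only when subject, attachment name and content all match."""
    msg = email.message_from_bytes(raw)
    if str(msg.get("Subject") or "").strip().lower() not in SUBJECTS:
        return False
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        # The inner file name is random, so test content, not the member name.
        if name.rsplit(".", 1)[0] in ATTACHMENT_STEMS:
            if zip_has_pe(part.get_payload(decode=True) or b""):
                return True
    return False

def build_sample(subject: str, filename: str, member: bytes) -> bytes:
    """Constructed test message; the archive member is inert bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a1b2c3.exe", member)
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(matches_worm_mail(build_sample("price", "new_price.zip", b"MZ\x90\x00inert")))
```

The subject strings are ordinary words, so the subject test alone would match legitimate mail; requiring the named ZIP attachment with an executable inside keeps the rule narrow.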
Other information
The worm contains a list of 60 URLs. It tries to download several files from these addresses. The files are then executed.
