WORM_HOBBIT.A

Malware type: Worm

Aliases: Email-Worm.Win32.Alcaul.ac (Kaspersky), W32/Hobbit.a@MM (McAfee), W32.Hobble.F@mm (Symantec), Worm/Alcaul.AC (Avira), W32/Hobbit-B (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 

This worm propagates via the KaZaA file sharing network. It also attempts to propagate via email; however, due to several bugs in its code, it fails to execute its mass-mailing routine. This worm does not have a destructive payload, but it drops several files on the system.

Description created: Oct. 12, 2002 9:16:21 PM GMT -0800
Description updated: Oct. 12, 2002 11:40:40 PM GMT -0800


TECHNICAL DETAILS


Size of malware: 18,432 Bytes

Initial samples received on: Oct 7, 2002

Payload 1: Propagates via KaZaA

Trigger condition 1: Upon execution

Details:

Installation

Upon execution, this worm drops the following files in the current directory where it is executed:

  • %Filename%.SCR
  • %Filename%.PIF
  • %Filename%.EXE
  • %Filename%.BAT
  • %Filename2%.THEME
  • TEMP.THEME
  • EMAIL.TXT
  • ZIPPY.EXE

The random filename, %Filename%, is chosen from the following list:

  • Anti 0190 Dialer
  • Bearshare_Fix
  • Beyond_FF11
  • Borland Delphi 6 Key
  • Borland Delphi(all) Crack
  • Britney Spears Nude
  • Claudia_Schiffer
  • Cube Emulator
  • Edonkey_Fix
  • Email Bomber
  • Final_Fantasy10
  • Flock_Update
  • FTP Cracker
  • FullSpeed
  • Hotmail Hacker Tool
  • I-Explorer7.0
  • Jenifer Lopez Naked
  • Kaza_Fix
  • Kaza_Lite_Update_Fix
  • McAffea_KeyGen
  • Morpheus_Update_Fix
  • New_Napster_Clone
  • Pamela_Live_F**king
  • Ps2 Crack
  • Ps2 Emulator
  • Reboot
  • Shakira Nude
  • Symantec_KeyGen
  • WinMx Hack
  • WinXP_Crack
  • XBox Emulator

%Filename2%.THEME can take any of the following filenames:

  • aCe1.theme
  • AddamsFamily.theme
  • BackstreetBoys.theme
  • BritneySpearsNude.theme
  • ChristinaAguilera.theme
  • CourtneyCoxNude.theme
  • DragonballZ.theme
  • DrNo.theme
  • Goldfinger.theme
  • Hackers.theme
  • JamesBond.theme
  • kn0x.theme
  • LordoftheRings.theme
  • MichelleBranch.theme
  • NicoleKidmanF**k.theme
  • NSync.theme
  • PlayboyCenterFolds.theme
  • SamuraiX.theme
  • Shakira Nude.theme
  • Shrek.theme
  • StarWars.theme
  • TheHives.theme
  • XXX.theme

The .SCR, .EXE, and .PIF files are copies of this worm. The dropped files %Filename%.BAT, %Filename2%.THEME, and TEMP.THEME are non-malicious: each is a copy of a batch file that contains only these two lines:

@echo off
ctty nul

(CTTY NUL redirects console input and output to the NUL device, so the batch file does nothing visible when run.)

The file, EMAIL.TXT, contains email addresses that this worm collects from files in the Temporary Internet folder.

This worm also attempts to download a utility file from the URL:

http://www.mi<blocked>or.ac.uk/sites/ftp.info-zip.org/pub/infozip/WIN32/zip23xN.zip/zip.exe?extract=true

It saves this file as the dropped file, ZIPPY.EXE, in the current directory. If the download is unsuccessful, ZIPPY.EXE is still created but is left empty, with a file size of zero bytes.

This worm also drops a copy of itself in the Windows directory as kn0x.exe. It then adds the following registry entry so that this dropped copy executes at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
WinSrv = "%Windows%\kn0x.exe"

*Where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.

KaZaA Propagation

The worm checks for the presence of the following folders:

  • C:\KaZaA\My Shared Folder\
  • C:\Program Files\KaZaA\My Shared Folder\

If found, it drops at least one of the following copies of itself in the said folders:

  • All GamesHack.exe
  • Credit Cards.exe
  • HotMailHack.exe
  • ICQ Password Hack.exe
  • Macromedia Flash MX.exe
  • Swat 3 Full Download.exe
  • Tacony.exe
  • Unreal Tournament 3 FullDownloader.exe
  • WarCraft III Full.exe
  • WIN XPCrack.exe

This worm also assigns the filename for its email attachment from the above list.

Email Propagation

This worm uses its own SMTP engine and looks up the default SMTP server configured on the infected machine. It tries to send email to the addresses it has logged in the file EMAIL.TXT. The email it was designed to send has the following characteristics:

Subject: RE:
Message Body: files for you - from <Infected user's name>
Attachment: <dropped copy of this worm>

However, due to several bugs in its code, it fails to execute this mass-mailing routine.

This worm contains the text strings:

(c) thynK - tac1
Tac0ny Worm


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.362.06

Pattern release date: Oct 7, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE the path and filename of all files detected as WORM_HOBBIT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    WinSrv = "%Windows%\kn0x.exe"
    *Where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
  4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Deleting Malware Files

  1. Open Windows Explorer. Right-click Start and click Explore.
  2. Navigate to the folders where files were detected as WORM_HOBBIT.A.
  3. Delete the following files if they are present in these folders:
    • TEMP.THEME
    • EMAIL.TXT
    • ZIPPY.EXE
    • aCe1.theme
    • AddamsFamily.theme
    • Anti 0190 Dialer.*
    • BackstreetBoys.theme
    • Bearshare_Fix.*
    • Beyond_FF11.*
    • Borland Delphi 6 Key.*
    • Borland Delphi(all) Crack.*
    • Britney Spears Nude.*
    • BritneySpearsNude.theme
    • ChristinaAguilera.theme
    • Claudia_Schiffer.*
    • CourtneyCoxNude.theme
    • Cube Emulator.*
    • DragonballZ.theme
    • DrNo.theme
    • Edonkey_Fix.*
    • Email Bomber.*
    • Final_Fantasy10.*
    • Flock_Update.*
    • FTP Cracker.*
    • FullSpeed.*
    • Goldfinger.theme
    • Hackers.theme
    • Hotmail Hacker Tool.*
    • I-Explorer7.0.*
    • JamesBond.theme
    • Jenifer Lopez Naked.*
    • Kaza_Fix.*
    • Kaza_Lite_Update_Fix.*
    • kn0x.theme
    • LordoftheRings.theme
    • McAffea_KeyGen.*
    • MichelleBranch.theme
    • Morpheus_Update_Fix.*
    • New_Napster_Clone.*
    • NicoleKidmanF**k.theme
    • NSync.theme
    • Pamela_Live_F**king.*
    • PlayboyCenterFolds.theme
    • Ps2 Crack.*
    • Ps2 Emulator.*
    • Reboot.*
    • SamuraiX.theme
    • Shakira Nude.*
    • Shakira Nude.theme
    • Shrek.theme
    • StarWars.theme
    • Symantec_KeyGen.*
    • TheHives.theme
    • WinMx Hack.*
    • WinXP_Crack.*
    • XBox Emulator.*
    • XXX.theme
  4. Close Windows Explorer.
NOTE: The string ".*" is a wildcard and indicates the possible file extensions: .BAT, .SCR, .EXE, and .PIF.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_HOBBIT.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
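The manual procedure above can be checked with a script. The following is an added example, not Trend Micro's own code or tooling: it turns the dropped file names, the KaZaA share folders and the Run key value listed on this page into an offline matcher, and parses EMAIL.TXT to list the addresses the worm intended to mail. The sample paths, registry snapshot and EMAIL.TXT contents at the bottom are constructed for illustration; on a live Windows host you would feed match_paths() the output of os.walk() and match_run_entries() the values read from the Run key with winreg. The two lure names the page prints with asterisks are used exactly as printed, and the line-per-address layout of EMAIL.TXT is an assumption (the page only says it holds addresses), so matching is done with a regular expression rather than by line.

```python
"""Offline IOC matcher for the WORM_HOBBIT.A artifacts described on this page.

The matching functions are pure (file listing in, hits out) so they can be tested
anywhere; on a Windows host you would feed them os.walk() results and the values
read from the Run key with winreg. Sample input at the bottom is constructed.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# %Filename% lure names: each is dropped with every extension in LURE_EXTENSIONS.
# The two names containing '**' are reproduced as the page prints them.
LURE_NAMES = (
    "Anti 0190 Dialer", "Bearshare_Fix", "Beyond_FF11", "Borland Delphi 6 Key",
    "Borland Delphi(all) Crack", "Britney Spears Nude", "Claudia_Schiffer", "Cube Emulator",
    "Edonkey_Fix", "Email Bomber", "Final_Fantasy10", "Flock_Update", "FTP Cracker",
    "FullSpeed", "Hotmail Hacker Tool", "I-Explorer7.0", "Jenifer Lopez Naked", "Kaza_Fix",
    "Kaza_Lite_Update_Fix", "McAffea_KeyGen", "Morpheus_Update_Fix", "New_Napster_Clone",
    "Pamela_Live_F**king", "Ps2 Crack", "Ps2 Emulator", "Reboot", "Shakira Nude",
    "Symantec_KeyGen", "WinMx Hack", "WinXP_Crack", "XBox Emulator",
)
LURE_EXTENSIONS = (".bat", ".scr", ".exe", ".pif")
# %Filename2%.THEME names (batch stubs, not worm copies).
THEME_NAMES = (
    "aCe1.theme", "AddamsFamily.theme", "BackstreetBoys.theme", "BritneySpearsNude.theme",
    "ChristinaAguilera.theme", "CourtneyCoxNude.theme", "DragonballZ.theme", "DrNo.theme",
    "Goldfinger.theme", "Hackers.theme", "JamesBond.theme", "kn0x.theme", "LordoftheRings.theme",
    "MichelleBranch.theme", "NicoleKidmanF**k.theme", "NSync.theme", "PlayboyCenterFolds.theme",
    "SamuraiX.theme", "Shakira Nude.theme", "Shrek.theme", "StarWars.theme", "TheHives.theme",
    "XXX.theme",
)
FIXED_NAMES = ("TEMP.THEME", "EMAIL.TXT", "ZIPPY.EXE")
# Copies dropped into the KaZaA share folders (also the pool of email attachment names).
KAZAA_NAMES = (
    "All GamesHack.exe", "Credit Cards.exe", "HotMailHack.exe", "ICQ Password Hack.exe",
    "Macromedia Flash MX.exe", "Swat 3 Full Download.exe", "Tacony.exe",
    "Unreal Tournament 3 FullDownloader.exe", "WarCraft III Full.exe", "WIN XPCrack.exe",
)
KAZAA_SHARES = (r"C:\KaZaA\My Shared Folder", r"C:\Program Files\KaZaA\My Shared Folder")
STARTUP_COPY = "kn0x.exe"     # copy in %Windows%, started by the Run value below
RUN_VALUE_NAME = "WinSrv"     # HKLM\Software\Microsoft\Windows\CurrentVersion\Run


def dropped_names() -> frozenset:
    """Every file name the worm can leave behind, lower-cased for case-insensitive matching."""
    names = {f"{lure}{ext}" for lure in LURE_NAMES for ext in LURE_EXTENSIONS}
    names.update(THEME_NAMES, FIXED_NAMES, KAZAA_NAMES, (STARTUP_COPY,))
    return frozenset(n.lower() for n in names)


_DROPPED = dropped_names()


def match_paths(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every path whose file name is a Hobbit artifact."""
    shares = {ntpath.normcase(s) for s in KAZAA_SHARES}   # ntpath handles C:\ paths on any OS
    kazaa = {n.lower() for n in KAZAA_NAMES}
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name not in _DROPPED:
            continue  # unrelated file
        if name == STARTUP_COPY:
            reason = "startup copy"
        elif name in kazaa and ntpath.normcase(ntpath.dirname(path)) in shares:
            reason = "kazaa share copy"
        elif name.endswith((".bat", ".theme")):
            reason = "batch stub"    # '@echo off' / 'ctty nul' text file, not itself malicious
        else:
            reason = "dropped file"  # worm copy (.scr/.exe/.pif), EMAIL.TXT or ZIPPY.EXE
        hits.append((path, reason))
    return hits


def match_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag Run-key values that start the worm: the WinSrv name or any data ending in kn0x.exe."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower()
            or ntpath.basename(data).lower() == STARTUP_COPY]


_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def harvested_addresses(email_txt: str) -> List[str]:
    """Unique addresses found in EMAIL.TXT, i.e. the worm's intended mail targets."""
    return sorted(set(_ADDR.findall(email_txt)))


# Constructed sample input for this example (not from a real host).
SAMPLE_PATHS = [
    r"C:\Downloads\Britney Spears Nude.scr",
    r"C:\Downloads\Britney Spears Nude.bat",
    r"C:\Downloads\StarWars.theme",
    r"C:\Downloads\ZIPPY.EXE",
    r"C:\Program Files\KaZaA\My Shared Folder\HotMailHack.exe",
    r"C:\WINNT\kn0x.exe",
    r"C:\WINNT\explorer.exe",        # benign
    r"C:\Downloads\Reboot.txt",      # lure name, but not one of the dropped extensions
]
SAMPLE_RUN = {"WinSrv": r"C:\WINNT\kn0x.exe", "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"}
SAMPLE_EMAIL_TXT = "alice@example.com\nbob@example.org\nalice@example.com\n"

if __name__ == "__main__":
    for path, reason in match_paths(SAMPLE_PATHS):
        print(f"{reason:17} {path}")
    for name, data in match_run_entries(SAMPLE_RUN):
        print(f"run value         {name} = {data}")
    print("targets:", ", ".join(harvested_addresses(SAMPLE_EMAIL_TXT)))
```

Matching on file name alone is deliberately coarse: several of the .SCR/.EXE/.PIF lure names are plausible names for files a user downloaded on purpose, so treat a hit in a download folder as a lead to confirm with the scanner rather than as proof of infection. kn0x.exe in the Windows directory together with the WinSrv Run value is the strongest indicator, and a zero-byte ZIPPY.EXE beside the lure files matches the failed download described above.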

