WORM_HOBBIT.B

Malware type: Worm

Aliases: Email-Worm.Win32.Alcaul.ab (Kaspersky), W32/Hobbit.b@MM (McAfee), W32.Hobble.C@mm (Symantec), Worm/Alcaul.AB (Avira), W32/Hobbit-C (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: Yes

Overall risk rating:

Description: 

This worm spreads via email and the Kazaa file sharing network.

The details of the email could be any of the following:

Subject: Fwd: Scan your computer for this new virus threat...
Message Body: This is a fix and removal for the new internet worm known as BugBear. 1 in ever 4 computers in infected with this virus. When run, it will scan your computer and notify you if you're infected or not, then clean if infected
Attachment: Anti-Bug.exe

Subject: AntiVirus Updates:
Message Body: A Removal to scan for the new BugBear Virus. Recommended by (followed by name of sender)
Attachment: Varies

Due to some errors in its code, this worm fails to send email messages.


Description created: Oct. 12, 2002 4:11:51 PM GMT -0800
Description updated: Oct. 16, 2002 11:05:53 AM GMT -0800


TECHNICAL DETAILS


Size of malware: Compressed: 23,040 Bytes
Uncompressed: 61,440 Bytes

Initial samples received on: Oct 12, 2002

Details:

This worm, created in Visual Basic, requires the following files to execute:

  • MSVBVM60.DLL
  • MSINET.OCX
  • MSWINSCK.OCX

It sometimes arrives as a UPX-compressed executable file that, when executed, displays a message box containing the text strings "kn0x 0wnx" and "System Not Infected with Bugbear".

Mass-Mailing Routine

This worm uses Mail Application Programming Interface (MAPI) and Simple Mail Transport Protocol (SMTP) to send email messages. It uses MAPI to send copies of itself to all email addresses listed in the Outlook Address book.

The details of the email message it sends are as follows:

Subject: Fwd: Scan your computer for this new virus threat...
Message Body: This is a fix and removal for the new internet worm known as BugBear. 1 in ever 4 computers in infected with this virus. When run, it will scan your computer and notify you if you're infected or not, then clean if infected
Attachments: Anti-Bug.exe

It uses SMTP to send email messages to all email addresses listed in the EMAIL.TXT file. To send an email, it connects to the infected system's predefined SMTP server, which it reads from this registry entry:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Account Manager\Accounts\
00000001,SMTP Server

The details of the email are as follows:

Subject: AntiVirus Updates:
Message Body: A Removal to scan for the new BugBear Virus. Recommended by (followed by the SMTP display name)
Attachments: Chosen from the dropped files.

Due to some errors in its code, this worm fails to actually send email messages.

Propagation Via Kazaa

If either of the following Kazaa shared folders is present, it copies itself to each of these folders using different filenames:

  • C:\KaZaA\My Shared Folder\
  • C:\Program Files\KaZaA\My Shared Folder\

It uses any of the following filenames:

  • All GamesHack.exe
  • Credit Cards.exe
  • HotMailHack.exe
  • ICQ Password Hack.exe
  • Macromedia Flash MX.exe
  • Swat 3 Full Download.exe
  • Tacony.exe
  • Unreal Tournament 3 FullDownloader.exe
  • WarCraft III Full.exe
  • WIN XPCrack.exe

Installation

This worm copies itself to a Shizzle.exe file in the Windows directory. Then it adds this registry entry so that its copy executes upon system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
WinSrv = %Windows%\Shizzle.exe

In the same folder as its copy, it creates two files, ZIPPY.EXE and EMAIL.TXT. It attempts to download a file from the Internet and saves it as ZIPPY.EXE. If the download is not successful, the file is left empty.

This worm searches for the text string "mailto" in selected HTML files to obtain email addresses and then saves these to the EMAIL.TXT file.

It drops a number of files, listed below, in the same directory where it is found. Some of the dropped files are exact copies of the worm and some contain the code of a non-destructive batch file. The extension of these files could be EXE, PIF, BAT, or SCR:

  • Anti 0190 Dialer
  • Bearshare_Fix
  • Beyond_FF11
  • Borland Delphi 6 Key
  • Borland Delphi(all) Crack
  • Britney Spears Nude
  • Claudia_Schiffer
  • Cube Emulator
  • Edonkey_Fix
  • Email Bomber
  • Final_Fantasy10
  • Flock_Update
  • FTP Cracker
  • FullSpeed
  • Hotmail Hacker Tool
  • I-Explorer7.0
  • Jenifer Lopez Naked
  • Kaza_Fix
  • Kaza_Lite_Update_Fix
  • McAffea_KeyGen
  • Morpheus_Update_Fix
  • New_Napster_Clone
  • Pamela_Live_Fucking
  • Ps2 Crack
  • Ps2 Emulator
  • Reboot
  • Shakira Nude
  • Symantec_KeyGen
  • WinMx Hack
  • WinXP_Crack
  • XBox Emulator

It may also choose the filename of the dropped files from the following:

  • aCe1.theme
  • AddamsFamily.theme
  • AlexanderGrahamBellSecrets.zip
  • BackstreetBoys.theme
  • BritneySpearsNude.theme
  • ChristinaAguilera.theme
  • CIASecrets.zip
  • CounterStrikeCheats.zip
  • CourtneyCoxNude.theme
  • CplusplusUnleashed.zip
  • CreditCardNumbers.zip
  • CreditCards.zip
  • DisneyBedTimeStories.zip
  • DragonballZ.theme
  • DrNo.theme
  • EroticStories.zip
  • Goldfinger.theme
  • HackApacheServersScript.bat
  • Hackers.theme
  • HackHotmailScript.bat
  • HackIISServersScript.bat
  • Hacking101.zip
  • HackMozillaServersScript.bat
  • HackPayPalScript.bat
  • HackSQLServersScript.bat
  • HackXBoxScript.bat
  • HackYahooScript.bat
  • JamesBond.theme
  • JokeForTheDay.zip
  • kn0x.theme
  • LearnCSharp.zip
  • LearnKylix.zip
  • LearnPHP.zip
  • LearnVisualBasic.NET.zip
  • LearnVisualBasic.zip
  • LearnVisualC.zip
  • LearnVisualFoxPro.zip
  • LordoftheRings.theme
  • MakeMillions.zip
  • MichelleBranch.theme
  • NewsweekSeptemberEditionCompressed.zip
  • NicoleKidmanFuck.theme
  • NikolaTeslaNotes.zip
  • NSync.theme
  • Phreaking.zip
  • PlayboyCenterFolds.theme
  • RedirectMeToHollywood.bat
  • SamuraiX.theme
  • SecretsOfAlbertEinstein.zip
  • SecretsOfMicrosoftdotNET.zip
  • Shakira Nude.theme
  • StarWars.theme
  • StephenKingUnreleasedNotes.zip
  • temp.bat
  • temp.theme
  • TheHives.theme
  • ThomasEdisonSecrets.zip
  • TipsOnMakingYourPartnerWild.zip
  • TroubleshootingyourComputer.zip
  • VirusWriting.zip
  • WindowsSourceCodeRedirect.bat
  • XXX.theme
  • YouWantToBeAMillionaire.zip
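The installation and Kazaa propagation indicators above (the WinSrv Run value, Shizzle.exe, ZIPPY.EXE and EMAIL.TXT in the Windows directory, and the lure filenames in the Kazaa shared folders) can be checked on a host by a small triage routine. The following is an added example, not a Trend Micro tool; it works on caller-supplied Run-key values and file paths (constructed in-line here), so it runs offline on any platform.

```python
"""Triage helper for WORM_HOBBIT.B host indicators (added example, not Trend Micro's)."""
import ntpath

# Indicators taken from the description above; all comparisons are case-insensitive.
RUN_VALUE_NAME = "winsrv"                       # value name under HKLM\...\Run
WORM_EXE = "shizzle.exe"                        # copy placed in the Windows directory
DROPPED_FILES = {"zippy.exe", "email.txt"}      # created beside the copy
KAZAA_SHARES = {r"c:\kazaa\my shared folder", r"c:\program files\kazaa\my shared folder"}
KAZAA_NAMES = {"all gameshack.exe", "credit cards.exe", "hotmailhack.exe",
               "icq password hack.exe", "macromedia flash mx.exe",
               "swat 3 full download.exe", "tacony.exe",
               "unreal tournament 3 fulldownloader.exe", "warcraft iii full.exe",
               "win xpcrack.exe"}

def check_run_key(run_values):
    """Flag Run values named WinSrv or pointing at Shizzle.exe (the stray space
    in '%Windows%\\ Shizzle.exe' from the page is tolerated)."""
    findings = []
    for name, data in run_values.items():
        target = ntpath.basename(data.strip().strip('"')).strip().lower()
        if name.lower() == RUN_VALUE_NAME or target == WORM_EXE:
            findings.append(f"autostart entry: {name} = {data}")
    return findings

def check_files(paths, windows_dir=r"C:\Windows"):
    """Flag the worm's copy and dropped files in the Windows directory, and its
    lure filenames inside either Kazaa shared folder."""
    findings = []
    win = windows_dir.lower().rstrip("\\")
    for path in paths:
        folder, base = ntpath.split(path.lower())
        folder = folder.rstrip("\\")
        if folder == win and (base == WORM_EXE or base in DROPPED_FILES):
            findings.append(f"worm file: {path}")
        elif folder in KAZAA_SHARES and base in KAZAA_NAMES:
            findings.append(f"kazaa lure: {path}")
    return findings

def triage(run_values, paths):
    """Combine both checks; an empty list means no indicator was seen."""
    return check_run_key(run_values) + check_files(paths)

# Constructed sample input standing in for a real registry export and file listing.
SAMPLE_RUN = {"WinSrv": r"%Windows%\ Shizzle.exe",
              "ctfmon": r"C:\Windows\System32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\Windows\Shizzle.exe", r"C:\Windows\EMAIL.TXT",
                r"C:\Windows\notepad.exe",
                r"C:\KaZaA\My Shared Folder\Tacony.exe",
                r"C:\KaZaA\My Shared Folder\song.mp3"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```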

Payload

This worm attempts to cause a Denial of Service (DoS) attack on the following Web site:
www.dokfleed.net

To carry out the DoS attack, it continuously sends PING requests, each containing 10,000 Bytes, to the Web site.

This worm also attempts to modify system settings to disable the Windows Desktop.


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.363.00

Pattern release date: Oct 12, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

On Windows 9X/ME Systems

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    WinSrv
  4. Close Registry Editor
  5. Restart your system

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_HOBBIT.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

On Windows NT/2000/XP Systems

Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Applications tab.
  2. In the list of running applications, locate the applications named:
    TAC1
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system. Repeat until no more applications named TAC1 are running.
  4. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    WinSrv
  4. Close Registry Editor

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_HOBBIT.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

