WORM_HOBBIT.F

Malware type: Worm

Aliases: Email-Worm.Win32.Alcaul.aa (Kaspersky), W32/Hobbit.gen (McAfee), W32.Hobble.F@mm (Symantec), Worm/Alcaul.AA (Avira), W32/Hobbit-E (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 
This worm uses the Kazaa file sharing network as a means to propagate copies of itself. It also attempts to propagate via email using SMTP commands, but fails to do so because of errors in its code. Aside from this, when run, it displays a message box and downloads a non-malicious file from an Internet site.


Description created: Nov. 12, 2002 3:39:56 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 18,432 Bytes (compressed); 53,248 Bytes (decompressed)

Initial samples received on: Nov 12, 2002

Related to: WORM_HOBBIT.A, WORM_HOBBIT.B, WORM_HOBBIT.C

Details:
Installation

Upon execution, it drops a copy of itself as KN0X.EXE in the Windows folder and creates an autorun entry in the registry so that it executes at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinSrv = "%Windows%\kn0x.exe"

It then drops two files in the current folder, using file names chosen at random from the following list found in its body:

  • Bearshare_Fix.exe
  • I-Explorer7.0.exe
  • Morpheus_Update_Fix.exe
  • Kaza_Lite_Update_Fix.exe
  • Kaza_Fix.exe
  • Edonkey_Fix.exe
  • WinXP_Crack.exe
  • Symantec_KeyGen.exe
  • McAffea_KeyGen.exe
  • Flock_Update.exe
  • WinMx Hack.exe
  • New_Napster_Clone.exe
  • Pamela_Live_Fucking.exe
  • Beyond_FF11.exe
  • Final_Fantasy10.exe
  • Reboot.exe
  • Claudia_Schiffer.exe
  • FullSpeed.exe
  • Email Bomber.exe
  • FTP Cracker.exe
  • Hotmail Hacker Tool.exe
  • Anti 0190 Dialer.exe
  • Britney Spears Nude.exe
  • Shakira Nude.exe
  • Jenifer Lopez Naked.exe
  • Ps2 Emulator.exe
  • Cube Emulator.exe
  • Ps2 Crack.exe
  • XBox Emulator.exe
  • Borland Delphi 6 Key.exe
  • Borland Delphi(all) Crack.exe
  • I-Explorer7.0.pif
  • Morpheus_Update_Fix.pif
  • Kaza_Lite_Update_Fix.pif
  • Kaza_Fix.pif
  • Edonkey_Fix.pif
  • WinXP_Crack.pif
  • Symantec_KeyGen.pif
  • McAffea_KeyGen.pif
  • Flock_Update.pif
  • Bearshare_Fix.pif
  • New_Napster_Clone.pif
  • Hackers.theme
  • Pamela_Live_Fucking.pif
  • Beyond_FF11.pif
  • Final_Fantasy10.pif
  • Reboot.pif
  • Claudia_Schiffer.pif
  • FullSpeed.pif
  • Email Bomber.pif
  • FTP Cracker.pif
  • Hotmail Hacker Tool.pif
  • Anti 0190 Dialer.pif
  • WinMx Hack.pif
  • Britney Spears Nude.pif
  • Shakira Nude.pif
  • Jenifer Lopez Naked.pif
  • Ps2 Emulator.pif
  • Cube Emulator.pif
  • Ps2 Crack.pif
  • XBox Emulator.pif
  • Borland Delphi 6 Key.pif
  • Borland Delphi(all) Crack.pif
  • I-Explorer7.0.bat
  • Morpheus_Update_Fix.bat
  • Kaza_Lite_Update_Fix.bat
  • Kaza_Fix.bat
  • Edonkey_Fix.bat
  • WinXP_Crack.bat
  • Symantec_KeyGen.bat
  • McAffea_KeyGen.bat
  • Flock_Update.bat
  • Bearshare_Fix.bat
  • New_Napster_Clone.bat
  • DragonballZ.theme
  • Pamela_Live_Fucking.bat
  • Beyond_FF11.bat
  • Final_Fantasy10.bat
  • Reboot.bat
  • Claudia_Schiffer.bat
  • FullSpeed.bat
  • Email Bomber.bat
  • FTP Cracker.bat
  • Hotmail Hacker Tool.bat
  • Anti 0190 Dialer.bat
  • WinMx Hack.bat
  • Britney Spears Nude.bat
  • Shakira Nude.bat
  • Jenifer Lopez Naked.bat
  • Ps2 Emulator.bat
  • Cube Emulator.bat
  • Ps2 Crack.bat
  • XBox Emulator.bat
  • Borland Delphi 6 Key.bat
  • Borland Delphi(all) Crack.bat
  • I-Explorer7.0.scr
  • Morpheus_Update_Fix.scr
  • Kaza_Lite_Update_Fix.scr
  • Kaza_Fix.scr
  • Edonkey_Fix.scr
  • WinXP_Crack.scr
  • Symantec_KeyGen.scr
  • McAffea_KeyGen.scr
  • Flock_Update.scr
  • Bearshare_Fix.scr
  • New_Napster_Clone.scr
  • SamuraiX.theme
  • Pamela_Live_Fucking.scr
  • Beyond_FF11.scr
  • Final_Fantasy10.scr
  • Reboot.scr
  • Claudia_Schiffer.scr
  • FullSpeed.scr
  • Email Bomber.scr
  • FTP Cracker.scr
  • Hotmail Hacker Tool.scr
  • Anti 0190 Dialer.scr
  • WinMx Hack.scr
  • Britney Spears Nude.scr
  • Shakira Nude.scr
  • Jenifer Lopez Naked.scr
  • Ps2 Emulator.scr
  • Cube Emulator.scr
  • Ps2 Crack.scr
  • XBox Emulator.scr
  • Borland Delphi 6 Key.scr
  • Borland Delphi(all) Crack.scr
  • Shakira Nude.theme
  • BackstreetBoys.theme
  • Goldfinger.theme
  • Shrek.theme
  • LordoftheRings.theme
  • StarWars.theme
  • MichelleBranch.theme
  • TheHives.theme
  • DrNo.theme
  • JamesBond.theme
  • NSync.theme
  • AddamsFamily.theme
  • PlayboyCenterFolds.theme
  • BritneySpearsNude.theme
  • ChristinaAguilera.theme
  • aCe1.theme
  • kn0x.theme
  • XXX.theme
  • NicoleKidmanFuck.theme
  • CourtneyCoxNude.theme
  • LearnVisualBasic.zip
  • LearnVisualC.zip
  • Phreaking.zip
  • LearnVisualFoxPro.zip
  • LearnPHP.zip
  • LearnHTML.zip
  • LearnKylix.zip
  • SecretsOfMicrosoftdotNET.zip
  • LearnCSharp.zip
  • LearnVisualBasic.NET.zip
  • CplusplusUnleashed.zip
  • Hacking101.zip
  • EroticStories.zip
  • CreditCards.zip
  • CIASecrets.zip
  • VirusWriting.zip
  • TipsOnMakingYourPartnerWild.zip
  • CreditCardNumbers.zip
  • NewsweekSeptemberEditionCompressed.zip
  • TroubleshootingyourComputer.zip
  • CounterStrikeCheats.zip
  • JokeForTheDay.zip
  • MakeMillions.zip
  • YouWantToBeAMillionaire.zip
  • DisneyBedTimeStories.zip
  • StephenKingUnreleasedNotes.zip
  • NikolaTeslaNotes.zip
  • SecretsOfAlbertEinstein.zip
  • ThomasEdisonSecrets.zip
  • AlexanderGrahamBellSecrets.zip
  • HackSQLServersScript.bat
  • HackIISServersScript.bat
  • HackMozillaServersScript.bat
  • HackHotmailScript.bat
  • HackYahooScript.bat
  • HackApacheServersScript.bat
  • HackXBoxScript.bat
  • HackPayPalScript.bat
  • WindowsSourceCodeRedirect.bat
  • RedirectMeToHollywood.bat

Dropped files with an EXE, PIF, or SCR extension are copies of the worm, whereas those with a BAT, THEME, or ZIP extension are non-malicious decoys that contain only the following batch file commands (CTTY is a COMMAND.COM built-in that redirects console input and output to the NUL device, so the decoy does nothing useful when run):

@echo off
ctty nul

Propagation

Once the worm is running in memory, it checks for the existence of the following folders:

  • C:\KaZaA\My Shared Folder\
  • C:\Program Files\KaZaA\My Shared Folder\

If found, it drops a copy of itself in those folders using any of the following file names:

  • WIN XPCrack.exe
  • All GamesHack.exe
  • ICQ Password Hack.exe
  • HotMailHack.exe
  • Unreal Tournament 3 FullDownloader.exe
  • WarCraft III Full.exe
  • Swat 3 Full Download.exe
  • Macromedia Flash MX.exe
  • Tacony.exe
  • HotMailHack.exe
  • Credit Cards.exe

This makes the worm accessible to other Kazaa users.

The worm also attempts to propagate via email using SMTP commands, but fails because of errors in its code. The details of the email message it attempts to send are as follows:

Subject: files for you - from <sender>
Attachment: <any of the dropped copies of the worm>

It also searches for email addresses in HTM and HTML files in the Windows, System, and Temp folders and stores them in a text file called email.txt, which it creates in the current folder, presumably for use by its mailing routine.
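The installation and propagation indicators above can be checked offline against evidence pulled from a suspect host. The following is an added example, not part of the original write-up and not Trend Micro's tooling: it parses a .reg-style export of the Run key and a listing of file paths with their contents, and labels what the write-up describes, namely the kn0x.exe autorun entry, worm copies (the EXE/PIF/SCR names from the drop list), the BAT/THEME/ZIP decoys recognised by their batch content, the lure names inside the Kazaa shared folders, and the email.txt harvest file. The registry export and file listing in the block are constructed for the demonstration; the name stems are taken from the drop list above, and the function and constant names are my own.

```python
"""Offline triage for the WORM_HOBBIT.F indicators (added example, not Trend Micro code)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "winsrv"
DROPPER_NAME = "kn0x.exe"

# Name stems shared by the EXE/PIF/SCR worm copies (and BAT decoys) from the drop list above.
STEMS = (
    "bearshare_fix", "i-explorer7.0", "morpheus_update_fix", "kaza_lite_update_fix", "kaza_fix",
    "edonkey_fix", "winxp_crack", "symantec_keygen", "mcaffea_keygen", "flock_update", "winmx hack",
    "new_napster_clone", "pamela_live_fucking", "beyond_ff11", "final_fantasy10", "reboot",
    "claudia_schiffer", "fullspeed", "email bomber", "ftp cracker", "hotmail hacker tool",
    "anti 0190 dialer", "britney spears nude", "shakira nude", "jenifer lopez naked", "ps2 emulator",
    "cube emulator", "ps2 crack", "xbox emulator", "borland delphi 6 key", "borland delphi(all) crack",
)
WORM_EXTS = {".exe", ".pif", ".scr"}      # dropped files with these extensions are worm copies
DECOY_EXTS = {".bat", ".theme", ".zip"}   # these carry only the two batch commands
DECOY_BODY = b"@echo off\r\nctty nul"
KAZAA_DIRS = {r"c:\kazaa\my shared folder", r"c:\program files\kazaa\my shared folder"}
KAZAA_LURES = {
    "win xpcrack.exe", "all gameshack.exe", "icq password hack.exe", "hotmailhack.exe",
    "unreal tournament 3 fulldownloader.exe", "warcraft iii full.exe", "swat 3 full download.exe",
    "macromedia flash mx.exe", "tacony.exe", "credit cards.exe",
}

_REG_KEY = re.compile(r"^\[(.+)\]$")
_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def run_key_hits(reg_export: str) -> list[tuple[str, str]]:
    """Return (value name, data) pairs under the Run key that match the documented autostart entry.

    reg_export is the text of a REGEDIT export (decode the UTF-16 file before calling this).
    """
    hits, current_key = [], ""
    for line in reg_export.splitlines():
        line = line.strip()
        if m := _REG_KEY.match(line):
            current_key = m.group(1).lower()
            continue
        if current_key != RUN_KEY.lower():
            continue
        if m := _REG_VALUE.match(line):
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if name.lower() == RUN_VALUE_NAME or PureWindowsPath(data).name.lower() == DROPPER_NAME:
                hits.append((name, data))
    return hits


def classify_file(path: str, content: bytes = b"") -> str | None:
    """Label one file: 'autorun_copy', 'kazaa_lure', 'worm_copy', 'decoy', 'harvest' or None."""
    p = PureWindowsPath(path)
    name, stem, ext = p.name.lower(), p.stem.lower(), p.suffix.lower()
    parent = str(p.parent).lower()
    if name == DROPPER_NAME:
        return "autorun_copy"
    if parent in KAZAA_DIRS and name in KAZAA_LURES:
        return "kazaa_lure"
    if stem in STEMS and ext in WORM_EXTS:
        return "worm_copy"
    if ext in DECOY_EXTS and content.startswith(DECOY_BODY):
        return "decoy"
    if name == "email.txt":
        return "harvest"
    return None


def triage(reg_export: str, files: dict[str, bytes]) -> dict[str, list[str]]:
    """Group the evidence by indicator type; 'autorun' holds Run-key hits as 'name=data' strings."""
    report: dict[str, list[str]] = {"autorun": [f"{n}={d}" for n, d in run_key_hits(reg_export)]}
    for path, content in files.items():
        if label := classify_file(path, content):
            report.setdefault(label, []).append(path)
    return report


# Constructed sample evidence for the demonstration (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSrv"="C:\\WINDOWS\\kn0x.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
SAMPLE_FILES = {
    r"C:\WINDOWS\kn0x.exe": b"MZ...",
    r"C:\Downloads\I-Explorer7.0.pif": b"MZ...",
    r"C:\Downloads\Kaza_Lite_Update_Fix.bat": b"@echo off\r\nctty nul\r\n",
    r"C:\Downloads\email.txt": b"alice@example.com\r\n",
    r"C:\KaZaA\My Shared Folder\Tacony.exe": b"MZ...",
    r"C:\Program Files\KaZaA\My Shared Folder\setup.exe": b"MZ...",  # legitimate share, not a lure name
    r"C:\WINDOWS\system32\ctfmon.exe": b"MZ...",
}

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REG, SAMPLE_FILES).items():
        print(f"{kind}: {items}")
```

The decoy check keys on content rather than name because the THEME and ZIP decoys use names (Hackers.theme, Hacking101.zip and so on) that the page lists only once each, while the two-line batch body is common to all of them; a real BAT file dropped with one of the listed stems is still reported, just as a decoy rather than a worm copy.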

Payload

The worm also has two nondestructive payloads. First, it displays a message box upon execution.

It also downloads a non-malicious file, ZIPPY.EXE, from this Internet site:
http://www.<blocked>.<blocked>.uk/sites/ftp.<blocked>.org/pub/infozip/WIN32/zip23xN.zip/zip.exe?extract=true zippy.exe

This downloaded file is a legitimate Info-ZIP command-line utility for working with ZIP archives.


SOLUTION


Minimum scan engine version needed: 5.400

Pattern file needed: 1.383.28

Pattern release date: Nov 12, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_HOBBIT.F. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    WinSrv "%Windows%\kn0x.exe"
    *Where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT
  4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Locating and Deleting the Malware Files

  1. Locate the dropped files.
    On Windows 9x/NT
    1. Click Start>Find>Files and Folders.
    2. In the Named input box, type:
      Email.txt
      Zippy.exe
    3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
    On Windows 2000/ME/XP
    1. Click Start>Search>For Files and Folders.
    2. In the Search for files and folders named input box, type:
      Email.txt
      Zippy.exe
    3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.
  2. Delete the files found.
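The three manual steps above (terminate the process, remove the autostart entry, delete the dropped files) can be scripted on a Windows host. The following is an added example, not Trend Micro's removal tool: it assumes an elevated prompt, the taskkill utility (present on Windows XP and later, so it does not apply to the 9x/ME systems mentioned above), and the indicators exactly as documented here. The folder the worm was launched from is passed as the last argument (the current directory otherwise), since email.txt and zippy.exe are created there. It only reports in its default dry-run mode and changes the system only when invoked with --apply; the lure-named worm copies are left to the antivirus scan that follows.

```python
"""Scripted cleanup for the WORM_HOBBIT.F indicators (added example, not Trend Micro code)."""
from __future__ import annotations

import ntpath
import os
import subprocess
import sys

try:
    import winreg  # Windows only; the pure helper functions below work on any platform
except ImportError:
    winreg = None

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPER = "kn0x.exe"


def is_hobbit_autorun(name: str, data: str) -> bool:
    """Match the documented Run value by its name (WinSrv) or by the file it launches (kn0x.exe)."""
    return name.lower() == "winsrv" or ntpath.basename(data.strip('"')).lower() == DROPPER


def cleanup_targets(windir: str, work_dir: str) -> list[str]:
    """Files the write-up says to delete: the autorun copy in %Windows%, plus email.txt and
    zippy.exe in the folder the worm was run from (work_dir is the caller's assumption)."""
    return [ntpath.join(windir, DROPPER),
            ntpath.join(work_dir, "email.txt"),
            ntpath.join(work_dir, "zippy.exe")]


def terminate_process(dry_run: bool) -> bool:
    """Step 1: kill every running kn0x.exe image. Returns True only if taskkill reported success."""
    if dry_run:
        return False
    result = subprocess.run(["taskkill", "/F", "/IM", DROPPER], capture_output=True, text=True)
    return result.returncode == 0


def remove_autorun(dry_run: bool) -> list[str]:
    """Step 2: delete matching values under HKLM\\...\\Run. Returns the 'name=data' pairs found."""
    found: list[str] = []
    access = winreg.KEY_QUERY_VALUE | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, 0, access) as key:
        values, index = [], 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append((name, str(data)))
            index += 1
        for name, data in values:  # delete after enumerating, never while walking the key
            if is_hobbit_autorun(name, data):
                found.append(f"{name}={data}")
                if not dry_run:
                    winreg.DeleteValue(key, name)
    return found


def delete_files(paths: list[str], dry_run: bool) -> list[str]:
    """Step 3: delete the dropped files that exist. Returns what was (or would be) removed."""
    removed = []
    for path in paths:
        if os.path.isfile(path):
            if not dry_run:
                os.remove(path)
            removed.append(path)
    return removed


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("this cleanup only runs on Windows")
    dry_run = "--apply" not in sys.argv
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    work_dir = positional[-1] if positional else os.getcwd()
    print("dry run" if dry_run else "applying changes")
    print("process terminated:", terminate_process(dry_run))
    print("autorun values:", remove_autorun(dry_run))
    print("files:", delete_files(cleanup_targets(windir, work_dir), dry_run))
    print("now run a full antivirus scan to remove the remaining lure-named copies")
```

Run it once without --apply to confirm it reports exactly the WinSrv value and the three files before letting it change anything; if the Run value is present but the process cannot be killed, reboot after removing the value, as the note above says, so the file is no longer locked when it is deleted.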

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_HOBBIT.F. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

