WORM_HOLAR.C

Malware type: Worm

Aliases: Email-Worm.Win32.Galil (Kaspersky), W32/Holar.gen (McAfee), W32.Galil@mm (Symantec), Worm/Holar.C.1 (Avira), W32/Holar-C (Sophos)

In the wild: No

Destructive: Yes

Language: English

Platform: Windows 95/98/NT/2000/ME/XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident, mass-mailing worm propagates copies of itself via email to all addresses found in the infected system using either its own SMTP (Simple Mail Transfer Protocol) engine or Microsoft Outlook (using MAPI or Messaging Application Programming Interface). It gathers email addresses from HTM and HTML files found in the infected system.

It sends out an email message with the following details:

Subject: FWD: Crazy illegal sex !

Message body: Hii Is it really illegal in da USA? who knows :P If you have a weak heart i warn u DON'T see dis Clip. Emagine two young children havin crazy sex fo da first time togetha ! loooool i'm still wonderin where thier parents were? Good Fuck , oh sorry : > i mean Good Luck ;) Bye

(Note that the message body contains initial text strings that trick recipients into thinking that the email message was forwarded by a Yahoo user.)

The executable attachment, which may arrive inside a ZIP file, has an icon that is usually associated with ShockWave Flash files.

Approximately 15 minutes after it has executed, the worm overwrites all files in all folders of writable drives with the following text strings:

1-No PeaCe WithOut WaR _ >> TT TT >>> 11>>>OoO>>9\Om >> TiiT >>> YX >>OOo>>11\Om >> OXBYL -> Haw >> ()()9.9.12MP _1s00x05y988z877c7y7756477v77x7777g8oro885t55oro312852oro14P,u 2- Made By ZaCker

It is written in Visual Basic, a high-level programming language, and is compressed using the UPX compression utility.

Description created: Dec. 5, 2002 9:51:28 AM GMT -0800
Description updated: Dec. 5, 2002 10:12:12 AM GMT -0800


TECHNICAL DETAILS


Size of malware: UPX-compressed = 54,514 Bytes; Uncompressed = 80,526 Bytes

Initial samples received on: Dec 5, 2002

Variant of WORM_HOLAR.A

Payload 1: Deletes Files (in drives D, E, F, and G)

Trigger condition 1: Upon execution

Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm displays a graphical window with an animated progress bar and the text "Loading...".

Simultaneously, it drops a copy of itself as iLLeGaL.exe in the Windows system folder and then creates this autorun registry entry so that it is executed at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\RunServices
"iLLeGaL" = %System%\Mplayer.exe

(%System% refers to the Windows system directory, usually C:\Windows\System or C:\WinNT\System32.)

Aside from the autorun entry, the worm also creates this registry key, whose integer value it increments each time it is executed:

HKEY_LOCAL_MACHINE\iLLeGal
<integer value> = 1

This worm then drops the file, MPLAYER.EXE (13,824 Bytes) in the Windows system folder, and sets it with hidden, read-only, and system attributes. Then, it executes the file and installs it in memory. This file contains the mass-mailing routine of the worm.

Note: The dropped MPLAYER.EXE file is entirely different from the legitimate Windows file, which is also named MPLAYER.EXE. The legitimate file is found in the Windows folder and is not hidden like the dropped worm file. File size and attributes should be properly checked when deleting this file.

It also drops these non-malicious files in the Windows System folder:

  • SMTP.OCX (25,737 Bytes)
  • MMAILS.DLL (varies in size)

SMTP.OCX is an ActiveX control library that the malware uses for its mailing routine. The worm uses MMAILS.DLL to store the email addresses of its target recipients, which it gathers by searching HTM and HTML files on the infected system for the string "mailto:".

After dropping the above-mentioned files, it displays a message box with the title "Sorry!", and then another graphical window with the text "it was a lil Joke don't be mad".

Mass-mailing Routine

This worm spreads by mass-mailing copies of itself to email addresses which it retrieves from HTM and HTML files in the infected machine. It uses its own SMTP engine or Microsoft Outlook (using MAPI or Messaging Application Programming Interface) to carry out its mailing routine.

It sends out an email message with the following details:

Subject: FWD: Crazy illegal sex !

Message body: Hii Is it really illegal in da USA? who knows :P If you have a weak heart i warn u DON'T see dis Clip. Emagine two young children havin crazy sex fo da first time togetha ! loooool i'm still wonderin where thier parents were? Good Fuck , oh sorry : > i mean Good Luck ;) Bye

Note: The message body begins with text strings that resemble a forwarded email message from a Yahoo user.
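A mail-gateway check for the message described in this section (and in the Description above), added here as an example; it is not code from the original write-up. It parses an RFC 822 message with Python's standard library, matches the quoted subject line, and inspects attachments for a Windows executable delivered either directly or inside a ZIP file, as the write-up says the attachment may be. The sample messages, addresses and the "executable" (an MZ header plus padding) are all constructed here.

```python
"""Gateway-side detection of HOLAR.C-style messages (added example, not
part of the Trend Micro write-up). Inspects attachment content rather
than file names or icons, because the worm disguises its EXE with a
ShockWave Flash icon. All sample data below is constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject line quoted in the write-up. Compared case-insensitively with
# collapsed whitespace so a copy re-wrapped by a relay still matches.
HOLAR_SUBJECT = "FWD: Crazy illegal sex !"


def _norm(text):
    return " ".join((text or "").split()).lower()


def is_pe(head):
    """True if the data starts with the 'MZ' DOS header of a Windows executable."""
    return head[:2] == b"MZ"


def executable_payloads(msg):
    """Yield (name, reason) for each executable found among the attachments,
    whether attached directly or packed inside a ZIP archive."""
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if is_pe(data):
            yield name, "PE attached directly"
        elif data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        with zf.open(info) as fh:
                            if is_pe(fh.read(2)):
                                yield f"{name}:{info.filename}", "PE inside ZIP"
            except zipfile.BadZipFile:
                yield name, "ZIP signature but archive does not parse"


def classify(raw):
    """Return (verdict, findings) for one raw message in bytes.

    block      - HOLAR subject line together with an executable payload
    quarantine - executable payload under any other subject
    deliver    - no executable payload found
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = list(executable_payloads(msg))
    subject_hit = _norm(msg["subject"]) == _norm(HOLAR_SUBJECT)
    if findings and subject_hit:
        return "block", findings
    if findings:
        return "quarantine", findings
    return "deliver", findings


# --- constructed samples (not captured traffic) -----------------------------
FAKE_PE = b"MZ" + b"\x00" * 62  # MZ header plus padding; not a real program
BODY = ("Hii Is it really illegal in da USA? who knows :P "
        "If you have a weak heart i warn u DON'T see dis Clip.")  # excerpt


def _message(subject, filename, data):
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "recipient@example.invalid"     # constructed address
    msg["Subject"] = subject
    msg.set_content(BODY)
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def _zipped(inner_name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


SAMPLE_EXE = _message(HOLAR_SUBJECT, "clip.exe", FAKE_PE)
SAMPLE_ZIP = _message("fwd:  crazy illegal sex !", "clip.zip",
                      _zipped("clip.exe", FAKE_PE))
SAMPLE_OTHER_EXE = _message("quarterly report", "setup.exe", FAKE_PE)
SAMPLE_CLEAN = _message(HOLAR_SUBJECT, "notes.txt", b"just text")

if __name__ == "__main__":
    for label, raw in [("exe", SAMPLE_EXE), ("zip", SAMPLE_ZIP),
                       ("other", SAMPLE_OTHER_EXE), ("clean", SAMPLE_CLEAN)]:
        print(label, *classify(raw))
```

The subject match alone is deliberately not enough to block: a reply or complaint quoting the lure would otherwise be dropped, so the verdict is tied to the presence of an executable payload, and executables under any other subject are quarantined rather than delivered.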

Destructive Payload

Approximately 15 minutes after it has executed, the worm overwrites all files in all folders of writable drives with the following text strings:

1-No PeaCe WithOut WaR _ >> TT TT >>> 11>>>OoO>>9\Om >> TiiT >>> YX >>OOo>>11\Om >> OXBYL -> Haw >> ()()9.9.12MP _1s00x05y988z877c7y7756477v77x7777g8oro885t55oro312852oro14P,u 2- Made By ZaCker

It also displays a message box containing these text strings:

"No Peace Without war,i hate war but im forced to love it,Hidden Power's gonna b there wherever u r"

This worm is also designed to delete all files in the drives D, E, F, and G if the value of this registry entry equals 5:

HKEY_LOCAL_MACHINE\ILLeGal
<integer value>

The worm, however, fails to execute this malicious intent.
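A triage script for the registry artefacts listed in the Installation section and in this one, added here as an example; it is not code from the original write-up. It reads a regedit text export (the "Windows Registry Editor Version 5.00" format) so it runs on any platform, flags the RunServices autorun value, and reads the execution counter and compares it with the trigger value of 5. Two things are assumptions because the write-up is terse: that the counter is a REG_DWORD value stored inside the key HKEY_LOCAL_MACHINE\iLLeGal (the write-up shows only the key and "<integer value>"), and that the export covers HKEY_LOCAL_MACHINE. Both sample exports are constructed.

```python
"""Registry triage for WORM_HOLAR.C indicators from a .reg export (added
example, not part of the Trend Micro write-up). Assumes the execution
counter is a REG_DWORD value inside HKEY_LOCAL_MACHINE\\iLLeGal; the
write-up does not name the value. Sample exports are constructed."""
import re

RUNSERVICES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
COUNTER_KEY = r"HKEY_LOCAL_MACHINE\iLLeGal"   # assumption: counter lives here
TRIGGER_VALUE = 5        # write-up: drives D-G are targeted when the counter equals 5
DROPPED_FILE = "mplayer.exe"                 # the dropped mailer component

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def _decode(data):
    """Decode the right-hand side of a .reg value line (REG_SZ, REG_DWORD)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data          # other types are kept as raw text


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for a .reg export.

    Keys and value names are lower-cased: the registry is case-insensitive
    and the worm writes its names in mixed case ("iLLeGal").
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name.lower()] = _decode(m.group("data"))
    return keys


def triage(text):
    """Report the HOLAR.C registry indicators found in an export."""
    reg = parse_reg_export(text)
    autorun = []
    for name, data in reg.get(RUNSERVICES.lower(), {}).items():
        # Flag the value name the worm uses, and any RunServices value that
        # launches a file called mplayer.exe (legitimate MPLAYER.EXE lives in
        # the Windows folder and is not registered as a service).
        launches_dropped = isinstance(data, str) and data.lower().endswith(DROPPED_FILE)
        if name == "illegal" or launches_dropped:
            autorun.append((name, data))
    counter_key = reg.get(COUNTER_KEY.lower())
    counter = None
    if counter_key is not None:
        ints = [v for v in counter_key.values() if isinstance(v, int)]
        counter = ints[0] if ints else None
    return {
        "autorun": autorun,
        "counter_key_present": counter_key is not None,
        "counter": counter,
        # The write-up says the deletion routine fails even when armed, but
        # a counter at the trigger value still marks a repeatedly-run host.
        "armed": counter == TRIGGER_VALUE,
        "infected": bool(autorun) or counter_key is not None,
    }


# --- constructed exports (not from a real machine) --------------------------
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"iLLeGal"="C:\\WINDOWS\\SYSTEM\\Mplayer.exe"

[HKEY_LOCAL_MACHINE\iLLeGal]
"iLLeGal"=dword:00000003
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"""

if __name__ == "__main__":
    print(triage(INFECTED_EXPORT))
    print(triage(CLEAN_EXPORT))
```

On a live Windows host the same export is produced with "reg export HKLM holar.reg" before cleanup, which also preserves the counter value as evidence of how many times the sample ran; the file-level indicators (the 13,824-byte hidden MPLAYER.EXE in the system folder, SMTP.OCX, MMAILS.DLL) still need to be checked separately.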

Other Details

This worm is written in Visual Basic, a high-level programming language, and is compressed using the UPX compression utility.

Revision History:

First pattern file version: 4.794.05
First pattern file release date: Oct 25, 2007

SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 5.541.00

Pattern release date: Sep 14, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process from memory.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the process:
    %SYSTEM%\MPLAYER.EXE
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Windows Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  3. In the right panel, locate and delete the entry or entries:
    "iLLeGal" = "%System%\Mplayer.exe"
    *Where %System% is the Windows system directory, which is usually C:\Windows\System or C:\WINNT\System32.

Removing a Malware Entry in the Registry

  1. Still in the Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>iLLeGal
  2. Still in the left panel, delete this key:
    iLLeGal
  3. Close Registry Editor.

Deleting Malware Files

Delete these files from the Windows system folder:

  • Mplayer.exe (13,824 Bytes) Note: This dropped file is entirely different from the legitimate Windows file, MPLAYER.EXE, and should not be confused with that file. The legitimate file is usually located in the Windows folder and is not hidden like this dropped worm file. File size and attributes should be properly checked when deleting this file.
  • Illegal.exe

Deleting Dropped Files

Delete these non-malicious files that the worm has dropped in the Windows System folder of your computer:

  • SMTP.OCX (25,737 Bytes)
  • MMAILS.DLL (varies in size)

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_HOLAR.C. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
