PE_HANTANER.A

Malware type: File Infector

Aliases: Virus.Win32.HLLP.Hantaner.a (Kaspersky), W32/HLLP.Hantaner.a.worm (McAfee), W32.HLLP.Handy (Symantec), W32/Hantaner (Avira), W32/Hantaner-A (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Medium

Distribution potential:

Medium

Description: 

This virus infects .EXE files in the Kazaa shared folder and the Internet Explorer download folder. By infecting files in the Kazaa shared folder, it is able to spread via the popular peer-to-peer file-sharing network.

This virus contains a bug that causes it to corrupt some files during infection. It attempts to delete uncommon files, such as 010101.DAT and Hanta, from the Windows folder. These files are likely non-existent on most systems.

This virus runs on Windows 95, 98, ME, NT, 2000, and XP.

Description created: Dec. 27, 2002 7:05:57 AM GMT -0800
Description updated: Apr. 5, 2003 6:56:11 AM GMT -0800


TECHNICAL DETAILS


Size of malware: UPX compressed: 42,318 Bytes
Decompressed: 65,358 Bytes

Initial samples received on: Dec 27, 2002

Payload 1: Deletes uncommon files

Details:

This virus usually arrives as UPX-compressed code prepended to a host file. When the infected file is run, this virus begins its infection routine.

Infection Routine

After decompressing its code, it locates the shared folder of the KaZaa file-sharing program by checking the following registry entry:

HKEY_CURRENT_USER\Software\KaZaa\Transfer
DlDir0

If it does not find the registry entry, it checks another entry, "DownloadDir", from the same registry key to obtain the Kazaa shared folder.

It also locates the Internet Explorer download directory by checking the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\
Download Directory

This virus then locates all .EXE files in the Internet Explorer download directory and the Kazaa shared folder and infects the files as they are found. It infects by prepending its UPX-compressed code to the host files.

If none of the target folders exist, it simply terminates.

This virus contains a bug that causes it to corrupt some files during infection.
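A defender-side triage check for the infection routine described above, added here as an example and not part of the Trend Micro write-up: it resolves the target folders from the two registry values the page names, and flags an .EXE that carries two valid PE headers (a prepended virus image followed by the host) or the HANTA-Vjoiner string reported in the virus body. The two-header heuristic and the marker check are assumptions about how a prepended host looks on disk; the registry paths and the string are the page's.

```python
# Added example (not Trend Micro code). Registry paths and the marker string come
# from the write-up; the "two valid PE headers in one file" heuristic is an
# assumption about how a prepender-infected host looks on disk.
import struct

MARKER = b"HANTA-Vjoiner"      # text string reported in the virus body
MZ, PE_SIG = b"MZ", b"PE\0\0"

def pe_header_offsets(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew field points at a real 'PE\\0\\0'."""
    found, pos = [], data.find(MZ)
    while pos != -1:
        if pos + 0x40 <= len(data):             # room for the DOS header
            pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pe:pe + 4] == PE_SIG:
                found.append(pos)
        pos = data.find(MZ, pos + 1)
    return found

def triage(data: bytes) -> dict:
    """A host with the virus prepended shows two valid PE headers."""
    headers = pe_header_offsets(data)
    return {"pe_headers": headers,
            "prepended_host": len(headers) > 1,
            "hanta_marker": MARKER in data}

def target_folders() -> list:
    """Resolve the folders the virus enumerates (Windows only; [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    lookups = [(r"Software\KaZaa\Transfer", ["DlDir0", "DownloadDir"]),
               (r"Software\Microsoft\Internet Explorer", ["Download Directory"])]
    folders = []
    for subkey, names in lookups:
        for name in names:                      # first value that exists wins
            try:
                with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
                    folders.append(winreg.QueryValueEx(key, name)[0])
                break
            except OSError:
                continue
    return folders

def make_pe_stub(payload: bytes = b"") -> bytes:
    """Constructed minimal MZ/PE blob for testing; not a runnable executable."""
    hdr = bytearray(MZ) + bytearray(0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew -> right after DOS header
    return bytes(hdr) + PE_SIG + payload
```

On a Windows host, read each .EXE found under target_folders() and pass its bytes to triage(); a True prepended_host or hanta_marker result marks the file for quarantine and scanning.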

Payload

This virus attempts to delete uncommon files, such as 010101.DAT and Hanta, from the Windows folder. These files are likely non-existent on most systems.

Other Details

The following text strings can be found in this virus' body:

HANTA-Vjoiner ,si que lo hice yo,
ErGrone/GEDZAC...

eso va para los señoritos de PER, en especial a Machado, que no tiene la
educación necesaria para responder un E-Mail.

y para los que se enojaron con CPL, jeje, pa que ocupan Hotmail!!!,
teniendo miles de mailbox gratis y con mas espacio.
la Heuristica y contra una técnica antigua JoJOjOO-Escrito en Delphi 6!-


SOLUTION


Minimum scan engine version needed: 5.200

Pattern file needed: 1.412.00

Pattern release date: Dec 27, 2002


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and clean all files detected as PE_HANTANER.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
