Description
Win32.Hazafi.30720 is a virus which infects computers running Windows operating systems. The size of the virus's program module, packed with the FSG compression utility, is 12,800 bytes.
The virus propagates via e-mail, shared resources and file-sharing networks, copying itself to the shared folders of such networks.
It terminates several system processes, launches DoS attacks against certain web sites in Hungary, and infects executable files (.EXE files) by overwriting them with its malicious copy, which makes running certain programs, most of them antivirus software, impossible.
Launching
The virus is activated by a user by opening the viral attachment.
The worm points to its copy in the system registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
by adding the value _Hazafibb.
It also creates its own entry in the registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
Spreading
To propagate over the Internet via e-mail, the virus searches for e-mail addresses by scanning the local Windows Address Book and files on drives C through H that have the following extensions:
htm wab txt dbx tbb asp php sht adb mbx eml pmr
Addresses containing the following character sequences are excluded from the search:
win use info help admi webm micro msn hotm suppor syma vir trend panda yaho cafee sopho google kasper
For distribution the virus uses its own SMTP engine. The sender's address is spoofed. The text accompanying the message with the viral copy attached depends on the national language of the country to which the virus sends it. The attachment may have the extension .exe, .com or .pif.
To spread across file-sharing networks, the virus scans the hard drives of the affected system for folders with "share" or "upload" in their names and copies itself there as winamp 7.0 full_install.exe and Total Commander 7.0 full_install.exe.
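The persistence and file-sharing indicators described in the Launching and Spreading sections can be checked offline with the following added example (not code from the original description). It walks a registry export in .reg text format for the _Hazafibb Run value and marker key, and checks a list of file paths for the decoy installer names in "share"/"upload" folders; the registry export and paths below are constructed sample input.

```python
import re

# Indicators taken from the description above; sample inputs below are constructed.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb"
RUN_VALUE = "_Hazafibb"
DROP_NAMES = {"winamp 7.0 full_install.exe", "total commander 7.0 full_install.exe"}


def scan_registry_export(reg_text):
    """Walk a .reg export and return (indicator, detail) tuples for the
    Run value and the marker key the virus creates."""
    findings, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):  # "[key path]" header
            current_key = line[1:-1]
            if current_key.lower() == MARKER_KEY.lower():
                findings.append(("marker_key", current_key))
            continue
        m = re.match(r'"([^"]+)"\s*=\s*(.*)', line)  # "name"="data"
        if m and current_key and current_key.lower() == RUN_KEY.lower():
            if m.group(1) == RUN_VALUE:
                findings.append(("run_value", m.group(2).strip('"')))
    return findings


def scan_share_paths(paths):
    """Return paths in folders named with 'share' or 'upload' whose file name
    is one of the decoy installer names the virus copies there."""
    hits = []
    for p in paths:
        folder, _, name = p.replace("/", "\\").rpartition("\\")
        folder = folder.lower()
        if ("share" in folder or "upload" in folder) and name.lower() in DROP_NAMES:
            hits.append(p)
    return hits


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"_Hazafibb"="C:\\WINNT\\System32\\abcdefgh.exe"
"Updater"="C:\\Program Files\\Updater\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb]
"""
SAMPLE_PATHS = [
    r"C:\Program Files\Kazaa\My Shared Folder\winamp 7.0 full_install.exe",
    r"C:\Users\bob\Documents\notes.txt",
    r"D:\upload\Total Commander 7.0 full_install.exe",
]
```

Run `scan_registry_export(SAMPLE_REG)` and `scan_share_paths(SAMPLE_PATHS)` on a real export (regedit's File > Export) and a directory listing to check a machine for the same indicators.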
Action
To avoid repeated infection of the system with its copies, the worm creates a mutex called _Hazafibb. It drops two files into the Windows\System folder (in Windows 9x/ME it is C:\Windows\System, in Windows NT/2000 it is C:\WINNT\System32, in Windows XP it is C:\Windows\System32). The names of these files are composed of eight random characters and an .exe or .dll extension. Several more files, also randomly named and with the .dll extension, are placed by the virus in the same System folder; the virus stores the e-mail addresses harvested from the system in them.
The virus infects executable files (.EXE files). The content of the original file is deleted and replaced with a copy of the virus, which keeps the original file name.
The virus runs the default browser and opens a link already visited by users of the infected machine. The links are chosen at random from the following key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
The virus terminates the following system processes:
regedit msconfig task