Win32/Hadra [Threat Name]

Win32/Hadra.A [Threat Variant Name]

Category: worm
Size: 12249 B
Aliases: Email-Worm.Win32.Hadra (Kaspersky)
         Worm:Win32/Fobluda.A@mm (Microsoft)
         W32.Hyd@mm (Symantec)

Short description

Win32/Hadra.A is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\msserv.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "msservice" = "%windir%\msserv.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "msservice" = "%windir%\msserv.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "msservice" = "%windir%\msserv.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "msservice" = "%windir%\msserv.exe"

Spreading via e-mail

Win32/Hadra.A is a worm that spreads via e-mail.
The worm affects the behavior of the following applications:

  • Microsoft Outlook

When an e-mail is composed on the infected system, the worm can attach a copy of itself to the message.

The attachment is an executable of the worm.

The body of the message may start with one of the following:

  • [I-Worm.Hydra] ...by g1_st0rm of [mions]

Other information

The worm terminates various security-related applications.

The worm terminates any program that creates a window containing any of the following strings in its name:

  • AVP Monitor
  • AntiVir
  • Vshwin
  • F-STOPW
  • F-Secure
  • vettray
  • InoculateIT
  • Norman Virus Control
  • navpw32
  • Norton AntiVirus
  • Iomon98
  • AVG
  • NOD32
  • Dr.Web
  • Amon
  • Trend PC-cillin
  • File Monitor
  • Registry Monitor
  • Registry Editor
  • Task Manager

Win32/Hadra.A installs the following software:

  • SETI

The worm contains a list of 5 URLs.

It tries to download a file from these addresses using the FTP protocol.

The file is stored in the following location:

  • %windir%\msseti.exe

The following files are dropped:

  • %windir%\user_info.sah
  • %windir%\version.sah
  • %windir%\msseti.pif
  • %windir%\run_msseti.vbs
  • %windir%\msseti.bat

The worm executes the following files:

  • %windir%\run_msseti.vbs

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "msseti" = "WScript.exe %windir%\run_msseti.vbs"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    • "msseti" = "WScript.exe %windir%\run_msseti.vbs"

This way the worm ensures that the file is executed on every system start.
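The "msservice" entries from the Installation section and the "msseti" entries above all live in the Run/RunServices autostart keys, so one check covers both. The following is an added example, not ESET's code and not part of the worm: it scans a registry export (.reg text, e.g. from reg.exe export) for autostart values whose name or referenced file matches this description. The sample export embedded in the block is constructed for the demonstration.

```python
import re

# Autostart keys the worm writes to (HKCU/HKLM ...\Run and ...\RunServices).
AUTOSTART_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunServices)$", re.IGNORECASE)
# Value names and file names the description lists for the worm's persistence entries.
IOC_VALUE_NAMES = {"msservice", "msseti"}
IOC_FILE_NAMES = {"msserv.exe", "run_msseti.vbs"}
# A REG_SZ line in a .reg export looks like:  "name"="data"  (backslashes doubled).
VALUE_LINE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def find_hadra_autostart(reg_export):
    """Return (key, value_name, data) for every Run/RunServices entry in a
    .reg export whose value name or referenced file matches the worm."""
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section
            continue
        if current_key is None or not AUTOSTART_KEY_RE.search(current_key):
            continue                           # only autostart keys matter here
        m = VALUE_LINE_RE.match(line)
        if not m:
            continue                           # default value, DWORD, blank line, ...
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        # Basename of every token, so "WScript.exe C:\WINDOWS\run_msseti.vbs" is caught too.
        basenames = {tok.rsplit("\\", 1)[-1].lower() for tok in data.split()}
        if name.lower() in IOC_VALUE_NAMES or basenames & IOC_FILE_NAMES:
            hits.append((current_key, name, data))
    return hits

# Constructed sample export: one benign entry, two worm entries, one same-named value under a non-autostart key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msservice"="C:\\WINDOWS\\msserv.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msseti"="WScript.exe C:\\WINDOWS\\run_msseti.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"msservice"="not an autostart key, must not be reported"
'''

if __name__ == "__main__":
    for key, name, data in find_hadra_autostart(SAMPLE_REG_EXPORT):
        print(f"[{key}]\n  {name} = {data}")
```

A match only says the autostart value looks like the worm's; confirm by hashing the referenced file before acting on it.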

The worm attempts to delete the following file:

  • %windir%\system\Msconfig.exe
