Win32/Habaku [Threat Name]

Win32/Habaku.B [Threat Variant Name]

Category: worm
Size: 53248 B
Detection created: Dec 05, 2003
Detection database version: 1572
Aliases: W32.HLLW.Habaku (Symantec), W32/Habaku!p2p (McAfee)

Short description

Win32/Habaku.B is a worm that spreads via P2P networks.

Installation

When executed, the worm copies itself to the following locations:

  • C:\WINDOWS\VmmReg32.exe
  • C:\Progra~1\Intern~1\IEXPLORE.exe
  • C:\Progra~1\Micros~1\Office~1\WINWORD.EXE
  • C:\Progra~1\Micros~1\Office~1\EXCEL.EXE
  • C:\Progra~1\Micros~1\Office~1\POWERPNT.EXE
  • C:\Progra~1\Micros~1\Office~1\GRAPH.EXE
  • C:\Progra~1\Micros~1\Office~1\OSA.EXE
  • C:\Progra~1\Adobe\Acroba~1\Reader\AcroRd32.exe

The following files are dropped:

  • %currentfolder%\Habakkuk24.bat (5409 B)
  • C:\Docume~1\AllUse~1\StartM~1\Programs\Startup\Autoexec.vbs (79 B)

Spreading via P2P networks

Win32/Habaku.B may be spread via peer-to-peer networks.


The worm creates copies of itself in folders accessed by the following application:

  • Kazaa

The worm copies itself to the following locations:

Payload information

Win32/Habaku.B is a worm that deletes files in specific folders.


The worm deletes files whose names match one of the following wildcard patterns:

  • C:\Progra~1\Micros~1\Office~1\*a*
  • C:\Progra~1\Micros~1\Office~1\*e*
  • C:\Progra~1\Micros~1\Office~1\*i*
  • C:\Progra~1\Micros~1\Office~1\*o*
  • C:\Progra~1\Micros~1\Office~1\*u*
  • C:\Progra~1\Micros~1\Office~1\*y*
  • C:\Progra~1\Micros~1\Office~1\*l*
  • C:\Progra~1\AIM95\*a*
  • C:\Progra~1\AIM95\*e*
  • C:\Progra~1\AIM95\*i*
  • C:\Progra~1\AIM95\*o*
  • C:\Progra~1\AIM95\*u*
  • C:\Progra~1\AIM95\*y*
  • C:\Progra~1\AIM95\*l*

Other information

The worm may execute the following commands:

  • C:\WINDOWS\SYSTEM32\rundll32.exe keyboard,disable
  • C:\WINDOWS\SYSTEM32\rundll32.exe mouse,disable
  • C:\WINDOWS\rundll.exe keyboard,disable
  • C:\WINDOWS\rundll.exe mouse,disable

The worm blocks keyboard and mouse input.


The worm displays a window titled Virus Alert! that contains the following text:

  • You are infected with the Habakkuk [2:4] virus!

The following text is displayed:

  • How long, O LORD, must I call for help,
  • but you do not listen?
  • Or cry out to you, "Violence!"
  • but you do not save?
  • Why do you make me look at injustice?
  • Why do you tolerate wrong?
  • Destruction and violence are before me;
  • there is strife, and conflict abounds.
  • Therefore the law is paralyzed,
  • and justice never prevails.
  • Habakkuk[2:4]
