Win32/Himan [Threat Name]
Win32/Himan.A [Threat Variant Name]
Category | worm |
Size | 32256 B |
Aliases | Email-Worm.Win32.HiMan (Kaspersky) |
 | Backdoor.Shellbot (Symantec) |
 | Win32.HLLM.Himan (Dr.Web) |
Short description
Win32/Himan.A is a worm which tries to download other malware from the Internet. The worm can be used for sending spam.
Installation
The worm does not create any copies of itself.
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  - "WindowsUpdate" = "%malwarefilepath%"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - "WindowsUpdate" = "%malwarefilepath%"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
  - "ProductBuild" = "0|0|192.168.1.107:2500|500,2,60,10,50,3"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
  - "ProductBuild" = "0|0|192.168.1.107:2500|500,2,60,10,50,3"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
  - "AntiVirusDisableNotify" = 1
  - "FirewallDisableNotify" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
  - "EnableFirewall" = 0
The worm may create the following files:
- C:\log\__sm.txt
- C:\log\__log.txt
- C:\log\config.bot
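A triage sketch for the registry entries listed above, added here as an example and not part of the original description: it scans the text of a `.reg` export for those value names and data. The function names, the key-suffix matching rule, the "contains `|`" test for "ProductBuild" and the sample export are assumptions made for this example.

```python
import re

def dword(raw):
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None

# (key suffix, value name, test on the raw data), all taken from the listing above.
# Suffix matching ignores the hive and control-set number (a choice made for this example).
INDICATORS = [
    (r"\microsoft\windows\currentversion\run", "windowsupdate", lambda d: True),
    (r"\microsoft\windows\currentversion", "productbuild", lambda d: "|" in d),
    (r"\microsoft\security center", "antivirusdisablenotify", lambda d: dword(d) == 1),
    (r"\microsoft\security center", "firewalldisablenotify", lambda d: dword(d) == 1),
    (r"\firewallpolicy\standardprofile", "enablefirewall", lambda d: dword(d) == 0),
]

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            yield key, m.group(1), m.group(2)

def scan(text):
    """Return the (key, value_name, raw_data) entries that match an indicator."""
    return [(k, n, d) for k, n, d in parse_reg(text)
            for suffix, name, test in INDICATORS
            if k.lower().endswith(suffix) and n.lower() == name and test(d)]

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
"WindowsUpdate"="C:\\Users\\test\\Desktop\\sample.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"ProductBuild"="0|0|192.168.1.107:2500|500,2,60,10,50,3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, data in scan(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text to `scan`. A match is a lead for review, not a verdict.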
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a URL address. The TCP and SMTP protocols are used for communication.
It may perform the following actions:
- send mail
- download files from a remote computer and/or the Internet
- run executable files
The worm may create the following files:
- %temp%\%number%.exe
- %windir%\%number%.exe
%number% represents a random number.