Aliases: W32/Hardoc-A, W32/Hardoc@MM, Win32.Hardoc.A
Variants: hardoc, WORM_HARDOC.A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: North and South America, Africa, Asia, Europe, Australia
Removal: Easy
Platform: W32
Discovered: 10 Jul 2004
Damage: Low

Characteristics: As a type of mass mailing Worm, it is widely believed that an infection from the W32.Hardoc@mm malware comes from spiked email messages. This is primarily because it makes use of the entries in the Windows Address Book to find potential targets where it can send its malicious codes. The Worm exploits Multipurpose Internet Mail Extension vulnerabilities to automatically initiate an infection on any vulnerable computer system.

More details about W32.Hardoc@mm

A computer system infected with the W32.Hardoc@mm Worm would initially experience the display of a bogus message box that informs the user that there is not enough available memory in the machine. The malware would attempt to make the message box look as authentic as possible by using "Error" as title and placing an OK button that the user can click on to close the message box. The W32.Hardoc@mm at this point is already creating a copy of itself using an executable file format. It will create a new key value in the Windows Registry which it will associate with its executable file. This new entry will provide the W32.Hardoc@mm with the ability to launch each time the infected machine is powered up or rebooted.

After the W32.Hardoc@mm has successfully installed its executable file and created its Windows Registry key, it will proceed to harvest the contents of the Windows Address Book in an attempt to begin its propagation routine. Since the W32.Hardoc@mm has a built-in Simple Mail Transfer Protocol engine, it is capable of sending email messages discretely to the target computer systems. The email messages usually contain the text "!!! Power Point !!!" in the body of the message. The W32.Hardoc@mm will attach a file that is disguised as a screensaver but in actuality contains the malware's codes.