W32.Hawawi.Worm


Aliases: WORM_HOLAR.D, WORM_HOLAR.E, I-Worm.Hawawi.e, Win32.Holar.F
Variants: I-Worm.Hawawi, W32/Holar.d@MM, W32/Holar.e@MM, W32/Holar.h@MM

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 19 Mar 2003
Damage: Medium

Characteristics: The W32.Hawawi.Worm makes use of Internet paging clients and Instant Messaging applications to distribute itself across the Internet. It is also capable of sending spiked email messages because it is designed with its own Simple Mail Transfer Protocol engine. The Worm makes use of predefined subject lines and includes a PIF format file attachment. Like most Worm variants, it deceives the recipient into clicking on its file attachment to deliver its payload

More details about W32.Hawawi.Worm

Aside from the directory folder where the operating system is located, this malware also attacks the temporary and root directories of the infected hard drive in the compromised machine. The W32.Hawawi.Worm will place a text file on the root directory, an executable file in the temporary directory, and two executable files accompanied by a Dynamic Link Library file in the operating system's folder. Appropriate Windows Registry key values will be assigned by the W32.Hawawi.Worm to its executable files to establish itself in the infected computer system. It will share the contents of the operating system's folder using a Peer to Peer file sharing application. The W32.Hawawi.Worm will also share various program information file formats that are intentionally meant to disguise their true nature.

The email routine for the W32.Hawawi.Worm which makes use of its built-in Simple Mail Transfer Protocol engine can scan for the contents of the From address or use predefined addresses hard coded into the malware. The subject lines and message body appear to be randomly selected from a list that has also been coded by the malicious author into the malware. As much as possible the W32.Hawawi.Worm will attempt to give the email message an air of authenticity to prevent the recipient from suspecting that it is spiked. Files attacked by the W32.Hawawi.Worm will be overwritten with zero bytes making them unusable.