W32.Haytap@mm


Aliases: W32.Fakepatch@mm, W32/Haytap@MM
Variants: Email-Worm.Win32.Small.a

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 30 Apr 2006
Damage: Low

Characteristics: This specific computer system threat is identified in most reports as a type of mass mailing Worm. The W32.Haytap@mm has been observed to take advantage of certain vulnerabilities found in Instant Messaging clients allowing it to use the application as a transport mechanism. The Worm would normally harvest the contents of the computer user's contact list and attempts to send its codes directly to these remote machines.

More details about W32.Haytap@mm

On the initial execution of the W32.Haytap@mm malware, it will attempt to drop an executable file into the root directory of the target computer system. Some reports indicate that the newly created file may carry a hidden attribute to protect it from being deleted by the computer user. This routine is contrary to the common practice of other Worn variants that normally attack the directory folder of the operating system and use it as a storage location. After successfully writing its executable file the W32.Haytap@mm will proceed to append a key value for its EXE format file in the Windows Registry. The W32.Haytap@mm Worm will also use the Windows Registry to attain automatic startup status allowing it to be loaded simultaneously with the operating system.

When the W32.Haytap@mm successfully installs itself into the compromised computer system it will immediately attempt to collect all user names in the contact list of the Instant Messaging application. The W32.Haytap@mm will use these names as the basis for the sending of spiked email messages. The malware will normally append the domain associated with the Instant Messaging client to complete the email address of the recipient. The subject line would normally state that the attachment is an important program upload. The W32.Haytap@mm will always include an executable file attachment to every email message sent out.