W32.Hiton@mm


Aliases: WORM_HITON.A, W32/Hiton.a@MM
Variants: Win32.Hiton.A, W32/Hiton.gen@MM

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 02 Mar 2004
Damage: Low

Characteristics: W32.Hiton@mm is a mass-mailing worm that scans infected computer systems for email addresses. It uses the harvested addresses to target remote machines over the Simple Mail Transfer Protocol (SMTP), usually by hijacking the user's email account. The From line of the message is normally spoofed, and the attachment may be a ZIP, EXE, PIF, SCR or BAT file.

More details about W32.Hiton@mm

The first action of W32.Hiton@mm is to copy itself into the operating system directory as an executable whose filename closely resembles that of a legitimate system process. It also creates an accompanying Dynamic Link Library (DLL) file, which may be used to hook certain application functions. W32.Hiton@mm then modifies several Windows Registry values in order to establish itself on the host machine and to alter the behaviour of the web browser. The worm creates two further DLL files: one is used by W32.Hiton@mm to store the email addresses it has retrieved from the infected machine, while the other is a plain text file.

W32.Hiton@mm may overwrite any entries in the Windows Hosts file that refer to websites associated with antivirus vendors or system protection. The malware creates a new folder with the System and Hidden attributes set and places copies of itself in it under filenames that mimic legitimate antivirus applications. It then inspects the Windows Registry to locate installed peer-to-peer file-sharing applications. W32.Hiton@mm uses its own SMTP engine to deliver an infected email message to each of the collected email addresses.
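The Hosts-file tampering described above leaves a detectable trace: entries that map security-vendor hostnames to loopback, 0.0.0.0 or some unrelated address. The following defender-side check is an added example and not part of the original entry; the watched domain suffixes and the sample hosts content are constructed placeholders.

```python
import ipaddress
from typing import NamedTuple

# Constructed watch list of domain suffixes (assumption, not from the page).
# A real deployment would list the security vendors used in the environment.
WATCHED_SUFFIXES = ("example-av.test", "example-update.test", "security-vendor.test")


class HostsHit(NamedTuple):
    line_no: int
    address: str
    hostname: str
    blackholed: bool  # True when the mapping silences the host rather than redirecting it


def _is_blackhole(addr: str) -> bool:
    """Loopback or unspecified addresses block a host; anything else is a redirect."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def scan_hosts(text: str, suffixes=WATCHED_SUFFIXES) -> list[HostsHit]:
    """Return every hosts entry that maps a watched security domain, whatever the target."""
    hits = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            host = name.lower().rstrip(".")
            if any(host == s or host.endswith("." + s) for s in suffixes):
                hits.append(HostsHit(n, addr, host, _is_blackhole(addr)))
    return hits


# Constructed sample hosts content, not taken from a real infected system.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
127.0.0.1       www.example-av.test
0.0.0.0         update.example-update.test  liveupdate.example-update.test
10.0.0.5        intranet.corp.test
203.0.113.9     download.security-vendor.test   # redirected rather than blackholed
"""

if __name__ == "__main__":
    for hit in scan_hosts(SAMPLE_HOSTS):
        kind = "blackholed" if hit.blackholed else "redirected"
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address} ({kind})")
```

On a live Windows system the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; a legitimate hosts file should produce no hits at all.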