Aliases: W32/Hoots.worm, WORM_HOOTS.A
Variants: W32/Hoots-A, W32/Hoot.a

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 12 May 2006
Damage: Low

Characteristics: The presence of W32.Hoots on an infected system is normally attributed to poorly protected network shares: this network-aware worm relies on such shares to spread its code. It is possible, however, that it reaches a vulnerable machine through some other transport mechanism, such as malicious email messages or websites. It is also capable of manipulating resources such as network printers.

More details about W32.Hoots

Unlike most worm variants, this malware delivers its file components primarily into the user's Start Menu folder and the root directory of the main hard drive. The file components of W32.Hoots consist mainly of files in RLY, EXE and BAT format, all of which are used to deliver its payload. Most analysts believe that this worm carries no destructive payload. W32.Hoots has been observed to take control of a defined network printer and attempt to print a picture of an owl. The names of the target network printers are hard-coded into the W32.Hoots code, so network printers that are not on that list may be spared its payload routine.

Printing the owl picture with the text "O RLY?" on the network printer is the main payload routine of W32.Hoots. Once it has completed, the worm begins its propagation routine and attempts to place a copy of its file components onto the shared network drives it has identified. To gain access to protected network shares, W32.Hoots uses the Administrator username together with the text p3pp3r as the password. The worm was designed with a time-lapse mechanism that prevents it from spreading if the date is beyond May 10.
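The entry above names only the drop locations (the user's Start Menu folder and the root of the main drive) and the file types (RLY, EXE, BAT), not the actual file names. The following host scan is an added example written for this page, not code from the entry or from any vendor; it treats any .rly file in a watched location as the primary indicator and flags .exe/.bat files only when they sit beside one, so ordinary shortcuts and tools in the Start Menu do not produce noise. The Windows default paths in `default_windows_locations()` are assumptions built from the locations the entry describes, and the demo runs against a constructed temporary directory tree.

```python
import os
import tempfile
from pathlib import Path

# Extensions the entry attributes to the worm's file components.
SUSPECT_EXTS = {".rly", ".exe", ".bat"}


def _scan_dir(directory, recursive):
    """Scan one directory (recursively or top-level only) for the drop pattern."""
    findings = []
    directory = Path(directory)
    if not directory.is_dir():
        return findings
    if recursive:
        walker = ((Path(d), files) for d, _subdirs, files in os.walk(directory))
    else:
        # The entry says "root directory of the main hard drive", so for a
        # drive root only the top level is examined (walking C:\ is slow).
        walker = [(directory, [p.name for p in directory.iterdir() if p.is_file()])]
    for dirpath, files in walker:
        suspects = [f for f in files if Path(f).suffix.lower() in SUSPECT_EXTS]
        has_rly = any(f.lower().endswith(".rly") for f in suspects)
        for f in suspects:
            ext = Path(f).suffix.lower()
            if ext == ".rly":
                findings.append((str(dirpath / f), "RLY component in watched location"))
            elif has_rly:
                findings.append((str(dirpath / f), ext[1:].upper() + " component beside an RLY file"))
    return findings


def scan_locations(locations):
    """Return (path, reason) pairs for every file matching the described pattern.

    `locations` is a list of (path, recursive) tuples.
    """
    findings = []
    for path, recursive in locations:
        findings.extend(_scan_dir(path, recursive))
    return findings


def default_windows_locations():
    """Assumed defaults for a live Windows host (hypothetical, not from the entry)."""
    return [
        (os.path.join(os.environ.get("APPDATA", ""), r"Microsoft\Windows\Start Menu"), True),
        (os.environ.get("SystemDrive", "C:") + "\\", False),
    ]


def build_demo_tree(base):
    """Constructed sample tree: one Start Menu with the drop pattern, one clean root."""
    start_menu = Path(base) / "StartMenu"
    root = Path(base) / "root"
    start_menu.mkdir(parents=True)
    root.mkdir(parents=True)
    (start_menu / "owl.rly").write_bytes(b"constructed placeholder")       # indicator
    (start_menu / "dropper.bat").write_text("rem constructed placeholder\n")  # beside .rly
    (start_menu / "Notepad.lnk").write_text("")                              # benign
    (root / "setup.exe").write_bytes(b"")                                    # exe alone: ignored
    return [(str(start_menu), True), (str(root), False)]


def demo():
    """Run the scan over the constructed tree; returns the flagged base names, sorted."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = scan_locations(build_demo_tree(tmp))
        return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    for name in demo():
        print("suspect:", name)
```

On a real host, call `scan_locations(default_windows_locations())` instead of the demo tree; the `.rly` extension is the discriminating signal, since EXE and BAT files alone are far too common to alert on.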