W32.Huayu


Aliases: Bloodhound.Exploit.8, Worm.Win32.Huayu.a, Worm/Zusha.A, W32/Huayu.A.worm
Variants: Exploit-DcomRpc.gen, WORM_HUAYU.A, Worm/VC.B, NewHeur_PE

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: North and South America, Asia, Europe
Removal: Hard
Platform: W32
Discovered: 24 Oct 2004
Damage: Medium

Characteristics: This worm is capable of opening an unsecured backdoor on the compromised machine. It has been found to exploit the LSASS Buffer Overrun vulnerability of the operating system. W32.Huayu has a propagation routine that is based on the Internet Protocol address of the target computer system: it will primarily only trigger an infection if the Internet Protocol address falls in the range 211.159.93.0 to 211.159.93.255.

More details about W32.Huayu

Once the W32.Huayu worm has entered a vulnerable computer system, it creates an executable file in the operating system's directory. This file, which closely resembles a legitimate system process, is the worm's trigger file. After dropping the executable into the infected computer system, the worm appends new key values to the Windows Registry. These values point to the worm's executable and allow it to load automatically at system boot, right after the operating system. W32.Huayu also sends a notification alert to a specific address in the domain of a popular Web mail host server located in Canada.

The backdoor functionality of W32.Huayu is established on TCP port 887 of the host computer system. The worm exploits the LSASS Buffer Overrun vulnerability of the operating system using a technique that scans for Internet Protocol addresses in a specific range. If W32.Huayu succeeds in exploiting the vulnerability, the remote machine connects to a predetermined Internet address using the File Transfer Protocol. This hard-coded Internet address is the location where a copy of the worm's code is stored. The W32.Huayu file is then downloaded to the program files location on the hard drive.
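Defender-side detection logic for the network behaviour described in the two paragraphs above, as an added example that is not part of the original entry or any vendor's code. It parses constructed connection-log lines and flags three things the entry describes: connections on TCP port 887 (the backdoor), a single source touching many distinct hosts inside 211.159.93.0/24 (the propagation sweep), and a source that sweeps and then opens an FTP control connection on TCP 21 (the download of the worm copy). The log format, the field names, the FTP port mapping and the sweep threshold are assumptions, not details from the entry.

```python
"""Added detection example for the W32.Huayu network behaviour (not original code).

The log format below is an assumption: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>".
"""
import ipaddress
from collections import defaultdict

# Values taken from the entry above.
BACKDOOR_PORT = 887
TARGET_RANGE = ipaddress.ip_network("211.159.93.0/24")

# Assumptions: FTP control traffic on TCP 21, and how many distinct in-range
# destinations one source must contact before we call it a sweep.
FTP_PORT = 21
SWEEP_THRESHOLD = 5

# Constructed sample log. 10.0.0.5 sweeps the range and then talks FTP;
# 10.0.0.9 connects to the backdoor port on 10.0.0.5; 10.0.0.7 is benign.
SAMPLE_LOG = """\
2004-10-24T10:00:01 10.0.0.5 211.159.93.10 tcp 445
2004-10-24T10:00:02 10.0.0.5 211.159.93.11 tcp 445
2004-10-24T10:00:03 10.0.0.5 211.159.93.12 tcp 445
2004-10-24T10:00:04 10.0.0.5 211.159.93.13 tcp 445
2004-10-24T10:00:05 10.0.0.5 211.159.93.14 tcp 445
2004-10-24T10:00:06 10.0.0.5 211.159.93.15 tcp 445
2004-10-24T10:00:20 10.0.0.5 203.0.113.8 tcp 21
2004-10-24T10:00:30 10.0.0.9 10.0.0.5 tcp 887
2004-10-24T10:01:00 10.0.0.7 211.159.93.40 tcp 80
2004-10-24T10:01:05 10.0.0.7 198.51.100.20 tcp 443
"""


def parse_line(line):
    """Split one assumed-format log line into typed fields."""
    ts, src, dst, proto, port = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto.lower(),
        "port": int(port),
    }


def analyze(log_text):
    """Return the three indicator sets derived from the log text."""
    backdoor_connections = []            # (src, dst) pairs on TCP 887
    swept_targets = defaultdict(set)     # src -> distinct in-range dsts
    ftp_destinations = defaultdict(set)  # src -> FTP control-port dsts

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, dst = str(rec["src"]), str(rec["dst"])

        # Backdoor: any TCP connection to port 887, whichever side is internal.
        if rec["proto"] == "tcp" and rec["port"] == BACKDOOR_PORT:
            backdoor_connections.append((src, dst))

        # Sweep: count distinct destinations inside the hard-coded range,
        # independent of destination port.
        if rec["dst"] in TARGET_RANGE:
            swept_targets[src].add(dst)

        if rec["proto"] == "tcp" and rec["port"] == FTP_PORT:
            ftp_destinations[src].add(dst)

    sweep_sources = sorted(
        s for s, targets in swept_targets.items() if len(targets) >= SWEEP_THRESHOLD
    )
    # Correlation: a sweeping host that also fetched something over FTP matches
    # the "exploit, then download a copy" sequence the entry describes.
    sweep_then_ftp = {
        s: sorted(ftp_destinations[s]) for s in sweep_sources if s in ftp_destinations
    }
    return {
        "backdoor_connections": backdoor_connections,
        "sweep_sources": sweep_sources,
        "sweep_then_ftp": sweep_then_ftp,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sweep check deliberately ignores the destination port, because the entry only states that the worm scans addresses in that range, not which service it probes; tighten it to a specific port only once your own telemetry confirms one.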