Aliases: W32/Heiku, Win32/VMalum.DAMY infection, WORM_VB.GAW, trojan:win32/malagent, Email-Worm.Win32.VB.fz
Variants: W32/[email protected]!EAA62016, Win32:Rootkit-gen, I-Worm/Brontok.KH, TR/Crypt.CFI.Gen, Generic.Malware.SMDVWksprg.A1F7A0A3

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 27 Nov 2007
Damage: Low

Characteristics: An infection by W32.Heular typically lowers the security settings of the compromised machine. The worm spreads not only to the logical drives attached to the host computer but also to any connected removable storage devices. It is also classed as a browser hijacker because it modifies the Web browser's default homepage.

More details about W32.Heular

When first launched, the W32.Heular worm attempts to copy itself to multiple locations on the infected computer's hard drive. Its dropped components may use the EXE and SCR file extensions. In most cases it uses filenames that closely resemble those of system processes; in other cases it creates a file with a blank filename and an executable extension. The worm then places links to various adult websites in the Web browser's Favorites folder, writes a text file to the operating system directory, and uses the Windows Registry to establish itself on the infected system.

W32.Heular uses the Windows Registry to load itself automatically at system boot, to disable system tools and to alter the behaviour of the Web browser. It scans the contents of all local and removable storage devices. Each folder it finds is set to hidden and a copy of the worm with the same name and an EXE extension is placed beside it; because Explorer by default hides hidden items and hides known file extensions, the executable appears in the folder's place, and a user who opens what looks like the folder runs the payload instead. As part of its propagation routine the worm also places multiple executable and command files on floppy disks.
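The folder-impersonation trick described above (a hidden folder with a same-name executable beside it) and the blank-filename executable mentioned earlier are both straightforward to hunt for on a suspect drive. The following Python script is an added example, not code from the original page or from any vendor's tool; the extension list, the Entry record, the reason labels and the sample drive listing are assumptions constructed for illustration. On Windows it reads the real Hidden attribute from the file system; on other platforms it falls back to the dot-prefix convention so the logic can be exercised anywhere.

```python
"""Hunt for folder-impersonation worm artifacts on a drive.

Added example, not code from the page it accompanies. Flags:
  * hidden-folder-twin   a hidden directory "X" with a sibling "X.exe" (or other
                         executable extension) as the text describes
  * folder-twin          same pattern but the directory is not hidden (lower
                         confidence: could be a legitimately named installer)
  * blank-name-executable a file such as ".exe" with an empty name part
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumption: EXE and SCR come from the text; the rest are the usual Windows
# executable look-alikes. Extend for your environment.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif"}
FILE_ATTRIBUTE_HIDDEN = 0x02  # Windows attribute bit in os.stat().st_file_attributes


@dataclass(frozen=True)
class Entry:
    """One directory entry, reduced to what the check needs."""
    name: str
    is_dir: bool
    hidden: bool


def is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefix convention elsewhere."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def list_dir(path: str) -> List[Entry]:
    """Read one directory into Entry records (no recursion)."""
    with os.scandir(path) as it:
        return [Entry(e.name, e.is_dir(follow_symlinks=False), is_hidden(e.path))
                for e in it]


def split_name(name: str) -> Tuple[str, str]:
    """Split on the last dot so that ".exe" yields stem "" and ext "exe".
    (os.path.splitext would treat ".exe" as having no extension.)"""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext.casefold()


def find_impersonators(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return sorted (reason, filename) pairs for one directory listing."""
    entries = list(entries)
    # Case-fold: FAT and NTFS names are case-insensitive, so "photos.exe" twins "Photos".
    all_dirs = {e.name.casefold() for e in entries if e.is_dir}
    hidden_dirs = {e.name.casefold() for e in entries if e.is_dir and e.hidden}
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = split_name(e.name)
        if ext not in EXEC_EXTS:
            continue
        if stem == "":
            findings.append(("blank-name-executable", e.name))
        elif stem.casefold() in hidden_dirs:
            findings.append(("hidden-folder-twin", e.name))
        elif stem.casefold() in all_dirs:
            findings.append(("folder-twin", e.name))
    return sorted(findings)


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a mounted drive or folder and report (directory, reason, filename)."""
    out = []
    for dirpath, _dirs, _files in os.walk(root):
        for reason, name in find_impersonators(list_dir(dirpath)):
            out.append((dirpath, reason, name))
    return out


# Constructed listing of an infected removable drive, as the text describes it
# (sample data for the example, not a real capture).
SAMPLE_LISTING = [
    Entry("Photos", is_dir=True, hidden=True),        # real folder, now hidden
    Entry("Photos.exe", is_dir=False, hidden=False),  # worm copy shown in its place
    Entry("Backup", is_dir=True, hidden=True),
    Entry("Backup.scr", is_dir=False, hidden=True),   # SCR component, same trick
    Entry("Docs", is_dir=True, hidden=False),         # folder untouched
    Entry("Docs.exe", is_dir=False, hidden=False),    # twin of a visible folder
    Entry(".exe", is_dir=False, hidden=True),         # blank filename + executable ext
    Entry("readme.txt", is_dir=False, hidden=False),
]

if __name__ == "__main__":
    for reason, name in find_impersonators(SAMPLE_LISTING):
        print(f"{reason}: {name}")
```

Point scan_tree at the root of a mounted removable drive to triage it. A hidden-folder-twin hit is a strong indicator of this family of worm; a plain folder-twin is only a lead, since a user may legitimately keep an installer named after a sibling folder. Confirm any hit by hashing the flagged executable before deleting it and clearing the Hidden attribute on the folder it shadows.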