Win32/Hakaglan [Threat Name]

Win32/Hakaglan.AB [Threat Variant Name]

Category worm
Size 529920 B
Detection created Dec 19, 2007
Signature database version 2735
Aliases IM-Worm.Win32.Sohanad.bm (Kaspersky)
  W32/YahLover.worm.gen.virus (McAfee)
  Worm:Win32/Nuqel.A (Microsoft)
  W32.Imaut (Symantec)
Short description

Win32/Hakaglan.AB is a worm that spreads via removable media, shared folders and IM.

Installation

When executed, the worm copies itself to the following locations:

  • %system%\RVHOST.exe
  • %windir%\RVHOST.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "Explorer.exe RVHOST.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Yahoo Messengger" = "%system%\RVHOST.exe"

The worm schedules a task that causes the following file to be executed daily:

  • %system%\RVHOST.exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NofolderOptions" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
    • "AtTaskMaxHours" = 0

The worm executes the following commands:

  • %comspec% /c AT /delete /yes
  • %comspec% /c AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %system%\RVHOST.exe
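
The persistence and policy changes listed above can be checked on a host with the following PowerShell script. It is an added example, not part of the ESET entry, and assumes an elevated session on a Windows version that has Get-ScheduledTask (Windows 8 / Server 2012 or later); the function name Test-HakaglanIndicators is an assumption. The registry paths, value names (including the misspelled "Yahoo Messengger") and file locations are taken from the entry as written, with %system% expanded to $env:SystemRoot\System32 and %windir% to $env:SystemRoot.

```powershell
# Added example: audit a host for the indicators this entry lists for Win32/Hakaglan.AB.
# Not part of the ESET entry. Assumes an elevated PowerShell session; Get-ScheduledTask
# needs Windows 8 / Server 2012 or later. Paths and value names are taken from the entry.

function Test-HakaglanIndicators {
    $findings = @()

    # 1. Dropped copies: %system%\RVHOST.exe and %windir%\RVHOST.exe
    $dropPaths = @("$env:SystemRoot\System32\RVHOST.exe", "$env:SystemRoot\RVHOST.exe")
    foreach ($path in $dropPaths) {
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 2. Winlogon Shell hijack. The default value is just "explorer.exe"; the worm appends RVHOST.exe.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ine 'explorer.exe') {
        $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    }

    # 3. HKCU Run entry. The misspelled value name is what the entry lists, so it is matched verbatim.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = (Get-ItemProperty -Path $runKey -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue).'Yahoo Messengger'
    if ($runValue) { $findings += "Run entry 'Yahoo Messengger' = '$runValue'" }

    # 4. Policy values the worm sets to hide Folder Options and disable Task Manager and the
    #    Registry editor, plus the Schedule service value. Registry value names are case-insensitive.
    $policyChecks = @(
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions';      Bad = 1 },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1 },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';                  Name = 'AtTaskMaxHours';       Bad = 0 }
    )
    foreach ($check in $policyChecks) {
        $item = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($check.Name) -eq $check.Bad) {
            $findings += "$($check.Key) : $($check.Name) = $($check.Bad)"
        }
    }

    # 5. A scheduled task whose action runs the dropped file. The entry says the worm uses AT
    #    to run %system%\RVHOST.exe daily at 09:00; AT jobs are visible as scheduled tasks as well.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($task in Get-ScheduledTask) {
            foreach ($action in $task.Actions) {
                if ($action.Execute -and $action.Execute -imatch 'RVHOST\.exe') {
                    $findings += "Scheduled task '$($task.TaskName)' runs $($action.Execute)"
                }
            }
        }
    }

    return $findings
}

$hits = Test-HakaglanIndicators
if ($hits.Count -eq 0) { 'No Win32/Hakaglan.AB indicators found.' } else { $hits }
```

The Winlogon check compares against the stock value rather than searching for RVHOST.exe, so it also surfaces any other program appended to the Shell value; the file and Run-key checks are specific to the names this entry lists. A hit on the policy values alone is weaker evidence, since administrators sometimes set them deliberately.
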

Spreading on removable media

Win32/Hakaglan.AB is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following name:

  • New Folder.exe

The worm also copies itself into existing subfolders.

The name of the file may be based on the name of an existing file or folder. The extension of the file is .exe.

Spreading via shared folders

Win32/Hakaglan.AB is a worm that spreads via shared folders.

It copies itself into folders shared by remote machines using the following name:

  • New Folder.exe

The worm also copies itself into existing subfolders.

The name of the file may be based on the name of an existing file or folder. The extension of the file is .exe.
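
Spreading on removable media and via shared folders both use the same file naming, so one scan covers both. The following PowerShell function is an added example, not part of the ESET entry; its name Find-FolderMimicExecutables and its -Root parameter are assumptions. It walks a drive or UNC share, including subfolders, and reports .exe files named New Folder.exe or whose base name matches a sibling folder or file, which is the pattern the entry describes; it also notes whether the size matches the 529920 B listed for this variant.

```powershell
# Added example (not from the ESET entry): scan a removable drive or a network share
# for executables that follow the naming pattern described in the entry.
# Usage:  Find-FolderMimicExecutables -Root 'E:\' | Format-Table -AutoSize
#         Find-FolderMimicExecutables -Root '\\server\share' | Format-Table -AutoSize

function Find-FolderMimicExecutables {
    param([Parameter(Mandatory = $true)][string]$Root)

    $entrySize = 529920   # size listed for Win32/Hakaglan.AB in the entry
    $hits = @()

    # The root folder plus every subfolder, since the worm copies itself into subfolders too.
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $children = @(Get-ChildItem -LiteralPath $dir.FullName -Force -ErrorAction SilentlyContinue)
        $exes = $children | Where-Object { -not $_.PSIsContainer -and $_.Extension -ieq '.exe' }

        # Names an .exe in this folder could be imitating: sibling folder names and
        # the base names of sibling non-.exe files.
        $mimicTargets = @($children |
            Where-Object { $_.PSIsContainer -or $_.Extension -ine '.exe' } |
            ForEach-Object { if ($_.PSIsContainer) { $_.Name } else { $_.BaseName } })

        foreach ($exe in $exes) {
            $reason = $null
            if ($exe.BaseName -ieq 'New Folder') {
                $reason = 'named New Folder.exe'
            } elseif ($mimicTargets -icontains $exe.BaseName) {
                $reason = "base name matches sibling '$($exe.BaseName)'"
            }
            if ($reason) {
                $hits += [pscustomobject]@{
                    Path             = $exe.FullName
                    Reason           = $reason
                    SizeBytes        = $exe.Length
                    SizeMatchesEntry = ($exe.Length -eq $entrySize)
                }
            }
        }
    }
    return $hits
}
```

A name match on its own is only a lead: legitimate installers are sometimes named after the folder they sit in. A match whose size equals the listed 529920 B, or that sits beside a folder of the same name on a removable drive, is worth submitting to a scanner before the drive is used on another machine.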

Spreading via IM networks

Win32/Hakaglan.AB is a worm that spreads via IM networks.

The worm sends links to Yahoo! Messenger users.

The messages may contain any of the following texts:

  • E may, vao day coi co con nho nay ngon lam %malwareurl%
  • Vao day nghe bai nay di ban %malwareurl%
  • Biet tin gi chua, vao day coi di %malwareurl%
  • Trang Web nay coi cung hay, vao coi thu di %malwareurl%
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? %malwareurl%
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... %malwareurl%
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... %malwareurl%
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... %malwareurl%
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...%malwareurl%

If the link is clicked a copy of the worm is downloaded.

Other information

The following programs are terminated:

  • game_y.exe

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Bkav2006
  • System Configuration
  • Registry
  • Windows Task

The worm may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "IEProtection"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "BkavFw"

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of 2 URLs. The HTTP protocol is used.

The worm tries to download and execute several files from the Internet.

These are stored in the following location:

  • %system%\%variable%.exe

A string with variable content is used instead of %variable%.
