Discovered: March 19, 2003
Updated: February 13, 2007 11:44:39 AM
Also Known As: W32/Holar.d@MM [McAfee], W32/Holar.e@MM [McAfee], W32/Holar.h@MM [McAfee], WORM_HOLAR.D [Trend], WORM_HOLAR.E [Trend], I-Worm.Hawawi [KAV], I-Worm.Hawawi.e [KAV], Win32.Holar.F [CA]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Hawawi.Worm is a worm that spreads through email using its own SMTP server, ICQ, Yahoo Messenger, PalTalk, and KaZaA. The email message has one of many different Subject lines, such as:
- '''*< Love Speaks it all >*'''
- Co0o0o0o0oL
- Fw:
- Heeeeeeeeeeeeeeeey
- Wussaaaaaaaap?
- WoW But not for NoW
- Why Do We FOk?
The messages have an attachment with a .pif extension, usually Hawawi.pif or Hawa.pif.
W32.Hawawi.Worm has a payload of overwriting all the files that have the following extensions, with zero-byte files:
- mpeg
- rm
- wav
- sql
- mde
- php
- cpp
- swf
- ram
- mp3
- frm
- dpr
- rar
- mpg
- jpg
- pdf
- pps
- ppt
- txt
- htm
- html
- zip
- doc
- mdb
- xls
NOTE: A minor variant of W32.Hawawi.Worm was discovered on May 28, 2003. Detection for this was incorporated into the May 29, 2003 virus definitions.
Protection
-
Initial Rapid Release version March 19, 2003
-
Latest Rapid Release version August 20, 2008 revision 017
-
Initial Daily Certified version March 19, 2003
-
Latest Daily Certified version August 20, 2008 revision 016
-
Initial Weekly Certified release date March 19, 2003
Click for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
-
Wild Level: Low
-
Number of Infections: 50 - 999
-
Number of Sites: More than 10
-
Geographical Distribution: Low
-
Threat Containment: Easy
-
Removal: Moderate
Damage
Distribution
Writeup By: Douglas Knowles
