W32.HLLW.Cake

Discovered: September 09, 2003
Updated: September 10, 2003 6:19:23 PM
Systems Affected: Windows

W32.HLLW.Cake is a simple worm that propagates by sharing itself on the Kazaa and Grokster file-sharing networks.

W32.HLLW.Cake is a worm that uses the Kazaa and Grokster peer-to-peer file-sharing networks to propagate.

When the worm is executed, it creates the following copy of itself:
%Windir%\WinSth16.exe

It then adds the following values to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:

"WinSth16"="%Windir%\WinSth16.exe"
"DlDir1"="%Windir%\Fonts\caKe"
"Dir1"="%Windir%\Fonts\caKe"

Next, the worm modifies the registry key HKEY_CURRENT_USER\Software\Kazaa\Transfer to add the following value:

"DlDir1"="%Windir%\Fonts\caKe"

The worm then adds the value "Dir1"="%Windir%\Fonts\caKe" to the following registry keys:

HKEY_CURRENT_USER\Software\Grokster\LocalContent
HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent

Next, the worm creates the folder "%Windir%\Fonts\caKe" and creates the following copies of itself there:
All Microsoft Products CD Key Generator.exe
Awesome ScreenSaver.exe
Counter Strike - See Through Walls.exe
DeadAim 4.0 KeyGen.exe
EBOOK - Learn C++ in 21Days(2).exe
FastTrack Accelerator v1.3.1.exe
FLASH MOVIE-Hot Lesbian Sex Movie (12.51 Minutes).exe
iMesh 3.7b (beta).exe
KaZaA Media Desktop 2.x Ad-Remover.exe
Microsoft .NET hack.exe
Microsoft Visual C++ 6.0 Standard Edition.exe
Mirosoft Visual C++ Serial Generator.exe
MSN Password Hacker 5.7 (worked on my ex-girlfriend!).exe
World Of Warcraft (FULL) Installer and Downloader.exe
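
The registry values listed above can be checked for in a registry export taken from a suspect machine. The Python below is an added example, not part of the original write-up: it assumes the export is .reg text (as produced by `reg export`) already decoded to a string, and the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the write-up: (registry key, value name, tail of the data).
# %Windir% is expanded on a real host, so only the end of the path is compared.
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
CAKE = r"\Fonts\caKe"
INDICATORS = [
    (RUN, "WinSth16", r"\WinSth16.exe"),
    (RUN, "DlDir1", CAKE),
    (RUN, "Dir1", CAKE),
    (r"HKEY_CURRENT_USER\Software\Kazaa\Transfer", "DlDir1", CAKE),
    (r"HKEY_CURRENT_USER\Software\Grokster\LocalContent", "Dir1", CAKE),
    (r"HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent", "Dir1", CAKE),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse decoded .reg text into {key_lower: {name_lower: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def find_cake_indicators(reg_text):
    """Return (key, value name, data) for each indicator present in the export."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key, name, tail in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and data.lower().endswith(tail.lower()):
            hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSth16"="C:\\WINDOWS\\WinSth16.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"DlDir1"="C:\\Program Files\\Kazaa\\My Shared Folder"
'''
```

Version 5.00 exports are written as UTF-16, so read the file with `encoding="utf-16"` before passing its text to `find_cake_indicators`. The Kazaa value in the sample does not match because its download folder is not the worm's `Fonts\caKe` directory.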