W32.Hiton@mm


Discovered: March 02, 2004
Updated: February 13, 2007 12:18:26 PM
Also Known As: W32/Hiton.a@MM [McAfee], WORM_HITON.A [Trend], Win32.Hiton.A [Computer Associ
Type: Worm
Systems Affected: Windows


W32.Hiton@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses that it finds on an infected computer.

The worm spoofs the From field of the email. The attachment can have a .bat, .exe, .pif, .scr, or .zip file extension.

Antivirus Protection Dates

  • Initial Rapid Release version March 02, 2004
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version March 02, 2004
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date March 02, 2004


Writeup By: Yana Liu



When W32.Hiton@mm runs, it does the following:

  1. Copies itself as %Windir%\Svchost.exe.


    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location. The legitimate Svchost.exe on Windows NT/2000/XP resides in %System%, not %Windir%, so a Svchost.exe in the Windows folder is itself an indicator of this worm.

  2. Creates the file %System%\Mssvc.dll (44,036 bytes).


    Note: %System% is a variable. The worm locates the System folder and writes this component to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Adds the value:

    "Service Host Driver"="%Windir%\svchost.exe"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  4. Adds the value:

    "(Default)" = "%System%\mssvc.dll"

    to the registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
    InProcServer32

    so that Explorer.exe loads Mssvc.dll whenever it instantiates this COM class. The CLSID normally resolves to Webcheck.dll, which is why the removal instructions restore that path instead of deleting the value.

  5. Adds the value:

    "AutoRun"= "%Windir%svchost.exe"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Command Processor

    so that cmd.exe runs the worm each time a Command Prompt is started.

  6. Creates the following files:
    • %System%\Wsick32.dll, which the worm uses to store the email addresses it finds on the infected computer.
    • %System%\wsuck32.dll, which is a text file.

  7. May overwrite any line in one of the following files:
    • %System%\Drivers\etc\Hosts (when running on Windows NT/2000/XP)
    • %Windir%\Hosts.sam (when running on Windows 95/98/Me)

      if the line contains any of the following strings (all of which identify antivirus vendor Web sites):

    • grisoft
    • nai
    • networkassociates
    • vil.nai
    • nod32
    • bitdefender
    • f-secure
    • securityresponse.symantec
    • vsantivirus
    • openantivirus
    • norman
    • f-prot
    • ravantivirus
    • kaspersky
    • sarc
    • sophos
    • pandasoftware
    • antivirus
    • mcafee
    • trendmicro
    • symantec

  8. May create the folder:

    %Windir%\{21EC2020-3AEA-1069-A2DD-08002B30309D}


    and copy itself to this folder. The folder's attributes are set to Hidden and System. {21EC2020-3AEA-1069-A2DD-08002B30309D} is the CLSID of the Control Panel, so Explorer displays a folder with this name as the Control Panel rather than listing its contents. The file name is one of the following software titles, chosen to look like pirated software:

    • Wakeboard Unleashed
    • Veritas Backup Exec V91
    • ScanSoft OmniPage v14 Office
    • PowerDVD 5 Deluxe
    • Pinnacle Studio v9 Multilanguage
    • Symantec Norton Anti Spam 2004 Enterprise
    • Symantec Norton Anti Virus 2004 Enterprise
    • Symantec Norton Systemworks 2004 Enterprise
    • School Tycoon
    • Point of Attack 2
    • Onimusha
    • Nero_Burning_Rom_6_0_0_1_9
    • Microsoft Windows XP Media Center Edition 2004
    • Microsoft Windows XP SP2 No Activation
    • Microsoft Windows Server 2003
    • Microsoft Technet 2004
    • Microsoft Systems Management Server 2003
    • Microsoft Office NET
    • MCAfee Internet Security 6
    • L'Entraineur 4 Saison 2003-2004 Multilangue
    • Legacy of Kain - Defiance
    • Leadtools Multimedia Imaging Suite
    • Jack The Ripper
    • InstallShield DevStudio 9 SP1
    • Counter Strike - Condition Zero Online
    • Geomagic Studio V6
    • FIFA Football 2004
    • Easy CD Creator 7
    • Deep Sea Tycoon
    • Dead to Rights
    • Cyberlink PowerProducer 2 Gold
    • Borland C++ Builder X Enterprise
    • Borland JBuilder X Enterprise
    • Borland Delphi 8 Enterprise
    • AutoCAD Mechanical 2004 DX
    • Adobe Illustrator CS
    • Adobe InCopy CS
    • Adobe Atmosphere 1.0

      followed by one of these:

    • Keygen
    • Crack

      followed by one of these:

    • <blank>
    • .exe
    • .zip.pif
    • .scr

  9. Locates the following folders through registry keys:
    • ICQ directory
    • eDonkey2000 and eMule directories
    • The email directory of The Bat!
    • Current user's email application directory
    • Current user's application data directory and personal directory

  10. Retrieves email addresses from the files in these folders if the files have the following extensions:
    • .eml
    • .txt
    • .dbx
    • .hlp
    • .mht
    • .wab
    • .tbb
    • .htm

  11. Uses its own SMTP engine to send itself to all the email addresses it finds. The email has the following characteristics:

    From: <spoofed>

    Subject: The subject is one of the following:
    • TONA, you have to see this!
    • hey wuts up?
    • hey wuts up TONA?
    • Very funny
    • Useful
    • Happy Times :)
    • gift for you TONA :)
    • Attatchments
    • Hiiiiiii TONA
    • Hiiiiiii
    • Wait for more :)
    • elegant ppl should satisfy thier taste with elegant things ;)
    • heyyy TONA
    • heyyy
    • Heyyyyyyyy Lola Wussaaap??
    • Another one?
    • Hey Wussap?
    • Hey I thought you trusted me but ...
    • unknown
    • fake
    • leaked
    • stolen
    • information for you, TONA
    • information
    • warning
    • something for you
    • read it immediately
    • Undeliverable mail --
    • Server Report
    • Status
    • Returned mail --
    • Mail Delivery System
    • La Transazione Della Posta + venuto a mancare
    • La Transaction De Courrier A TchouT
    • Mail Transaction Failed
    • here|s the document you requested
    • here|s the document
    • Pr0n!
    • Here|s a nice Picture
    • here|s the archive you requested
    • New Internal Rls...
    • Do not release, its the internal rls!
    • hola TONA
    • hola
    • hello TONA
    • hello
    • hi TONA
    • Error
    • Ciao TONA
    • Ciao
    • Darling
    • Congratulations TONA!

    Message: The message is one of the following (TONA and FRNA are placeholders, evidently for the recipient's and the spoofed sender's names, that the worm fills in; ONCR marks a line break in the message text):
    • i found this amazing file in my Recycled , i know u love this kind of things ;)ONCRcyaaa
    • Hummm , i hope u accept this show as an apology.ONCRsave it for hard times
    • i will be waiting for u emaill to remind me of your self.
    • i'm fine , thanx for asking :) ONCRand thanx for the nice attachements.ONCRbut unfortunately, i don't remember you
    • you seem to be mad @ me coz i didn't send u anything for along time,ONCRi didn't forget u , but i was kinda busy , i've got all of ur emailsONCRthanx :) and i hope u accept this one as an apology.
    • i've got this surprise from a friend :)ONCRit really deserves a few minutes of your time.ONCRNever mind !
    • i thing the subject is enough to describe the attached file !ONCRcheck it out and replay your opinion
    • heyyyy i tried many times to send u this email but ur account was out of storage as i thinkONCRany way , make sure that i didn't and i won't forget u :)ONCRCya Forgotten :P
    • I've got your email , but you forgot to upload the attachments.ONCRDon't be selfish , i sent you all the files i have, send me anything :(
    • i just wanted to say sorry for last nightONCRand .. i wish u accept this as an apologyONCRbye dear
    • I can't be online tonight :(anyway , i sent u something u r gonna love ;)ONCRcya tomorrow
    • i lost FRNA's Email plzz send this file to her :)ONCRand tell her i can't be online tonightONCRBye
    • YO TONA , IM SICK OF UR EMAILS , IF U LOSE IT AGAIN I WONT GIVE IT TO U, SAVE ITONCRBYEEE
    • I forgot to tell u , the other file is with FRNA:) bye
    • Heyyyy TONAI lost the other email , anyway i sent u all u needONCRi have just got it , plz tell me if u need more.bye
    • Here is the FRNA ;) Dont tell Sam abt itONCRCya
    • i haven't ever thought i should send u my briefcase to gain ur Trust.ONCRHave it all :) bye
    • HEY TONA, call FRNA a virus text stealer =)
    • Hi TONA its FRNA.ONCRONCRI was shocked, when I found out that it wasn't you but your twin brother,ONCRthat's amazing, you're as like as two peas. No one in bed is better thanONCRyou TONA. I remember, I remember everything very well, that promised youONCRto tell how it was, I'll give you a call today after 9. He took my skirtONCRoff, then my panties, then my bra, he sucked my t**s, with the same furyONCRyou do it. He was writing alphabet on my pussy for 20 minutes, thenONCRsuddenly stopped, put me in doggy style position and stuck his dagger.ONCRBut TONA, why didn't you warn me that his dick is 15 inches long? I wasONCRstruck, we fucked whole night. I'm so thankful to you, for acquainted meONCRto your brother. I think we can do it on the next Saturday all threeONCRtogether? What do you think? O yes, as you wanted I've made a few picturesONCRcheck them out in archive, I hope they will excite you, and you will dreamONCRof our new meeting...ONCRONCRGreetz FRNA
    • something is fool
    • something is going wrong
    • you are bad
    • you try to steal
    • you feel the same
    • you earn money
    • misc
    • thats wrong
    • why?
    • take it easy
    • reply
    • do you?
    • that's funny
    • here, the cheats
    • here, the introduction
    • here, the serials
    • from the chatter
    • about me
    • information about you
    • something is going wrong!
    • stuff about you?
    • greetings
    • see you
    • here it is
    • that is bad
    • yes, really?
    • i found this document about you
    • your name is wrong
    • i hope it is not true!
    • kill the writer of this document!
    • something about you!
    • I have your password!
    • you are a bad writer
    • is that from you?
    • i wait for a reply!
    • is that your account?
    • is that your name?
    • is that true?
    • here
    • my hero
    • read it immediately!
    • here is the document.
    • read the details.
    • i'm waiting
    • ok
    • what does it mean?
    • anything ok?
    • Have a look at the attatchment.
    • That|s the answer to all your questions.
    • Here|s the document that you had requested.
    • Have a look the Pic attached !!
    • Real outtakes from Sex in the City!!ONCRAdult content!!! Use with parental advisory =)
    • Send me your comments.
    • The Archive is attached...
    • I have a document attached,ONCRwhich should solve your problems.
    • See the attached file for details.
    • Mail transaction failed. Partial message is available.
    • The message cannot be represented in 7-bit ASCII encodingONCRand has been sent as a binary attachment.
    • The message contains Unicode charactersONCRand has been sent as a binary attachment.
    • The message contains MIME-encoded graphicsONCRand has been sent as a binary attachment.
    • sendmail daemon reported: Error #804 occured during SMTP session.ONCRPartial message has been received.

    Attachment: The attachment is one of the following:
    • misc
    • party
    • disco
    • part2
    • mail2
    • object
    • ranking
    • dinner
    • release
    • final
    • location
    • jokes
    • friend
    • website
    • mails
    • story
    • found
    • nomoney
    • aboutyou
    • shower
    • ps
    • topseller
    • product
    • swimmingpool
    • bill
    • note
    • information
    • concert
    • textfile
    • posting
    • stuff
    • me
    • attachment
    • details
    • creditcard
    • message
    • talk
    • doc
    • msg
    • mail
    • body
    • document

    followed by one of the following:
    • .exe
    • .scr
    • .bat
    • .pif

    The worm may also send a zip archive as an attachment.
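
The following script is an added example and is not part of the Symantec writeup. It performs offline triage for the host-side artifacts described in steps 1 through 7: it parses a Registry Editor text export for the Run value, the Command Processor AutoRun value and the hijacked InProcServer32 default, and it scans hosts-file text for lines naming the antivirus vendors the worm targets. The function names, the SAMPLE_REG export and the SAMPLE_HOSTS file are all constructed here; feed it the output of `reg export` and a copy of the hosts file from a suspect machine.

```python
import re

# Registry locations from the writeup; registry key and value names are
# case-insensitive, so everything is lower-cased for lookup.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
CMD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor"
CLSID_KEY = (r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
             r"\InProcServer32")

# Substrings the worm looks for in hosts-file lines (list from the writeup),
# matched as plain substrings exactly as the worm does.
AV_STRINGS = [
    "grisoft", "nai", "networkassociates", "vil.nai", "nod32", "bitdefender",
    "f-secure", "securityresponse.symantec", "vsantivirus", "openantivirus",
    "norman", "f-prot", "ravantivirus", "kaspersky", "sarc", "sophos",
    "pandasoftware", "antivirus", "mcafee", "trendmicro", "symantec",
]

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse a Registry Editor / 'reg export' text dump into {key: {name: data}}.

    Only string (REG_SZ) data is unescaped; every entry the worm writes is a string.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def registry_findings(keys):
    """Return (indicator, value name, data) for each worm registry artifact."""
    findings = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        low = data.lower()
        # The real Svchost.exe lives in %System%; the worm's copy is in %Windir%.
        misplaced = low.endswith("svchost.exe") and "\\system" not in low
        if name == "service host driver" or misplaced:
            findings.append(("run-value", name, data))
    autorun = keys.get(CMD_KEY.lower(), {}).get("autorun")
    if autorun is not None:
        # cmd.exe executes this value at every start; it is rarely set legitimately.
        findings.append(("cmd-autorun", "autorun", autorun))
    default = keys.get(CLSID_KEY.lower(), {}).get("(default)")
    if default is not None and not default.lower().endswith("webcheck.dll"):
        # The hijacked CLSID normally resolves to Webcheck.dll.
        findings.append(("clsid-hijack", "(default)", default))
    return findings


def hosts_findings(text):
    """Flag hosts-file lines naming the antivirus vendors the worm targets.

    A default hosts file mentions none of them, so such a line is either the
    worm's tampering or an entry the worm will overwrite; review it either way.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        hits = [s for s in AV_STRINGS if s in line.lower()]
        if hits:
            findings.append((lineno, line, hits))
    return findings


def triage(reg_text, hosts_text):
    """Run both checks; empty lists mean no indicator was found."""
    return {"registry": registry_findings(parse_reg_export(reg_text)),
            "hosts": hosts_findings(hosts_text)}


# Constructed sample export from an infected profile (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Service Host Driver"="C:\\WINDOWS\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="C:\\WINDOWSsvchost.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\mssvc.dll"
"ThreadingModel"="Apartment"
'''

# Constructed sample hosts file after tampering (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       securityresponse.symantec.com
127.0.0.1       www.mcafee.com
10.0.0.5        fileserver.corp.example
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REG, SAMPLE_HOSTS).items():
        for item in items:
            print(kind, item)
```

Run it against `reg export HKCU` and `reg export HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}` output from the suspect machine; because the worm's Run value points at %Windir%\svchost.exe rather than %System%\svchost.exe, the check also catches renamed variants that keep the misplaced path.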



Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
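
The following mail-gateway check is an added example, not code from Symantec or from this writeup. It applies the attachment-blocking recommendation above to a parsed MIME message and, separately, matches the subject and attachment names against the templates listed in the description of the worm's email: executable extensions (including those inside a .zip attachment) are blocked outright, and a base name from the worm's attachment list combined with one of its extensions is reported as a match. The function names, the subject subset and the sample messages are constructed here; the attachment-name list is the complete one from the writeup.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the recommendations say to strip or block at the mail server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# The worm's attachment base names (complete list from the writeup).
HITON_ATTACHMENT_NAMES = {
    "misc", "party", "disco", "part2", "mail2", "object", "ranking", "dinner",
    "release", "final", "location", "jokes", "friend", "website", "mails",
    "story", "found", "nomoney", "aboutyou", "shower", "ps", "topseller",
    "product", "swimmingpool", "bill", "note", "information", "concert",
    "textfile", "posting", "stuff", "me", "attachment", "details",
    "creditcard", "message", "talk", "doc", "msg", "mail", "body", "document",
}

# A subset of the worm's subject lines; extend it from the list in the writeup.
HITON_SUBJECTS = {
    "Mail Transaction Failed", "Undeliverable mail --", "Returned mail --",
    "Mail Delivery System", "Server Report", "Status", "Error", "Hey Wussap?",
    "Pr0n!", "Very funny", "Useful", "Happy Times :)", "Wait for more :)",
}


def _ext(name):
    """Last extension of a file name, lower-cased ('' if none)."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def executable_names(name, data):
    """Names that would run if opened: the file itself, or executable zip members."""
    if _ext(name) in BLOCKED_EXTENSIONS:
        return [name]
    if _ext(name) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return [m for m in zf.namelist() if _ext(m) in BLOCKED_EXTENSIONS]
        except zipfile.BadZipFile:
            return [name]  # unreadable archive: treat as suspicious
    return []


def attachments(msg):
    """Yield (filename, decoded bytes) for every attachment part."""
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            yield name, part.get_payload(decode=True) or b""


def classify(raw):
    """Return {'block': bool, 'hiton_match': bool, 'reasons': [...]} for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    block, template_hit, reasons = False, False, []
    for name, data in attachments(msg):
        execs = executable_names(name, data)
        if execs:
            block = True
            reasons.append(f"executable content in {name!r}: {execs}")
        stem, ext = name.lower().split(".", 1)[0], _ext(name)
        if stem in HITON_ATTACHMENT_NAMES and (ext in BLOCKED_EXTENSIONS or ext == ".zip"):
            template_hit = True
            reasons.append(f"attachment name matches worm template: {name!r}")
    if subject in HITON_SUBJECTS:
        reasons.append(f"subject matches worm template: {subject!r}")
    # Subjects alone are generic; count one only alongside an executable attachment.
    hiton = template_hit or (subject in HITON_SUBJECTS and block)
    return {"block": block, "hiton_match": hiton, "reasons": reasons}


def build_sample(subject, filename, data):
    """Construct a test message in memory (not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached file for details.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def build_zip(member, data):
    """Construct an in-memory zip archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample("Mail Transaction Failed", "document.pif", b"MZ")))
    print(classify(build_sample("Hey Wussap?", "party.zip", build_zip("party.scr", b"MZ"))))
    print(classify(build_sample("Q3 report", "report.pdf", b"%PDF-1.4")))
```

The block decision depends only on the extension policy, so it keeps working when the worm's name lists change; the template match is the part that identifies this particular family and is the one to tune against false positives on ordinary "document.doc" style names.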



The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected as W32.Hiton@mm.
  4. Delete the values that the worm added to the registry, and restore the CLSID value it modified.
For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation or the Symantec knowledge base articles on disabling System Restore for your version of Windows.
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the same documentation.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available. Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Hiton@mm, click Delete.

4. Deleting the value from the registry


WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  4. In the right pane, delete the value:

    "Service Host Driver"="%Windir%\svchost.exe"

  5. Navigate to the key:

    HKEY_CURRENT_USER\Software\Microsoft\Command Processor

  6. In the right pane, delete the value:

    "AutoRun"= "%Windir%svchost.exe"

  7. Navigate to the key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

  8. In the right pane, double-click (Default)

  9. Change the Value data to one of the following:

    Windows NT/2000/XP:

    %SystemRoot%\System32\webcheck.dll

    Windows 95/98/Me:

    C:\Windows\System\webcheck.dll

  10. Exit the Registry Editor.


