W32.HLLW.Antinny.G

Discovered: March 19, 2004
Updated: March 21, 2004 12:58:12 AM
Systems Affected: Windows

W32.HLLW.Antinny.G is a variant of W32.HLLW.Antinny, a simple worm that propagates through a Japanese peer-to-peer file-sharing application called Winny. This variant is more malicious than variant E and the original Antinny: it attempts to delete all files on the C drive and attempts to leak sensitive personal information to the file-sharing network.

W32.HLLW.Antinny.G is a variant of W32.HLLW.Antinny, a worm that propagates through the Winny peer-to-peer file-sharing network. When the worm is executed, it displays a fake error message and creates a copy of itself in a randomly chosen folder, using one of the following filenames:

Svchost.exe
Spoolsv.exe
Explorer.exe
Winlogon.exe

It then creates a second, randomly named copy of itself: it takes the name of a randomly chosen file on the system and appends random characters to it. This copy is created in the same directory as the file whose name was borrowed.

It then creates the following registry value so that this randomly named copy is launched every time Windows starts:

"[randomly chosen program name]"="[path to worm]" [/logon, /start, /autorun or /startup]

under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The worm then attempts to delete files on the C drive. Following that, it overwrites %Windir%\Regedit.exe and %System%\Regedt32.exe with Notepad.exe. It then attempts to collect personal information by reading name, organization and e-mail address values from the registry. This information is stored in a text file.
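As an added defender-side triage example (not part of the Symantec write-up), the following PowerShell checks a host for the two indicators just described: Run values whose data ends in one of the worm's four switches and whose executable lives outside %Windir% or %System%, and a Regedit.exe or Regedt32.exe whose hash matches Notepad.exe. The function names, the regular expression and the assumption that the launched copy is referenced by a plain path are mine, not the worm's or Symantec's.

```powershell
# Added example, not from the original write-up. Assumes a Windows host
# with PowerShell 4 or later (for Get-FileHash).

$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wormSwitches = @('/logon', '/start', '/autorun', '/startup')   # switches from the write-up
$systemDirs   = @($env:windir, "$env:windir\System32") | ForEach-Object { $_.ToLower() }

function Get-SuspiciousRunEntries {
    # Flags Run values of the form "[path]" /switch where the switch is one of the
    # worm's four and the executable is NOT in %Windir% or %System% (the worm
    # drops its launched copy in an arbitrary directory, never a system one).
    $props = Get-ItemProperty -Path $runKey
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }        # skip PSPath, PSParentPath, etc.
        $data = [string]$props.$name
        # optional quotes around the path, then whitespace, then a single /switch
        if ($data -match '^\s*"?([^"]+?)"?\s+(/\S+)\s*$') {
            $exe    = $Matches[1]
            $switch = $Matches[2].ToLower()
            $dir    = ([string][System.IO.Path]::GetDirectoryName($exe)).ToLower()
            if ($wormSwitches -contains $switch -and $systemDirs -notcontains $dir) {
                [pscustomobject]@{ Value = $name; Executable = $exe; Switch = $switch }
            }
        }
    }
}

function Test-RegeditOverwritten {
    # The worm overwrites both registry editors with Notepad.exe, so their
    # hashes will be identical to Notepad's on an infected host.
    $notepadHash = (Get-FileHash -Path "$env:windir\System32\notepad.exe").Hash
    foreach ($file in @("$env:windir\regedit.exe", "$env:windir\System32\regedt32.exe")) {
        if (Test-Path -Path $file) {
            $same = (Get-FileHash -Path $file).Hash -eq $notepadHash
            [pscustomobject]@{ File = $file; MatchesNotepad = $same }
        }
    }
}

Get-SuspiciousRunEntries  | Format-Table -AutoSize
Test-RegeditOverwritten   | Format-Table -AutoSize
```

A hit from either function is a starting point for investigation, not proof of infection; confirm with the file's hash and signature before acting on it.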

The worm then creates a copy of itself in the Winny upload or download directory, selecting one of several hardcoded Japanese strings as its filename. It also creates an HTML file that executes the worm when opened. The HTML file has a .htm or .folder extension and a standard Windows icon. The worm then stores screen captures in the Winny upload or download directory.

Finally, the worm creates a .zip or .lzh archive containing the personal information and, possibly, a copy of itself, the HTML file, and the screen-capture image files. The archive is stored in the Winny upload or download directory.