Email-Worm.Win32.Heyya

Class Email-Worm
Platform Win32
Description

Technical Details

This is worm virus spreading being attached to Email messages, through IRC channels, infecting PE EXE files (Win32 executable files), VBS files and incorporating its copies to RAR and ARJ archives. The worm itself is Win32
executable file about 28Kb of length, and it infects Win32 machines only.

The worm has many bugs and in most of cases crash the system or corrupt files while infecting them.

Installing

When infected file is run, the worm copies itself to Windows system directory with one of the names randomly selects from following list depending on current day:

napster.exe
newbillgates.exe
HonNaCigana2.exe
FreeSoftGSM.exe
game.exe
call.exe

To access that copy later by its name the worm stores that name in Registry key:

HKLMSOFTWAREInfluenzaLab
MicrosoftOE = %wormname%

where %wormname% is the file name of worm copy (it will be used below as well).

The worm also copies itself to Windows directory with PornoChat.exe name and registers that file in Registry auto-run key:

HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
MicrosoftOE = %WinDir%PornoChat.exe

Updating

The worm is able to update itself. To do that it sets start page for MS Internet Explorer to “www.volny.cz/radix16/flu/update.gif”. As a result on
each Internet Explorer that GIF file is downloaded to affected machine. The worm then copies that file with C:updateFLU.gif name and processes it.

That can be not usual GIF image file – the worm looks for data that is attached to main GIF image data. The attached data has special format. It may contain a list of email addresses (it is stored to C:Heyya.txt file and is used later) and/or EXE file image.