P2P-Worm.Win32.Hofox

Class P2P-Worm
Platform Win32
Description

Technical Details

Hofox is a worm that spreads via P2P networks. Hofax is a Windows PE exe file; written in Visual Basic; about 49K in size.

During launch, the worm blocks the Norton Antivirus Auto Protect Service

Installation

Hofax registers itself as a launched application in the system registry key:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunworm

It then copies itself into:

C:My shared folder under the following names:

Norton Anti-Virus 2004.exe
How To Hack.doc.exe
Win XP Pro .exe
Windows Longhorn full beta version.exe
Norton Anti-Virus keygen.exe
Hotmail H4x0r.exe
Halo – Combat Evolced.exe
DivX Pro .exe
Super Encrypt.exe
PornViewer.exe
Panda internet security.exe
Paint Shop Pro 8.exe
Paint Shop Pro 9 beta.exe
McAfee Anti-Virus.exe

C:WindowsSystem32 under the following names:

Norton Anti-Virus.exe
Halo.exe
Dunno.exe
Your Ad Here.exe
Girls Peeing.exe
Hacking is fun.exe

Program FilesAccessories/Your Gay.exe

Manifestations

Launches:

  • charmap.exe and notepad.exe
  • Internet Explorer and connects to: http://www.ratemypoo.com

Destructive behaviour

Deletes files with the following extensions:

  • *.jpg
  • *.gif
  • *.mov
  • *.mpg
  • *.mpeg
  • *.avi
  • *.doc
  • *.pdf
  • *.txt,/ul>