F-Secure Virus Descriptions : Hadra
This is an Internet worm that spreads through e-mail as an attached
EXE file. The worm itself is a Win32 executable about 12 KB in
length, written in Visual Basic. The worm code is compressed with
the UPX Win32 EXE compression utility; unpacked it is about 26 KB
in size.
When the worm starts (when a user opens the attached EXE file), it
copies itself to the Windows directory under the name MSSERV.EXE
and registers that file in the Windows registry auto-run keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Each of these "Run=" keys then gets a string value that runs the
worm copy on each Windows start:
msservice = %WinDir%\msserv.exe
where %WinDir% is the main Windows directory.
Spreading
The worm then stays in Windows memory as a hidden application
(service), connects to MS Outlook and registers itself as a handler
for the MS Outlook "NewMail" and "ItemSend" events (i.e. the worm
attaches itself to MS Outlook events).
On "NewMail" (a new message has arrived) the worm checks whether the
message is its own message from another infected machine, and if so
deletes it: it opens the message, looks for an EXE attachment, and
deletes the message if that EXE attachment has the same length as
the worm's own EXE file.
On "ItemSend" (a message is being sent) the worm looks for already
attached files, takes the first one, replaces it with its own copy,
renames the attachment to .EXE, and then lets the message be sent.
If the message has no attachment, the worm attaches itself under an
eight-byte random name with the .EXE extension.
On Friday the 13th, from 13:00 until 14:00, the worm also adds the
following text to the beginning of the message body:
[I-Worm.Hydra] ...by gl_st0rm of [mions]
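The traits above give a mail administrator something to filter on: the worm always ends up as the first attachment, with an .EXE name (either the user's attachment renamed, or an eight-byte random name), and on Friday the 13th the body starts with the marker text. The following is an added example, not code from F-Secure or Kaspersky Labs, that checks parsed messages for those traits. It assumes the eight random bytes are alphanumeric (the description says only "eight bytes"), and the check for an MZ header is an extra sanity check not taken from the description. The sample messages are constructed here; the attachment bytes are filler, not the worm.

```python
"""Mail-side detection for the Hadra/Hydra traits described above.

Added example (not F-Secure's or Kaspersky's code). It checks parsed
messages for what the worm's outgoing mail looks like:
  * the first attachment is an .EXE (the worm either replaces the first
    attachment with itself and renames it to .EXE, or attaches itself
    under a random name),
  * that name is eight random characters plus .EXE (assumption: the
    random characters are alphanumeric; the page only says "eight bytes"),
  * the body starts with the Friday-the-13th marker text.
The sample messages are constructed here; the attachment bytes are
filler with an MZ header, not the worm.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import List, Optional

MARKER = "[I-Worm.Hydra] ...by gl_st0rm of [mions]"
RANDOM_EXE_NAME = re.compile(r"^[A-Za-z0-9]{8}\.exe$", re.IGNORECASE)


def hydra_indicators(raw: bytes) -> List[str]:
    """Return the list of Hydra indicators found in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=default)
    hits = []

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().lstrip().startswith(MARKER):
        hits.append("marker-text")

    # The worm always leaves its own copy as the first attachment.
    first = next(iter(msg.iter_attachments()), None)
    if first is not None:
        name = first.get_filename() or ""
        if name.lower().endswith(".exe"):
            hits.append("exe-attachment")
            if RANDOM_EXE_NAME.match(name):
                hits.append("random-8char-exe-name")
            payload = first.get_payload(decode=True) or b""
            if payload[:2] == b"MZ":          # Win32 executable header (extra check)
                hits.append("mz-header")
    return hits


def build_sample(body: str, attachment: Optional[str], content: bytes) -> bytes:
    """Constructed message for the example; not real traffic."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly numbers"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(content, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return bytes(msg)


FILLER_EXE = b"MZ" + b"\0" * 30              # filler bytes, not worm code
SAMPLES = {
    # normal mail with a spreadsheet attached (filler OLE header)
    "clean": build_sample("see attached", "numbers.xls",
                          b"\xd0\xcf\x11\xe0" + b"\0" * 28),
    # the user's attachment was replaced by the worm and renamed to .EXE
    "replaced": build_sample("see attached", "numbers.exe", FILLER_EXE),
    # no attachment originally: random eight-character name, Friday 13th marker
    "random-name": build_sample(MARKER + "\nsee attached", "kdjfhgls.exe",
                                FILLER_EXE),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} {hydra_indicators(raw)}")
```

The "exe-attachment" hit alone is the weakest signal (plenty of legitimate mail carried EXE attachments in 2001); the combination with the random-name pattern or the marker text is what a gateway rule should key on.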
Protection
The worm performs several actions to hide itself and to prevent
removal of its file and of the affected registry "Run=" keys. It
deletes the MSCONFIG.EXE file in the Windows system directory, and
looks for the following active applications and kills them
(terminates their processes):
"AVP Monitor"
"AntiVir"
"Vshwin"
"F-STOPW"
"F-Secure"
"vettray"
"InoculateIT"
"Norman Virus Control"
"navpw32"
"Norton AntiVirus"
"Iomon98"
"AVG"
"NOD32"
"Dr.Web"
"Amon"
"Trend PC-cillin"
"File Monitor"
"Registry Monitor"
"Registry Editor"
"Task Manager"
As a result the worm disables several types of anti-virus
protection and immediately closes Registry editors when they are
started.
The worm also tries to delete the F-Secure Anti-Virus and AVP
anti-virus databases.
Member of SETI Distributed Network
The worm installs and activates the SETI (Search for
Extraterrestrial Intelligence) client software on the affected
computer (see http://setiathome.berkeley.edu for more information
about SETI). The SETI software is downloaded by the worm into the
Windows directory under the name MSSETI.EXE from the following FTP
sites:
ftp://ftp.cdrom.com/pub/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.let.uu.nl/pub/software/winnt/setiathome-3.03.i386-winnt-cmdline.exe
ftp://ftp.cdrom.com/.2/setiathome/setiathome-3.03.i386-winnt-cmdline.exe
ftp://alien.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
ftp://setidata.ssl.berkeley.edu/pub/setiathome-3.03.i386-winnt-cmdline.exe
The worm also creates the following files in the Windows directory:
USER_INFO.SAH and VERSION.SAH, containing SETI-specific information
MSSETI.PIF, RUN_MSSETI.VBS and MSSETI.BAT, used to run the SETI program
and registers the RUN_MSSETI.VBS file in the Registry auto-run keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msseti = WScript.exe %WinDir%\run_msseti.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
msseti = WScript.exe %WinDir%\run_msseti.vbs
The USER_INFO.SAH file holds information about the SETI user; the
worm writes the following IDs there:
id=2199938
key=1603033966
email_addr=gl_storm@seznam.cz
name=GL_STORM
country=Czech Republic
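The registry values, file names and SETI IDs in this description are the host-side indicators an analyst would check on a suspect machine. The following is an added example, not code from F-Secure or Kaspersky Labs, that performs that triage offline against a REGEDIT4 text export of the registry (the four Run/RunServices keys listed under the first section) and a copy of the Windows directory (the MSSERV.EXE, MSSETI.* and *.SAH files listed in this section). It assumes the export uses the standard .reg escaping of backslashes and that USER_INFO.SAH is a plain key=value text file as shown above. The export text and directory contents below are constructed for the example; the file contents are filler, not the worm.

```python
"""Host-side triage for the Hadra/Hydra persistence and SETI indicators
listed above: the msservice/msseti Run and RunServices values, MSSERV.EXE,
the MSSETI.* and *.SAH files, and the IDs the worm writes to USER_INFO.SAH.

Added example (not F-Secure's or Kaspersky's code). It works offline on a
REGEDIT4 text export of the registry and a copy of the Windows directory,
so it can run against a disk image or a pulled export instead of the live
machine. The export text and directory contents below are constructed
for the example; the file contents are filler, not the worm.
"""
import os
import tempfile
from typing import Dict, List

RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
]
# value name -> file the value launches (from the description above)
WORM_VALUES = {"msservice": "msserv.exe", "msseti": "run_msseti.vbs"}
WORM_FILES = ["msserv.exe", "msseti.exe", "msseti.pif", "run_msseti.vbs",
              "msseti.bat", "user_info.sah", "version.sah"]
SAH_IDS = {"id": "2199938", "key": "1603033966",
           "email_addr": "gl_storm@seznam.cz", "name": "GL_STORM"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal REGEDIT4 parser: {lower-cased key path: {value name: data}}.
    Only "name"="data" string values are handled; that is all the worm sets."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # key paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
            keys[current][name.strip('"')] = data
    return keys


def registry_indicators(reg_text: str) -> List[str]:
    """Run/RunServices values that launch one of the worm's files."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            target = WORM_VALUES.get(name.lower())
            if target and target in data.lower():
                hits.append(f"{key}\\{name} = {data}")
    return hits


def file_indicators(windir: str) -> List[str]:
    """Worm files present in a Windows directory, plus matching SAH IDs."""
    present = {f.lower(): f for f in os.listdir(windir)}   # Windows names are case-insensitive
    hits = [name for name in WORM_FILES if name in present]
    if "user_info.sah" in present:
        fields = {}
        with open(os.path.join(windir, present["user_info.sah"]), errors="replace") as fh:
            for line in fh:
                k, sep, v = line.strip().partition("=")
                if sep:
                    fields[k] = v
        matched = [k for k, v in SAH_IDS.items() if fields.get(k) == v]
        if matched:
            hits.append("user_info.sah ids: " + ",".join(matched))
    return hits


def triage(reg_text: str, windir: str) -> Dict[str, List[str]]:
    return {"registry": registry_indicators(reg_text), "files": file_indicators(windir)}


# Constructed export: one benign Run value plus the worm's values.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"msservice"="C:\\WINDOWS\\msserv.exe"
"msseti"="WScript.exe C:\\WINDOWS\\run_msseti.vbs"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"msservice"="C:\\WINDOWS\\msserv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msservice"="C:\\WINDOWS\\msserv.exe"
"""


def build_sample_windir() -> str:
    """Constructed stand-in for a copied Windows directory (filler content only)."""
    windir = tempfile.mkdtemp(prefix="hydra-triage-")
    files = {
        "WIN.INI": "[windows]\n",
        "MSSERV.EXE": "MZ" + "\0" * 30,                      # filler, not the worm
        "RUN_MSSETI.VBS": "' placeholder, not the worm's script\n",
        "USER_INFO.SAH": "id=2199938\nkey=1603033966\n"
                         "email_addr=gl_storm@seznam.cz\nname=GL_STORM\n"
                         "country=Czech Republic\n",
    }
    for name, content in files.items():
        with open(os.path.join(windir, name), "w") as fh:
            fh.write(content)
    return windir


if __name__ == "__main__":
    for section, found in triage(SAMPLE_REG_EXPORT, build_sample_windir()).items():
        print(section)
        for h in found:
            print("  ", h)
```

The value names (msservice, msseti) and file names are the stable part of these indicators; the SAH IDs identify this particular build of the worm and would not survive a re-release under a different SETI account, so a hit on the file names without the IDs should still be treated as a match.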
[Kaspersky Labs and F-Secure Corp.; June 2001]