F-Secure
Tools
Worm:W32/Hairy.A
Summary
This malware was written in AutoIt scripting. It uses an icon of MS Winword.
Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Additional Details
Upon execution, it creates a file HarryPotter-TheDeathlyHallows.doc that has the following text and opens it using MS Winword:
It creates the folder C:\WINDOWS\Cache and copies itself as HarryPotter-TheDeathlyHallows.exe to the said folder. This file will be copied from drives C to J if present. It will also be copied to the folder C:\Documents and Settings\All Users\Desktop.
This malware creates a file named harry potter.txt which contains the following text:
It also creates autorun.inf which will be copied to file which has the following data. This file be copied from drives C to J if present.
After running itself, it will force restarting the infected machine.
Payload One
It deletes all existing scheduled tasks by rendering the following command:
Note: AT is the command-line for task scheduler.
It attempts to create the following tasks but due to some instability of the code, it might not create them all:
Note: This means that the file C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe will be run everyday at the specified time.
Payload Two
It changes the Windows Product Owner and Product ID causing Windows Genuine Advantage validation to be triggered. There then no longer appears to be a valid Windows Operating System. This is done by modifying the following registry keys:
Note: To check this, you can press WindowsLogo key + Pause/Break key
Payload Three
It changes Internet Explorer's Window Title to 'JK Rowling Owns You'. It changes the start page as well.
Payload Four
It disables/hides the following System tools:
Payload Five
It creates the following users:
Payload Six
It runs a batch file on every start of the infected machine that displays the following message:
This batch file is saved at C:\WINDOWS\Tempt\talk.bat. It creates the following registry key so that in every machine start up this batch will be executed:
- ---
Harry Potter is dead.
---
It creates the folder C:\WINDOWS\Cache and copies itself as HarryPotter-TheDeathlyHallows.exe to the said folder. This file will be copied from drives C to J if present. It will also be copied to the folder C:\Documents and Settings\All Users\Desktop.
This malware creates a file named harry potter.txt which contains the following text:
- ---
Harry Potter is a dumb kid,so is Daniel
.
Ron Weasley is ugly but who cares
.
Hermione is pretty and exploited but who cares?
.
Dumbledore is old and haggard but who cares?
.
JK Rowling was an ex-witch but who cares, betcha didnt know.
.
All we care is that......
.
Harry Potter is gonna die!
.
Okay, you can now get yourself a copy of the dumb Harry Potter book.
---
It also creates autorun.inf which will be copied to file which has the following data. This file be copied from drives C to J if present.
- [Autorun]
open=HarryPotter-TheDeathlyHallows.exe e
shellexecute=HarryPotter-TheDeathlyHallows.exe e
shell\Auto\command=HarryPotter-TheDeathlyHallows.exe e
shell=Auto
After running itself, it will force restarting the infected machine.
Payload One
It deletes all existing scheduled tasks by rendering the following command:
- AT /delete /yes
It attempts to create the following tasks but due to some instability of the code, it might not create them all:
- AT 8:30 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 9:00 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 10:30 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 11:00 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 12:30 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 13:00 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 14:30 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 16:30 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.ex
AT 17:00 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 18:30 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
AT 19:00 /every:M,T,W,TH,F,S,SU C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe
Note: This means that the file C:\WINDOWS\Cache\HarryPotter-TheDeathlyHallows.exe will be run everyday at the specified time.
Payload Two
It changes the Windows Product Owner and Product ID causing Windows Genuine Advantage validation to be triggered. There then no longer appears to be a valid Windows Operating System. This is done by modifying the following registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner = "Harry Potter"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductId = "HARRY-POT-TERHATE-SYOU1")
Payload Three
It changes Internet Explorer's Window Title to 'JK Rowling Owns You'. It changes the start page as well.
Payload Four
It disables/hides the following System tools:
- Task Manager
- Registry Editor
- Folder Options
- Windows File search
- Right-Click or Context Menu
- System Tray
- System Clock
- Windows Firewall
Payload Five
It creates the following users:
- Harry-Potter
- Ron-Weasley
- Hermione-Granger
Payload Six
It runs a batch file on every start of the infected machine that displays the following message:
This batch file is saved at C:\WINDOWS\Tempt\talk.bat. It creates the following registry key so that in every machine start up this batch will be executed:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
talk =C:\WINDOWS\Tempt\talk.bat