Win32.Hiton

Description

Win32.Hiton is an internet worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. It may arrive to users computers as .exe or .dll file, or be packed with WinZip. Regardless the extension its size is 44, 036 bytes.

The worm is capable of disseminating via e-mail and file-sharing networks.

Launching

To secure automatic execution of its copy SVCHOST.EXE at every Windows startup the worm changes two registry entries

HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run
\\\"Service Host Driver\\\" = %WinDir%\\\\SVCHOST.EXE
HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Command Processor
AutoRun = \\\"C:\\\\WINNT\\\\SVCHOST.EXE\\\"

Its .dll-formatted copy is also registered in the system registry

HKEY_CURRENT_USER \\\\CLSID\\\\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\\\
InProcServer32\\\\ (Default) = \\\"%SysDir%\\\\MSSVC.DLL\\\"

Spreading

Via e-mail
The worm can spread via –email using its own SMTP engine. In search of addresses it scans hard drives of the affected machine. The files with the following extensions are revised:

           .htm
           .mht
           .hlp
           .dbx
           .eml
           .tbb
           .txt
           .wab

The worm stores the retrieved addresses in wsick32.dll, created in the System folder. The mail message infected with the worm may look as follows:

The sender’s address is spoofed.

There can be no subject, or it may be chosen from the following list of possible subject (just few of them are sited here):

      *, you have to see this!
      hey wuts up?
      hey wuts up*?
      Very funny
      Useful
      Hiiiiiii
      Wait for more :)
       warning
      something for you
      read it immediately
      Undeliverable mail --
      Server Report
       Mail Delivery System
       here´s the document you requested
      here´s the document
      Pr0n!
      Here´s a nice Picture
      here´s the archive you requested
      New Internal Rls...
      Do not release, its the internal rls!
       hello*
      hello
      hi*
      hi
      Error
      Ciao*
      Ciao

where * is a recipient’s name.

The attachment may have the following names:

    document
    body
    mail
    msg
    doc
    talk
    message
    creditcard
    details
    attachment
    me
    stuff
    posting
    textfile
    concert
    information
    note
    bill
    swimmingpool
    product
    topseller
    ps
    shower
    aboutyou
    nomoney
    found
    story
    mails
    website
    friend
    jokes
    location
    final
    release
    dinner
    ranking
    object
    mail2
    part2
    disco
    party
    misc

The extension of the attachment may be. exe. .src, .htm (multiple spaces) .exe.

Propagation through file-sharing networks and mapped drives
The worm can spread through file-sharing networks. For this, it creates its own folder .{21EC2020-3AEA-1069-A2DD-08002B30309D} and copies itself there as key generator files or cracking utilities.

Action

Being executed, the worm drops two copies of itself into the System:

to the Windows folder - SVCHOST.EXE

to the System folder - MSSVC.DLL The worm collects names of file of the affected system and stores them in WSUCK32.DLL created in the System folder. These file names are used by the worm for attachment names enclosed to viral messages.

The worm may displays the following message:

Title:

Text:

Title:

Text:

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES