W32/Hotmatom.worm

This page shows the details and results of our analysis of the malware W32/Hotmatom.worm.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT: 4713 (2006-03-08)

Updated DAT: 4994 (2007-03-28)

Minimum Engine: 5.1.00

File Length: 204,800 bytes

Description Added: 2006-03-07

Description Modified: 2006-03-08

Characteristics

-- Update March 8, 2006 --
The risk assessment of this threat has been updated to Low-Profiled because of media attention:

http://www.informationweek.com/news/showArticle.jhtml?articleID=181501719

This is a worm written in Visual Basic with the following characteristics:

  • It propagates via MSN Hotmail.
    • The worm monitors browser windows to detect when MSN Hotmail is being used to compose a new message, and inserts text into that message containing a URL from which the worm is downloaded if the recipient clicks the link.
  • It deletes the files in the root of C: and A: and copies itself there in their place, under the original filenames with a .EXE extension appended.

Symptoms

  • Deletion of files from the root of C: and A:, with copies of the worm in their place under the same filenames but with a .EXE extension appended
  • Presence of the following Registry key:
    • HKEY_CURRENT_USER\Software\
      VB and VBA Program Settings\Worm\Atomix
  • A messenger (net send) message observed on the local network indicates that a machine on that network is infected
  • Windows Task Manager is disabled by the worm via the addition of the following Registry value:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\
      CurrentVersion\Policies\System "disabletaskmgr" = 1

Method of Infection

MSN Hotmail Monitoring

The worm attempts to lure victims into following a URL link, which downloads a copy of the worm and infects them. It monitors Internet Explorer windows to detect when a new message is being composed in MSN Hotmail, and adds one of the following texts to the message being sent (http:// removed from each link):

  • Hola, feliz dia de san valentin te hice una postal, descargala de aqui [removed]romanticsletters.miarroba.com
  • Hi, Happy San Valentin Day Download you Postcards from [removed]romanticsletters.miarroba.com
  • i want show you something, [removed]romanticsletters.miarroba.com
  • oye hasme un favor sip porfa, esque hice una postal para alguien pero quiero ver si se ve, ayudame, de aqui la descargas, yo la

A fake error message may be displayed when the worm is run (not observed in testing):

Title: Windows
Message: Error de datos

The worm installs itself into the following directory when executed:

  • %WINDIR%\CURSORES\DHO.EXE

If the %WinDir%\Cursores directory does not exist, installation fails, so the worm only works on OS language versions that have that directory (Cursores is the Spanish name of the Cursors folder, matching the Spanish lure texts). If installation succeeds, the following Registry value is added to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Atomix" = %WinDir%\cursores\dho.exe

The worm may also drop a batch file that restarts the machine after a short delay:

  • %WinDir%\system32\win_nt.bat

Using the net utility (net send), the worm sends the following message to machines on the local network:

  • Se ha detectado un virus muy peligroso en la red, descarge gratis el parche de esta pagina [removed]antivirusparcheatom.mi
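The following is an added example (not McAfee's tooling or code from this description) that turns the Symptoms and Method of Infection sections above into an offline triage check: it parses a registry export in .reg format and a root-directory listing, both constructed inline, and reports the marker key under VB and VBA Program Settings\Worm\Atomix, the disabletaskmgr policy value, the Atomix Run value pointing at %WinDir%\cursores\dho.exe, and root files that carry an appended .EXE extension and the worm's 204,800-byte length. The concrete path C:\WINDOWS in the sample export is an assumption; the description only gives %WinDir%.

```python
"""Offline indicator check for W32/Hotmatom.worm.

Added example, not McAfee's tooling. It parses a .reg export and a
root-directory listing, both constructed inline, and reports the
indicators listed in the description.
"""

# Registry locations and file length taken from the description.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Worm\Atomix"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE_LENGTH = 204_800  # "File Length" from the description

# Constructed .reg export of an infected user profile. The C:\WINDOWS prefix
# is an assumption standing in for %WinDir%.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Worm\Atomix]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"disabletaskmgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Atomix"="C:\\WINDOWS\\cursores\\dho.exe"
"""

# Constructed listing of the root of C: as (name, size in bytes).
ROOT_LISTING = [
    ("AUTOEXEC.BAT.EXE", 204800),   # original AUTOEXEC.BAT replaced by the worm
    ("CONFIG.SYS.EXE", 204800),
    ("NTLDR.EXE", 204800),          # ntldr normally carries no extension
    ("boot.ini", 210),
    ("pagefile.sys", 402653184),
]


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Handles the two value types the indicators need: quoted strings (with
    the doubled backslashes .reg files use) and dword values.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"')
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            else:
                value = raw.strip('"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def registry_findings(keys):
    """Return human-readable findings for the three registry indicators."""
    # Registry key and value names are case-insensitive, so compare lowered.
    lowered = {k.lower(): {n.lower(): v for n, v in vals.items()}
               for k, vals in keys.items()}
    findings = []
    if MARKER_KEY.lower() in lowered:
        findings.append("marker key present: " + MARKER_KEY)
    if lowered.get(POLICY_KEY.lower(), {}).get("disabletaskmgr") == 1:
        findings.append("Task Manager disabled: disabletaskmgr = 1")
    run_value = lowered.get(RUN_KEY.lower(), {}).get("atomix")
    if isinstance(run_value, str) and run_value.lower().endswith(r"\cursores\dho.exe"):
        findings.append("startup hook: Run\\Atomix = " + run_value)
    return findings


def suspect_root_files(listing):
    """Flag .exe files at the drive root whose size equals the worm's length.

    A name that still carries its original extension under the appended
    .EXE (AUTOEXEC.BAT.EXE) is the pattern the description gives; a plain
    .exe of the same size is reported with a weaker reason.
    """
    suspects = []
    for name, size in listing:
        lowered = name.lower()
        if not lowered.endswith(".exe") or size != WORM_FILE_LENGTH:
            continue
        reason = "appended .EXE extension" if "." in lowered[:-4] else "size matches worm"
        suspects.append((name, reason))
    return suspects


if __name__ == "__main__":
    for finding in registry_findings(parse_reg_export(REG_EXPORT)):
        print("[registry]", finding)
    for name, reason in suspect_root_files(ROOT_LISTING):
        print("[file]", name, "-", reason)
```

On a real case the export would come from `reg export HKCU` on the suspect machine or from the NTUSER.DAT of an acquired image, and the listing from the root of each affected drive; the size check alone is a weak signal, so it is paired with the double-extension pattern the description gives.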

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants