W32.Hedong.A@mm

SUMMARY

W32.Hedong.A@mm is a mass mailing worm which makes use of its own SMTP engine. Depending upon the system time, the worm sends either Hello.exe or Hello.vbs. The worm copies itself to %System%Exporler.exe.

Protection

• Virus Definitions (LiveUpdate™ Weekly) May 21, 2002
• Virus Definitions (Intelligent Updater) May 17, 2002

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: High
• Payload Trigger: Execution of the VBS file
• Payload: The VBS file will delete all files with ".exe", ".dll", ".dat", ".doc", or ".mp3" extensions from the machine. The Win32 file will send itself to a randomly generated e-mail address.
• Deletes Files: Hello.vbs will delete all files with ".exe", ".dll", ".dat", ".doc", or ".mp3" extensions from the machine.

Distribution

• Distribution Level: Low
• Subject of Email: varies
• Name of Attachment: hello.exe or hello.vbs
• Size of Attachment: 49,152 bytes or 2,301bytes

TECHNICAL DETAILS

W32.Hedong.A@mm is a mass mailing worm which makes use of its own SMTP engine. When it is executed, it does the following:

It attempts to connect to one of the following servers:

• smtp.citiz.net
• smtp.china.com
• smtp.sina.com
• smtp.263.net
• smtp.sohu.com
• smtp.163.net
• smtp.163.com

Next, it sends an email message which varies depending on the system time:

• If the system time is divisible by 3, it sends an email message with the attachment Hello.exe.
• If the system time is not divisible by 3 it sends the file Hello.vbs.

The worm generates all other email characteristics randomly:

• The "From" address will contain randomly generated characters followed by "@" and then the string following the "smtp." from the smtp server it selected to use to send the email messages. For example, if it chose to use "smtp.163.net", the from address could be any set of random characters followed by "@163.net".
• The "To:" address is constructed in the same way. The subject will be constructed of a randomly chosen subject containing Chinese text.

The worm also makes use of the Incorrect MIME Header exploit to allow automatic execution on unpatched computers.

The worm then copies itself to \%System%Exporler.exe.

NOTE: %System% is a variable. The worm locates the WindowsSystem folder (by default this is C:WindowsSystem or C:WinntSystem32) and copies itself to that location.

It configures that file to run every time that an executable file is run by changing the default value of the registry key

HKEY_LOCAL_MACHINESoftwareCLASSESexefile
shellopencommand

to

%System%Exporler.exe %1 %*

If the file that was executed was Hello.vbs, it performs the following additional actions:

It copies itself to \%System%MSKernel.vbs and %Windows%Win32Dll.vbs.

It adds the value

MSKernel32       %System%MSKernel32.vbs

to the registry key

HKEY_LOCAL_MACHINESoftwareMicrosoft
WindowsCurrentVersionRun

and the value

Win32Dll        %Windows%Win32Dll.vbs

to the registry key

HKEY_LOCAL_MACHINESoftwareMicrosoft
WindowsCurrentVersionRunServices

It also changes the Internet Explorer home page to http:/ /www.hziee.edu.cn.

Finally, Hello.vbs deletes from all local and mapped drives all files that it finds that have the .exe, .dll, .dat, .doc, and .mp3 extensions.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

To remove this worm, delete all files detected as W32.Hedong.A@mm. If the worm has executed, you also must:

• Restore the default value of the registry key HKEY_LOCAL_MACHINESoftware
  CLASSESexefileshellopencommand.
• Remove the values that it added to the registry.
• Restore the Internet Explorer home page.

Detailed instructions are in the sections that follow.

How to remove the worm

NOTE: If the worm has already run, you may have to do this last.

1. Obtain the most recent virus definitions. There are two ways to do this:
   • Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
   • Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
     
     Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
     
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Hedong.A@mm.

How to restore the default value of the registry key
HKEY_LOCAL_MACHINESoftware
CLASSESexefileshellopencommand

To edit the registry:
The worm modifies the registry so that an infected file is executed every time that you run an .exe file. Follow these instructions to fix this.

Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension and then run that file.

1. Do one of the following, depending on which operating system you are running:
   • Windows 95/98 users: Click Start, point to Programs, and click MS-DOS Prompt.
   • Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
   • Windows NT/2000/XP users:
     1. Click Start, and click Run.
     2. Type the following, and then press Enter:
        
        command
        
        A DOS window opens.
        
     3. Type the following, and then press Enter:
        
        cd winnt
        
     4. Go on to the next step.
        
2. Type the following, and then press Enter:
   
   copy regedit.exe regedit.com
   
3. Type the following, and then press Enter:
   
   start regedit.com
   

1. Proceed to the section "To edit the registry and remove keys and changes made by the worm" only after you have accomplished the previous steps.

NOTE: The Registry Editor will open in front of the DOS window. After you finish editing the registry and have exited Registry Editor, close the DOS window.

To edit the registry and remove keys and changes made by the worm:

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure you modify only the keys specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed. Consult a computer technician for more information.

1. Navigate to and select the following key:
   
   HKEY_LOCAL_MACHINESoftwareCLASSES
   exefileshellopencommand
   
   CAUTION: This key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the command subkey.
   Do not modify the HKEY_LOCAL_MACHINESoftwareCLASSES.exe key.
   Do modify the HKEY_LOCAL_MACHINESoftwareCLASSES
   exefileshellopencommand subkey that is shown in the following figure:
   
   
   <<=== NOTE: This is the key that you need to modify.
   
   
2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type: "%1" %*
   (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)
   
   NOTE: On Windows 95/98/NT, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*" On Windows 2000/XP systems, the additional quotation marks will not appear. On these systems, the (Default) value should look exactly like this: "%1" %*
   
4. Make sure that you completely delete all value data in the command key prior to typing the correct data. If a space is left accidentally at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C: <path and file name>."
5. Leave the Registry Editor open, and go on to the next section.

To remove the values that it added to the registry:

1. Navigate to and select the following registry key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoft
   WindowsCurrentVersionRunServices
   
2. In the right pane, look for and select the value
   
   Win32Dll        %Windows%Win32Dll.vbs
   
3. Press Delete, and then click Yes to confirm.
4. Navigate to and select the following key:
   
   HKEY_LOCAL_MACHINESoftwareMicrosoft
   WindowsCurrentVersionRun
   
5. In the right pane, look for and select the value
   
   MSKernel32       %System%MSKernel32.vbs
   
6. Press Delete, and then click Yes to confirm.

To reset the Internet Explorer home page:

1. Start Microsoft Internet Explorer.
2. Connect to the Internet, and go to the page that you want to set as your home page.
3. Click Tools, and then click Internet Options.
4. In the Home page section of the General tab, click Use Current, and then click OK.