
Virus Central - Detailed

Virus Information


Name:

W32.Hunch.C@mm

Aliases:

Bloodhound.W32.VBWORM

Type:

Worm

Discovery Date:

April 10, 2002

Detection:


Virus Description:

W32.Hunch.C@mm is a mass-mailing worm that modifies the Autoexec.bat file in an attempt to format drive C. It deletes all
.ocx, .sys, and .dll files from the C:\_RESTORE folder, and five other files that have a randomly chosen extension.

E-mail Subject:

<This varies depending on the originating file name>

E-mail Body:

Tal como te prometi; te envio mi foto en el archivo adjuncto... (Spanish: "As I promised you, I'm sending you my photo in the attached file...")

Attachment:

<This varies depending on the originating file name>

Virus Effects:

Payload: Will delete 5 files from the computer. Will also attempt to format the C Drive the next time the computer
restarts (Windows 95/98/Me).
Large scale e-mailing: Mails itself to all addresses in the Outlook Address book
Deletes files: Deletes 5 files with the extension .xls, .doc, .wav, .dwg, .mp3, .bak, .cdx, .bmp, .htm, .hlp, .chm,
.jpg, .cdr, .mdb, .dbf, or .ico.
Modifies files: Modifies Autoexec.bat to format the C Drive
Causes system instability: Deletes files used by the Windows Me Operating System to restore corrupted files.

W32.Hunch.C@mm is a mass-mailing worm. If it is run, it does the following:

    1. It sends itself to all contacts in the Microsoft Outlook address book. The message has the following characteristics:

    Subject: <This varies depending on the originating file name>
    Message: Tal como te prometi; te envio mi foto en el archivo adjuncto... (Spanish: "As I promised you, I'm sending you my photo in the attached file...")
    Attachment: <This varies depending on the originating file name>

    2. It displays a pornographic picture.
    3. It searches the C:\_RESTORE folder (Windows Me only) and deletes all .ocx, .sys, and .dll files from that folder.
    4. It copies itself as:
    • C:\Windows\System\Msoffice.Exe
    • C:\Windows\System\Thd16.Exe
    • C:\Windows\System\<Attachment file name>
    5. It adds the value

    THD16     C:\Windows\System\Thd16.Exe

    to the registry key

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

    6. It then deletes five files that have one of the following randomly chosen file extensions:
    • .xls
    • .doc
    • .wav
    • .dwg
    • .mp3
    • .bak
    • .cdx
    • .bmp
    • .htm
    • .hlp
    • .chm
    • .jpg
    • .cdr
    • .mdb
    • .dbf
    • .ico

      NOTE: It keeps a log of the deleted files in C:\Windows\System\ListWin.txt.
    7. Finally, it modifies the C:\Autoexec.bat file by adding the following command:

    DEL  > FORMAT C: /u /v:THD16 /autotest

    so that the next time that you start the computer (Windows 95/98/Me only) the hard drive is reformatted.
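The host and mail indicators in the steps above can be turned into a simple check. The following is an added example, not code from the write-up or from Symantec: every path, registry value, Autoexec.bat line and message string comes from the text above, while the HostSnapshot class, the function names and the sample data are this example's own constructed assumptions. It compares case-insensitively and with whitespace collapsed because DOS and Windows 9x file names and commands are not case sensitive, and it flags any other line that formats drive C even when it is not the worm's exact command.

```python
"""Host and mail indicator check for W32.Hunch.C@mm.

Every path, registry value and string below is taken from the write-up. The
snapshot class and the sample data are constructed for this example; nothing
here reads the real file system or registry.
"""
import re
from dataclasses import dataclass

# Indicators from the write-up (compared case-insensitively: DOS/Win9x paths
# and commands are not case sensitive).
WORM_FILES = (r"C:\Windows\System\Msoffice.Exe", r"C:\Windows\System\Thd16.Exe")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("THD16", r"C:\Windows\System\Thd16.Exe")
LOG_FILE = r"C:\Windows\System\ListWin.txt"
AUTOEXEC_LINE = "DEL  > FORMAT C: /u /v:THD16 /autotest"
MAIL_BODY = "Tal como te prometi; te envio mi foto en el archivo adjuncto..."


def _norm(s: str) -> str:
    """Lower-case and collapse runs of whitespace so spacing differences
    (the worm's line has two spaces after DEL) do not defeat the match."""
    return " ".join(s.split()).lower()


@dataclass
class HostSnapshot:          # assumed layout for this example
    files: set               # full paths present on the machine
    run_values: dict         # value name -> data under RUN_KEY
    autoexec: str            # contents of C:\Autoexec.bat


def check_host(snap: HostSnapshot) -> list:
    """Return one finding per indicator present in the snapshot."""
    findings = []
    present = {_norm(p) for p in snap.files}
    for path in WORM_FILES:
        if _norm(path) in present:
            findings.append(f"dropped file present: {path}")
    name, data = RUN_VALUE
    if _norm(snap.run_values.get(name, "")) == _norm(data):
        findings.append(f"persistence: {name} under {RUN_KEY}")
    if _norm(LOG_FILE) in present:
        findings.append(f"deletion log present: {LOG_FILE}")
    for lineno, line in enumerate(snap.autoexec.splitlines(), 1):
        if _norm(line) == _norm(AUTOEXEC_LINE):
            findings.append(f"Autoexec.bat line {lineno}: worm FORMAT command")
        elif re.search(r"\bformat\s+c:", _norm(line)):
            # Not the worm's exact line, but Autoexec.bat never legitimately
            # formats the boot drive, so report it anyway.
            findings.append(f"Autoexec.bat line {lineno}: unexpected FORMAT of C:")
    return findings


def is_worm_mail(body: str, attachment: str) -> bool:
    """Subject and attachment name vary with the originating file, so the fixed
    Spanish body text is the reliable mail-side indicator; an attachment must
    be present as well."""
    return bool(attachment) and _norm(MAIL_BODY) in _norm(body)


# Constructed sample data for a stand-alone run (an infected Windows 98 box
# and a clean one).
INFECTED = HostSnapshot(
    files={r"C:\Windows\System\MSOFFICE.EXE", r"C:\Windows\System\Thd16.Exe",
           r"C:\Windows\System\ListWin.txt", r"C:\Windows\Win.ini"},
    run_values={"THD16": r"C:\Windows\System\Thd16.Exe",
                "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"},
    autoexec="@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n"
             "DEL  > FORMAT C: /u /v:THD16 /autotest\n",
)
CLEAN = HostSnapshot(
    files={r"C:\Windows\Win.ini"},
    run_values={"ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"},
    autoexec="@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\n",
)

if __name__ == "__main__":
    for finding in check_host(INFECTED):
        print(finding)
    print("mail flagged:", is_worm_mail(
        "Tal como te prometi;  te envio mi foto en el archivo adjuncto...",
        "foto.exe"))
```

Against the constructed INFECTED snapshot the check reports all five indicators (both dropped executables, the THD16 Run value, ListWin.txt and the Autoexec.bat line); the CLEAN snapshot produces no findings.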

Removal Instructions:

Delete files that are detected as W32.Hunch.C@mm, delete the files that the worm added to the computer (if they still exist), remove the values that the worm added to the registry, and then remove the change that it added to the Autoexec.bat file.

CAUTION: If the worm has executed and you are running Windows 95/98/Me, do not restart the computer until you have finished with the entire procedure.

To delete the worm:
    1. Obtain the most recent virus definitions. There are two ways to do this:
    • Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
    • Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

      Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.
    2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
    3. Run a full system scan.
    4. If any files are detected as infected by W32.Hunch.C@mm, delete them.
    5. To be sure that all infected files have been removed, use Windows Explorer to look for and delete the following files:
    • C:\Windows\System\Msoffice.Exe
    • C:\Windows\System\Thd16.Exe
    • (Optional) C:\Windows\System\ListWin.txt (Deleting this file is optional. It contains a list of some of the deleted files. You may want to save this file to help you restore files that the worm deleted.)

To edit the registry:

CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    4. In the right pane, delete the following value:

    THD16     C:\Windows\System\Thd16.Exe

    5. Click Registry, and then click Exit.

To edit the Autoexec.bat file (Windows 95/98/Me only):

NOTE: (For Windows Me users only) Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. We recommend that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
    1. Click Start, and click Run.
    2. Type the following, and then click OK:

    edit c:\autoexec.bat

    The MS-DOS Editor opens.

    3. Look for the line

    DEL  > FORMAT C: /u /v:THD16 /autotest

    4. If it exists, select the entire line. Be sure that you do not select any other text, and then press Delete.
    5. Click File, and click Save.
    6. Click File, and click Exit.
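The three removal sections above (delete the dropped files, remove the Run value, strip the Autoexec.bat line) can be rehearsed on in-memory copies before touching a real machine. The following is an added example, not code from the write-up or from Symantec: the file paths, the registry value and the Autoexec.bat line are the ones given above, while the function names, the return shapes and the sample state are this example's own constructed assumptions. It removes exactly the worm's line and nothing else (step 4 of the Autoexec.bat section), deletes the THD16 value only when its data is the worm's path, leaves ListWin.txt in place as the record of what was deleted, and reports whether the machine is safe to restart.

```python
"""Remediation helpers mirroring the write-up's removal steps for W32.Hunch.C@mm.

They work on in-memory copies (constructed sample data below) so the result can
be checked before anything is deleted on a real machine. File paths, the
registry value and the Autoexec.bat line are from the write-up; the function
names and the data layout are this example's own assumptions.
"""
import re

WORM_FILES = (r"C:\Windows\System\Msoffice.Exe", r"C:\Windows\System\Thd16.Exe")
LOG_FILE = r"C:\Windows\System\ListWin.txt"   # left in place: it lists deleted files
RUN_VALUE_NAME = "THD16"
RUN_VALUE_DATA = r"C:\Windows\System\Thd16.Exe"
AUTOEXEC_LINE = "DEL  > FORMAT C: /u /v:THD16 /autotest"


def _norm(s: str) -> str:
    """Case-insensitive, whitespace-collapsed comparison key (DOS is not case sensitive)."""
    return " ".join(s.split()).lower()


def files_to_delete(present_files) -> list:
    """Step 5 of 'To delete the worm': the two dropped executables, if present.
    ListWin.txt is deliberately not listed, so the record of deleted files survives."""
    present = {_norm(p) for p in present_files}
    return [p for p in WORM_FILES if _norm(p) in present]


def remove_run_value(run_values: dict) -> tuple:
    """Step 4 of 'To edit the registry': drop THD16 only when its data is the worm's
    path, so an unrelated value that happens to share the name is left alone."""
    cleaned = dict(run_values)
    data = cleaned.get(RUN_VALUE_NAME)
    if data is not None and _norm(data) == _norm(RUN_VALUE_DATA):
        del cleaned[RUN_VALUE_NAME]
        return cleaned, True
    return cleaned, False


def clean_autoexec(text: str) -> tuple:
    """Step 4 of 'To edit the Autoexec.bat file': remove exactly the worm's line and
    nothing else, preserving line endings and every other line byte for byte."""
    kept, removed = [], 0
    for line in text.splitlines(keepends=True):
        if _norm(line) == _norm(AUTOEXEC_LINE):
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed


def remediate(present_files, run_values, autoexec_text) -> dict:
    """Run the three sections in the write-up's order and report whether the
    machine may be restarted: only once no line in Autoexec.bat formats C: any more."""
    cleaned_values, value_removed = remove_run_value(run_values)
    cleaned_autoexec, lines_removed = clean_autoexec(autoexec_text)
    still_formats = any(re.search(r"\bformat\s+c:", _norm(line))
                        for line in cleaned_autoexec.splitlines())
    return {
        "delete_files": files_to_delete(present_files),
        "run_values": cleaned_values,
        "run_value_removed": value_removed,
        "autoexec": cleaned_autoexec,
        "autoexec_lines_removed": lines_removed,
        "safe_to_restart": not still_formats,
    }


# Constructed sample state of an infected Windows 98 machine.
SAMPLE_FILES = [r"C:\Windows\System\MSOFFICE.EXE", r"C:\Windows\System\Thd16.Exe",
                r"C:\Windows\System\ListWin.txt"]
SAMPLE_RUN = {"THD16": r"C:\Windows\System\Thd16.Exe",
              "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun"}
SAMPLE_AUTOEXEC = ("@ECHO OFF\r\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\r\n"
                   "del  > format c: /u /v:thd16 /autotest\r\n"
                   "SET TEMP=C:\\TEMP\r\n")

if __name__ == "__main__":
    result = remediate(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_AUTOEXEC)
    for key, value in result.items():
        print(f"{key}: {value!r}")
```

On the constructed sample the plan lists the two dropped executables but not ListWin.txt, removes the THD16 value while leaving ScanRegistry, strips only the FORMAT line from Autoexec.bat (the lower-cased variant still matches because comparison is case-insensitive) and reports the machine as safe to restart.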



Site Last Updated: April 12, 2002
© Copyright 2001,2002 Lower Hudson Regional Information Center (LHRIC).