Win32/Haltura [Threat Name]

Win32/Haltura.NAE [Threat Variant Name]

Category worm
Size 29184 B
Detection created Jan 16, 2012
Detection database version 6799
Aliases W32.Shufa@mm (Symantec)
  Trojan.PWS.Qqshou.857 (Dr.Web)

Short description

Win32/Haltura.NAE is a worm that spreads via e-mail and shared folders.

Installation

The worm may create copies of itself using the following filenames:

  • C:\suck it.exe
  • C:\Windows\kernel.exe

Spreading via shared folders

The worm tries to copy itself into shared folders of machines on a local network.


The worm creates the following files:

  • \\%networkshare%\C$\Setup.exe (Win32/Haltura.NAE)
  • \\%networkshare%\C$\AutoExec.bat

Spreading via e-mail

Win32/Haltura.NAE is a worm that spreads via e-mail.


E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .asp
  • .htm
  • .html
  • .js
  • .txt
  • .vbs
  • .wab

The sender address is one of the following:

  • support@symantec.com
  • support@microsoft.com

Subject of the message is one of the following:

  • URGENT PLEASE READ!
  • Urgent Info

Body of the message is one of the following:

  • Open the attachment for an urgent Windows update
  • Open the attachment for an urgent update

The attachment is an executable of the worm.


The name of the attached file is the following:

  • Microsoft update.exe

The SMTP protocol is used.
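
A mail-filter check built from the sender, subject, body and attachment values listed above, as an added example that is not part of the original description. The function names, the rule of requiring the attachment name plus one more trait, and the sample message builder are assumptions of this example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Traits taken from the description above, lower-cased for comparison.
SENDERS = {"support@symantec.com", "support@microsoft.com"}
SUBJECTS = {"urgent please read!", "urgent info"}
BODIES = {"open the attachment for an urgent windows update",
          "open the attachment for an urgent update"}
ATTACHMENT = "microsoft update.exe"

def _norm(text):
    """Collapse whitespace and lower-case so folded headers still match."""
    return " ".join(text.split()).lower()

def haltura_traits(raw):
    """Return which described traits appear in one raw e-mail message."""
    msg = message_from_string(raw)
    hits = set()
    if parseaddr(msg.get("From", ""))[1].lower() in SENDERS:
        hits.add("sender")
    if _norm(msg.get("Subject", "")) in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if _norm(name) == ATTACHMENT:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if _norm(payload.decode("latin-1")) in BODIES:
                hits.add("body")
    return hits

def is_suspect(raw):
    # Assumption of this example: flag only the attachment name plus one more trait.
    hits = haltura_traits(raw)
    return "attachment" in hits and len(hits) >= 2

def sample(sender, subject, body, attach_name=None):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, subject
    m.set_content(body)
    if attach_name:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attach_name)
    return m.as_string()
```

The From address is forged by the worm, so the sender trait is only meaningful in combination with the attachment name.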
