Win32/Himan [Threat Name]

Win32/Himan.A [Threat Variant Name]

Category: worm
Size: 32256 B
Detection created: Sep 12, 2005
Detection database version: 0.11214
Aliases: Email-Worm.Win32.HiMan (Kaspersky)
         Backdoor.Shellbot (Symantec)
         Win32.HLLM.Himan (Dr.Web)
Short description

Win32/Himan.A is a worm which tries to download other malware from the Internet. The worm can be used for sending spam.

Installation

The worm does not create any copies of itself.

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WindowsUpdate" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WindowsUpdate" = "%malwarefilepath%"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
    • "ProductBuild" = "0|0|192.168.1.107:2500|500,2,60,10,50,3"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "ProductBuild" = "0|0|192.168.1.107:2500|500,2,60,10,50,3"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = 0

The worm may create the following files:

  • C:\log\__sm.txt
  • C:\log\__log.txt
  • C:\log\config.bot

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a URL address. The TCP and SMTP protocols are used in the communication.

It may perform the following actions:

  • send mail
  • download files from a remote computer and/or the Internet
  • run executable files

The worm may create the following files:

  • %temp%\%number%.exe
  • %windir%\%number%.exe

The %number% represents a random number.
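
The following PowerShell script is an added defender-side check, not part of the ESET description, that looks on a host for the artifacts this page lists: the "WindowsUpdate" Run-key persistence, the "ProductBuild" configuration string, the Security Center and firewall tampering values, the files under C:\log, and the %number%.exe payloads in %temp% and %windir%. The registry paths, value names and file paths are taken from the page; the regular expression for the "ProductBuild" value is derived from the sample value shown above, the search for purely numeric .exe names is a generalization of the %number% pattern (benign matches are possible), and the extra CurrentControlSet check is an assumption added because that is the control set in use on a running system.

```powershell
# Added host check for the Win32/Himan.A artifacts listed on this page.
# Not ESET's code; paths and value names come from the description above.

function Test-HimanArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Kind, [string]$Location, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }

    # 1. Run-key persistence: a value named "WindowsUpdate" in HKLM and HKCU Run.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['WindowsUpdate']) {
            Add-Finding 'Persistence' $key ('WindowsUpdate = ' + $props.WindowsUpdate)
        }
    }

    # 2. Bot configuration stored as "ProductBuild" = "0|0|<ip>:<port>|<numbers>".
    #    Pattern derived from the sample value on the page (assumption: the layout is fixed).
    $configPattern = '^\d+\|\d+\|[\d.]+:\d+\|'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['ProductBuild'] -and
            ([string]$props.ProductBuild) -match $configPattern) {
            Add-Finding 'Config' $key ('ProductBuild = ' + $props.ProductBuild)
        }
    }

    # 3. Security Center notifications suppressed and the standard-profile firewall disabled.
    $scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
    $sc = Get-ItemProperty -Path $scKey -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify') {
        if ($sc -and $sc.PSObject.Properties[$name] -and $sc.$name -eq 1) {
            Add-Finding 'Tampering' $scKey "$name = 1"
        }
    }
    # ControlSet001 is what the page lists; CurrentControlSet is added (assumption) because
    # it is the control set actually in use, normally a link to ControlSet001.
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        $key = "HKLM:\SYSTEM\$cs\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"
        $fw = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($fw -and $fw.PSObject.Properties['EnableFirewall'] -and $fw.EnableFirewall -eq 0) {
            Add-Finding 'Tampering' $key 'EnableFirewall = 0'
        }
    }

    # 4. Log and configuration files written under C:\log.
    foreach ($file in 'C:\log\__sm.txt', 'C:\log\__log.txt', 'C:\log\config.bot') {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            Add-Finding 'File' $file ('size ' + (Get-Item -LiteralPath $file).Length)
        }
    }

    # 5. Dropped payloads named %number%.exe: any .exe with a purely numeric base name
    #    in %temp% or %windir% (generalization of the page's pattern; benign hits possible).
    foreach ($dir in $env:TEMP, $env:windir) {
        if (-not $dir) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^\d+$' } |
            ForEach-Object { Add-Finding 'Dropped' $_.FullName ('size ' + $_.Length) }
    }

    return $findings
}

# Usage: run from an elevated prompt so HKLM and %windir% are fully readable.
Test-HimanArtifacts | Format-Table -AutoSize
```

Each finding is reported as an object with a Kind, Location and Detail, so the output can be filtered or exported rather than only read on screen. A "WindowsUpdate" Run value on its own is a lure name rather than proof of infection; the combination with the "ProductBuild" string and the Security Center values is what matches this description.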
