W32.Hoots


When W32.Hoots is executed, it performs the following actions:

  1. Creates the following files:

    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\O rly.exe
    • C:\o.rly
    • C:\check.exe
    • C:\not rly.bat
  2. Attempts to print the following picture of an owl on a series of hard-coded network printer names:

    O RLY?

  3. Attempts to spread by copying itself to the following network shares:
    • \\[SHARE NAME][RANDOM NUMBER]\C$\o.rly
    • \\[SHARE NAME][RANDOM NUMBER]\C$\check.exe
    • \\[SHARE NAME][RANDOM NUMBER]\C$\not rly.bat
    • \\[SHARE NAME][RANDOM NUMBER]\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\o rly.exe

      where [SHARE NAME] is one of the following strings:

    • hs219S
    • Hslca
    • Hslcb
    • Hslcc
    • Hslcd
    • IHSD

      The threat attempts to use the following user name and password when accessing network shares:

      User name: Administrator

      Password: p3pp3r

  4. Stops spreading if the date is later than May 10th.
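
The file names and share-name pattern listed above can be turned into a simple log check. The following Python sketch is an added example, not part of the original write-up. It assumes that [RANDOM NUMBER] appears as decimal digits and that the log lines contain the full path; the `path=` log format and the sample lines are constructed for illustration.

```python
import re

# Indicators copied from the write-up above.
SHARE_PREFIXES = ["hs219S", "Hslca", "Hslcb", "Hslcc", "Hslcd", "IHSD"]
DROPPED = [
    r"o.rly",
    r"check.exe",
    r"not rly.bat",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup\O rly.exe",
]

_prefix = "|".join(re.escape(p) for p in SHARE_PREFIXES)
_files = "|".join(re.escape(f) for f in DROPPED)

# \\<share name><digits>\C$\<dropped file>. Matching is case-insensitive because
# Windows host names and paths are. The lookahead rejects longer names (check.exe.bak).
REMOTE = re.compile(
    rf"\\\\(?P<host>(?:{_prefix})\d+)\\C\$\\(?P<file>{_files})(?![\w.\\])",
    re.IGNORECASE)
LOCAL = re.compile(rf"(?<![\w$])C:\\(?P<file>{_files})(?![\w.\\])", re.IGNORECASE)

# Constructed sample log lines (hypothetical format, not from a real system).
SAMPLE = [
    r"evt=write path=\\Hslcb12\C$\check.exe user=Administrator",
    r"evt=write path=\\fileserver01\C$\check.exe user=jdoe",
    r"evt=create path=C:\not rly.bat",
    r"evt=create path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\o rly.exe",
    r"evt=create path=C:\check.exe.bak",
    r"evt=write path=\\ihsd7\C$\o.rly",
]

def scan(lines):
    """Return (line_no, kind, host, file) for each line naming a listed artifact."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REMOTE.search(line)
        if m:
            hits.append((no, "remote-copy", m.group("host"), m.group("file")))
            continue
        m = LOCAL.search(line)
        if m:
            hits.append((no, "local-drop", None, m.group("file")))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A write to `C$` on a host that does not match the share-name pattern (line 2 of the sample) is deliberately not flagged, since only the hard-coded names are specific to this threat.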
