Detection files published: October 2, 2009
Description created: 2010-03-19
Description updated: 2010-03-19

Alias: Worm.Win32.AutoRun (Kaspersky), W32.Silly (Symantec), Worm:Win32/Cerohar (Microsoft), Heuristic.LooksLike.Worm.Autorun (McAfee GW Edition)
Spreading mechanism: Email, Network
Payload:
The Cerohar family of malware consists mostly of worms that propagate from one host to another. This variant may be a multi-packed executable, which protects its code from reverse engineering. Worms generally do not tamper with the host's files, but they load into system memory and can thereby slow down the computer's performance.
Worms of this type prefer to propagate via network shares or USB drives, or they are downloaded by another trojan. They also propagate via email attachments and even instant messaging. Typical worm functionality is to drop an autorun.ini that increases the speed of spreading through manual intervention.
After execution the malware drops an executable named HardCore, or a file with the extension .txt. It also creates registry entries. If a mutex or a process called HardCore is found, it is clear evidence that the machine is infected by this worm.
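The indicators named above (the HardCore mutex, Hardcore.exe and the dropped files) can be turned into a quick host triage check. This is an added example, not Norman's own code or tooling; it assumes the sandbox report lines are pasted verbatim, that the file checks run on the machine being examined, and that the mutex check is only possible on Windows (it is skipped elsewhere).

```python
import ctypes
import os
import re
import sys

# Indicator lines copied from the sandbox report on this page; bare "or" lines separate alternatives.
REPORT = """
* Creates file C:\\TEMP\\War Rock.lnk.
* Creates file C:\\Progra~1\\owned.txt.
or
* Creates file \\Hardcore.exe.
* Creates a mutex HardCore.
* Creates process "\\Hardcore.exe".
"""

# Matches '* Creates file <path>.', '* Creates a mutex <name>.', '* Creates process "<path>".'
LINE_RE = re.compile(r'^\* Creates (file|a mutex|process) "?(.+?)"?\.?$')


def parse_indicators(report):
    """Group the report's indicators by kind, deduplicated, in report order."""
    found = {"file": [], "mutex": [], "process": []}
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skips "or" separators and any non-indicator line
        kind = m.group(1).replace("a ", "")
        if m.group(2) not in found[kind]:
            found[kind].append(m.group(2))
    return found


def mutex_exists(name):
    """True if a named mutex is currently present (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access only
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


def check_host(indicators):
    """Return the file and mutex indicators that are present on this machine."""
    return {"file": [p for p in indicators["file"] if os.path.exists(p)],
            "mutex": [n for n in indicators["mutex"] if mutex_exists(n)]}
```

Run `check_host(parse_indicators(REPORT))` on a suspect machine; Windows resolves the 8.3 short name `Progra~1` itself, so the paths can be tested as written.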
[ DetectionInfo ]
* Filename: C:\Documents and Settings\19b9914a440d9c74100873698a.
* Sandbox name: .
* Signature name: NOT_SCANNED.
* Compressed: NO.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* File length: 98816 bytes.
* MD5 hash: 19b9914a440d9c7efc1014100873698a.
[ Changes to filesystem ]
* Creates file C:\TEMP\War Rock.lnk.
* Creates file C:\Progra~1\owned.txt.
or
* Creates file \Hardcore.exe.
or
* Creates file C:\Progra~1\hackhound.txt.
or
* Creates file C:\Progra~1\TR_bot_de.txt.
or
* Creates file C:\Progra~1\fullLogs.txt.
[ Changes to registry ]
[ Process/window information ]
* Creates a mutex HardCore.
* Attempts to open C:\TEMP\War Rock.lnk NULL.
* Creates a COM object with CLSID {3C374A40-BAE4-11CF-BF7D-00AA006946EE} : Microsoft Url History Service.
* Query interface {AFA0DC11-C313-11D0-831A-00C04FD5AE38}.
or
* Attempts to open \Hardcore.exe NULL.
* Creates process "\Hardcore.exe".
* Creates a mutex HardCore.
or
* Creates a mutex HardCore.
* Enumerates running processes.
* Creates a COM object with CLSID {3C374A40-BAE4-11CF-BF7D-00AA006946EE} : Microsoft Url History Service.
* Query interface {AFA0DC11-C313-11D0-831A-00C04FD5AE38}.
Norman's antivirus products are in general able to remove all malicious software that they detect.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Stopping network share infectors | | |
| Cleaning of back-up folders on Windows Me and XP | | |