W32/Hoots.worm

Type: Virus
SubType: Worm
Discovery Date: 05/12/2006
Length:
Minimum DAT: 4762 (05/15/2006)
Updated DAT: 4762 (05/15/2006)
Minimum Engine: 5.1.00
Description Added: 05/12/2006
Description Modified: 05/12/2006 9:46 AM (PT)

Risk Assessment
Corporate User: Low-Profiled
Home User: Low-Profiled

Characteristics

-- Update May 11th, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.crn.com.au/story.aspx?CIID=37699

Attempts to create the following files in the following locations:

Startup folder:
O rly.exe

Root of the c: drive:
o.rly
check.exe
not rly.bat

Attempts to print pictures of an owl to specifically named print queues.

Symptoms

Presence of the previously mentioned files.

Picture of an owl printed on network printers.

Method of Infection

This worm copies itself via open network shares.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview
This is a Visual Basic worm that copies itself to network shares and targets specifically named print queues.

For an EXTRA.DAT file for this threat please visit our Extra.DAT request page at:
http://www.webimmune.net/extra/getextra.aspx

Aliases

  • W32/Hoot.a (Sophos)
