The Hannuch worm is a trick with Windows

The Hannuch.A worm tries to spread on flash drives after changing certain settings in Windows.

The Hannuch.A worm spreads as a file called copy.exe, primarily through removable drives. Once on a computer, it creates a file in one of the Windows system directories and then makes sure it starts automatically each time the operating system loads.

Hannuch.A makes several changes to the registry. On Windows 2000, it makes it impossible for users to log off from the operating system in the regular way. It also removes “Folder Options” from My Computer to make its own removal more difficult. The worm sets the hidden attribute on its own file and tries to remain invisible with this simple trick.

When the Hannuch.A Trojan starts, it performs the following actions:

  1. Opens Windows Explorer and creates the following file:
    %System%\vhchosts.exe
  2. Creates the following entries in the registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\systray = “vhhosts.exe”
    HKCU\Software\chunhan\\\gay = “[the current day of the month]”
  3. Spreads through removable drives by copying a file called copy.exe and an autorun.inf onto them.
  4. Disables the "logout" option in Windows by modifying the registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff = “00000001”
    This change is effective on Windows 2000 only.
  5. Modifies the registry as follows:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = “00000001”
  6. Sets the hidden attribute on its own file.
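
The registry changes listed above can be checked for in an exported copy of the user hive. The following is an added example, not part of the original write-up: it assumes the hive was saved as text with `reg export HKCU` and already decoded, and the function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the write-up above. The page spells the dropped file both
# "vhchosts.exe" and "vhhosts.exe", so both spellings are matched.
CV = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEY = CV + r"\run"
POLICY_KEY = CV + r"\policies\explorer"
POLICY_VALUES = ("nologoff", "nofolderoptions")
MARKER_KEY = r"hkey_current_user\software\chunhan"
DROPPED = ("vhchosts.exe", "vhhosts.exe")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed sample in `reg export` text form (already decoded from UTF-16).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"systray"="vhhosts.exe"
"Updater"="C:\\Tools\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoLogoff"=dword:00000001
"NoFolderOptions"="00000001"
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\chunhan]
'''

def is_set(data):
    """True for dword:00000001 and for string forms such as "00000001"."""
    data = data.strip().lower()
    data = data[6:] if data.startswith("dword:") else data.strip('"')
    return data.lstrip("0") == "1"

def find_hannuch_indicators(reg_text):
    """Return (key, value_name, reason) for each indicator in the export."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key == MARKER_KEY or key.startswith(MARKER_KEY + "\\"):
                findings.append((key, None, "worm marker key"))
            continue
        m = VALUE_RE.match(line)
        name, data = (m["name"].lower(), m["data"].lower()) if m else ("", "")
        if key == RUN_KEY and name == "systray" and any(d in data for d in DROPPED):
            findings.append((key, name, "autostart entry"))
        elif key == POLICY_KEY and name in POLICY_VALUES and is_set(data):
            findings.append((key, name, "policy restriction"))
    return findings
```

Calling `find_hannuch_indicators(SAMPLE)` reports the Run entry, both Explorer policy values and the marker key, while the unrelated `Updater` and `NoDriveTypeAutoRun` values are ignored.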
