
Holar.H comes as "From: Dispatch@McAfee.com"


support66 (IS-IT--Management), Mar 30, 2003
Holar.H worm was found on 28th of May, 2003. It spreads over e-mail and Kazaa P2P networks. The worm was written in Visual Basic and is compressed with the UPX executable compressor.


Spreading through email

Holar.H searches through '.htm', '.html', '.txt' and '.dbx' files to collect email addresses. Using its own SMTP engine, it sends messages with infected attachments to these addresses.

The sender address of the email is taken from the user's default email settings.

System infection

When Holar.H infects a system it drops two files to the Windows System folder:

- explore.exe - worm body
- SMTP.ocx - SMTP extension for Visual Basic Applications

The worm then adds a registry value to ensure that it will be started when Windows starts:

'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run\Explore'


Payload

Holar keeps a counter in the registry value 'HKEY_CURRENT_USER\DeathTime'. If this counter reaches 30 the worm attempts to delete all files from drive C: and displays the following messages in several dialog boxes:


LOVE
PEACE
HOME
HAPPINESS


These things Can't be Found as long as Bush & Jews Are aLive :)
Made By ZaCker In 2003-03-30 :)

After displaying the last message box the system is restarted.
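The dropped files, the Run value and the DeathTime counter described in the post are all host-local indicators an administrator can check directly. The script below is an added example, not from the post or from the original vendor write-up; it assumes the names exactly as quoted above and that it is run as an administrator on the suspect machine.

```powershell
# Added example: look for the Holar.H indicators described in the post.
# Names (explore.exe, SMTP.ocx, Run value "Explore", HKCU value "DeathTime")
# are taken from the post; everything else is an assumption for this check.
$findings = @()

# 1. Dropped files in the Windows System folder
$sysDir = [Environment]::GetFolderPath('System')
foreach ($name in 'explore.exe', 'SMTP.ocx') {
    $path = Join-Path $sysDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "Dropped file present: $path ($($item.Length) bytes, written $($item.LastWriteTime))"
    }
}

# 2. Persistence: HKLM ...\CurrentVersion\Run value named "Explore"
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name Explore -ErrorAction SilentlyContinue
if ($run) {
    $findings += "Run value Explore = '$($run.Explore)' under $runKey"
}

# 3. Payload trigger: counter stored as value "DeathTime" directly under HKCU
$dt = Get-ItemProperty -Path 'HKCU:\' -Name DeathTime -ErrorAction SilentlyContinue
if ($dt) {
    $findings += "HKCU\DeathTime counter present, value = $($dt.DeathTime) (payload fires at 30)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero so a deployment tool can flag the host
} else {
    Write-Output 'No Holar.H indicators found on this host.'
    exit 0
}
```

The DeathTime check only covers the profile the script runs under, so run it once per user profile (or against each loaded hive under HKEY_USERS) on a shared machine.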

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top