Sophos

W32/Higuy-A

Aliases
  • I-Worm.Tettona
  • W32/Higuy@MM
  • WORM_HIGUY.A

Summary

Included in our products from November 2002 (3.63)
Detected by All Sophos products

Action

Please read the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
DllManager = <Windows folder>\dllmgr32.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Higuy-A is an internet worm with backdoor capabilities. It spreads via email by sending itself to addresses found in the Windows address book.

The email has the following characteristics:

English version:
Subject: Incredible..
Message text:
Hello,
see this interesting file.
Bye.

Italian version:
Subject:
"Qualsiasi cosa fai,falla al meglio." or
"Urgente! (vedi allegato)" or
"Incredibile.."
Message text:
line 1: Ciao,
line 2:
"okkio all'allegato ;-)" or
"apri subito l'allegato,e' molto interessante." or
"devi assolutamente vedere il file che ti ho allegato."
line 3: A presto...

Attached file: tattoo.exe, euro.exe or tettona.exe.

When run for the first time, the worm displays the fake error message
"VBRUN49.DLL not found! Unable to execute." It then copies itself into the Windows folder as dllmgr32.exe and sets the following registry entry so that it is run automatically each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
DllManager = <Windows folder>\dllmgr32.exe
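The removal procedure above has you export the registry before touching it; the same export can be scanned offline for the persistence entry the worm creates. The following is an added example, not Sophos code: it parses a constructed .reg export (the file name, paths and the "SystemTray" value are hypothetical) and reports any HKLM Run value named DllManager or pointing at dllmgr32.exe.

```python
import re

# Constructed sample of a .reg export (hypothetical paths); the "DllManager"
# value is the W32/Higuy-A entry described in the advisory.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"DllManager"="C:\\WINNT\\dllmgr32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_SZ_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside REG_SZ strings
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _SZ_LINE.match(line)
            if m:                          # only string values; dword/hex lines are ignored
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_higuy_persistence(text):
    """Return [(key, value_name, data)] for Run entries matching the W32/Higuy-A indicator."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            exe = data.strip('"').split("\\")[-1].lower()
            if name.lower() == "dllmanager" or exe == "dllmgr32.exe":
                hits.append((key, name, data))
    return hits
```

Run it against the Backup.reg you exported; an empty result means the entry is not present under HKLM, which the advisory says is the case on a clean machine.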
