Type Email worm
Date Discovered 28-JAN-2002
Place of Origin Ayacucho, Peru
Source Language Visual Basic
Platform Microsoft Windows
File Types .exe
Infection Length 151,552 bytes
Reported Costs

Hunch is an email worm from Peru that appeared in early 2002. It displays the crest of a Peruvian university before deleting files and attempting to format the hard drive. Later versions display pornographic images and succede in formatting the hard drive.


The University Crest

Hunch arrives in an email with a variable subject line that is the same as the attached executable. The message text is "Mensaje importante para [destinatario] en el archivo adjunto…" (Important message for [recepient] in the attached file). The attached file name containing the worm can be one of many things.

When the Hunch attachment is executed, it copies itself as THWIN.EXE and MSWORD.EXE to the Windows system folder. It modifies the registry keys HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices, both with the value THWIN=C:\WINDOWS\SYSTEM\THWIN.EXE to ensure the worm runs whenever the system is restarted. It displays a black and white image of the crest of San Cristóbal of Huamanga University.

Hunch selects five files in the Windows directory and any subdirectories for deletion from files with the following extensions: BAK, BMP, CDX, CHM, DBF, DOC, DWG, GIF, HLP, HTM, ICO, JPG, MDB, MID, MP3, SCR, TTF, WAV, and XLS. If it's on a Windows 9x system (95, 98, or ME), it will attempt to overwrite the AUTOEXEC.BAT file with code to format the C: drive. This invariably fails because of errors in the worm's code. It stores a list of the last five deleted files in the Windows system directory as ListWin.txt

It may sometimes make a copy of itself to the A: drive (most often a floppy) as UNSCH.doc.EXE. It will also copy itself to this drive as a file name it finds on the drive but with an .exe extension. For example, if it finds a file named File.doc on the A: drive, it may select this name and copy itself as File.doc.EXE. It will set the attributes of the original file to hidden. It stores a list of the names of files it has used to the Windows System directory as WinList.txt.

Hunch sends itself to all addresses in the Outlook address book. It tailors the message body for each recepient, using the given and family name found with the email address. For example, if it finds the email address ur.liam|vonrimsi#ur.liam|vonrimsi with the full name Ivan Smirnov, it will send an email with a message body "Mensaje importante para Ivan Smirnov en el archivo adjunto…".



This variant comes in a message with a message body of "Tal como te prometí; te envío mi foto en el archivo adjunto…" (Just as I promised you; I send you my photo in the attached file…). The subject and attachment name will be the same as the original file name. It copies itself to the Windows system folder as Thd16.exe, Msoffice.exe, and [attachment name].exe. It adds the value THD16 = C:\Windows\System\Thd16.exe to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ so it runs on startup.

Hunch.C neglects to delete the files GIF, MID, SCR, and TTF, though it adds files with extension CDR. It records the names of the files it deletes in the file ListWin.txt stored in the Windows System folder. It also displays a pornographic image.


This variant is very simialar to Hunch.C. It shows a pornographic image, this time with the face of the person in the pictures visible.


Hunch.E, also known as Dejas, is functionally similar to the first version. When copying itself to the system folder, it will make one copy named Msword.exe and another that can be either Salsa.Exe, Dejas.Exe, or Locas.Exe. It is 24,576 bytes long.


Hunch.H weighs in at 46,592 bytes. The email subject it arrives in will be the first four letters of the original file name but without the extension. The message body will be "Tal como te prometí; te envío mi foto en el archivo adjunto…", like Hunch.C. The files it copies to the system folder include Newmsie7.exe, Setup.Exe, and the original attachment.

It is similar to Hunch.C also with the types of files it deletes as well as displaying a pornographic image. It adds .ini, .com, .asm, .ccp, .mp2, .pif, and .vxd files to the list of files it can possibly delete.

It adds the following commands to the AUTOEXEC.BAT file:

DEL %system%\*.DAT
DEL %system%\*.COM
DEL %system%\*.EXE
FORMAT C: /u /v:COOL! /autotest


Hunch.I is 73,728 bytes long. It copies itself to the system folder as its original attachment name, along with Msie7en.exe, and Colas.exe. Colas.exe will be added to the registry key that allows it to start when the system does. Similar to the earlier versions, it deletes files and stores the names of deleted files in a file it keeps in the Windows system folder, this time it is named MyWife!.scr.


The image the original variant displays strongly indicates the virus comes from Peru. This is the coat of arms of San Cristóbal of Huamanga University, a Catholic liberal arts institution in Ayacucho, Peru. The university does appear to have a school of computer systems engineering and the author may have been an alumnus. Text strings contained in the worm indicate it was written in Visual Basic 6.


VSAntivirus, W32/Hunch "Mensaje importante... en el archivo adjunto." 29-JAN-2002

Securelist, Червь Hunch форматирует жесткий диск. 04-FЕВ-2002

Sophos Antivirus, W32/Hunch-C.

Douglas Knowles. Symantec, NAV: W32.Hunch.E@mm. 20-AUG-2002

Douglas Knowles. Symantec, NAV:W32.Hunch.H@mm. 07-SEP-2002

Douglas Knowles. Symantec, NAV:W32.Hunch.I@mm. 07-SEP-2002

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License