This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
W32/HLLP.Philis.g is a file-infecting virus.
It searches for 32-bit PE .exe files and prepends its viral code to target files. It adds 59904 bytes in front of the original file, so whenever that file is run the virus code executes instead. The prepended virus code is written in Borland Delphi.
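A triage heuristic for the prepending layout described above, as an added example that is not part of the original description or the vendor's detection logic. It assumes the original host file sits unmodified immediately after the 59904-byte block; all function names and the sample buffers are hypothetical and constructed for illustration.

```python
import struct

PREPEND_SIZE = 59904  # bytes the description says are added in front of the host file
PE32_MAGIC = 0x10B    # optional-header magic for 32-bit PE images


def pe_sig_offset(data: bytes, base: int = 0):
    """Offset of the 'PE\\0\\0' signature for an MZ image starting at base, else None."""
    if len(data) < base + 0x40 or data[base:base + 2] != b"MZ":
        return None
    sig = base + struct.unpack_from("<I", data, base + 0x3C)[0]
    return sig if data[sig:sig + 4] == b"PE\0\0" else None


def is_pe32(data: bytes, base: int = 0) -> bool:
    """True if a PE32 image starts at base (magic follows signature + 20-byte COFF header)."""
    sig = pe_sig_offset(data, base)
    if sig is None or len(data) < sig + 26:
        return False
    return struct.unpack_from("<H", data, sig + 24)[0] == PE32_MAGIC


def looks_prepended(data: bytes) -> bool:
    """Heuristic: a PE32 at offset 0 and a second PE32 exactly PREPEND_SIZE bytes in."""
    return is_pe32(data, 0) and is_pe32(data, PREPEND_SIZE)


def carve_host(data: bytes) -> bytes:
    """Bytes after the prepended block, for hashing against a known-good copy."""
    if not looks_prepended(data):
        raise ValueError("layout does not match the prepender pattern")
    return data[PREPEND_SIZE:]


def fake_pe(size: int) -> bytes:
    """Constructed sample: zero-filled buffer with MZ/PE32 header fields only."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, PE32_MAGIC)
    return bytes(buf)


CLEAN = fake_pe(4096)                    # constructed stand-in for an uninfected host
SUSPECT = fake_pe(PREPEND_SIZE) + CLEAN  # constructed: 59904-byte block, then the host

if __name__ == "__main__":
    for name, blob in (("CLEAN", CLEAN), ("SUSPECT", SUSPECT)):
        print(name, "prepended layout:", looks_prepended(blob))
```

A match only flags a file for scanning with current engine and DAT files; legitimate installers and self-extractors can also contain a second PE image, though rarely at this exact offset.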
It also tries to connect to shared drives using ipc$. Using a few administrator/admin logons, it tries to connect to open shares that are not properly protected with passwords.
The virus can be detected and cleaned without problems.
The virus carries an embedded trojan component for keylogging. The embedded file "virdll.dll", with a file size of 14848 bytes, is detected as PWS-LegMir. The file is internally compressed using UPX.
W32/HLLP.Philis.g is a file-infecting virus. Infection starts with manual execution of the binary and may rely on shared drives that are not properly configured or protected (open shares).
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
In some particular cases, however, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: