This page shows the details and results of our analysis of the malware W32/HLLP.Philis.j.


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

File Length: 62,976 bytes


This is a prepending file virus with the following characteristics:

  • Infects EXE files
  • Increases infected file length by 62,976 bytes
  • File Injector
  • Downloads file from a remote website
  • Spreads through open shares
  • Terminates processes running in memory

When an infected file is executed, the virus copies itself as LOGO1_.EXE to the %Windir% folder.

e.g. C:\Winnt\LOGO1_.EXE

The following registry key is created:

  • HKEY_LOCAL_MACHINE\Software\Soft\DownloadWWW "auto" = 1

A DLL component (VIRDLL.DLL) is also dropped into the %Windir% folder. This DLL file is injected into the same memory space as EXPLORER.EXE. Once injected, EXPLORER.EXE will attempt to make an HTTP connection to download a remote file called 1.EXE.

The DLL component is detected as W32/HLLP.Philis.dll.

This virus spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.

The virus does not infect EXE files in folders that have any of the following strings in their folder name:

  • System
  • System32
  • Windows
  • Document and Settings
  • System Volume Information
  • Recycled
  • winnt
  • Program Files
  • Windows NT
  • WindowsUpdate
  • Windows Media Player
  • Outlook Express
  • Internet Explorer
  • ComPlus Applications
  • Netmeeting
  • Common Files
  • Messenger
  • Microsoft Office
  • InstallShield Installation Information
  • MSN
  • Microsoft Frontpage
  • Movie Maker
  • MSN Gaming Zone

The virus terminates the following processes if running in memory:

Symptoms

  • Parasitically infected files, increasing in size by 62,976 bytes.
  • Existence of the Registry key detailed above.
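
A triage check for the indicators listed on this page (the two files dropped in %Windir%, the registry value, and the fixed 62,976-byte prepended body), as an added example that is not part of the original description or any vendor tool. It assumes the original host EXE is stored unmodified directly after the virus body, so a second MZ header appears at offset 62,976; the function names are illustrative.

```python
import os
import sys

VIRUS_LEN = 62976                        # size increase stated on this page
DROPPED = ("LOGO1_.EXE", "VIRDLL.DLL")   # files the page says land in %Windir%

def dropped_files(windir):
    """Names from DROPPED present in windir (case-insensitive match)."""
    present = {n.upper() for n in os.listdir(windir)} if os.path.isdir(windir) else set()
    return [n for n in DROPPED if n in present]

def looks_prepended(path):
    """Heuristic: MZ header at offset 0 and again at offset VIRUS_LEN.
    Assumption: the host EXE is stored unmodified after the virus body."""
    if os.path.getsize(path) < VIRUS_LEN + 2:
        return False
    with open(path, "rb") as f:
        head = f.read(2)
        f.seek(VIRUS_LEN)
        return head == b"MZ" and f.read(2) == b"MZ"

def registry_marker():
    """True/False for the "auto" = 1 value on Windows, None on other systems."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Soft\DownloadWWW") as key:
            return str(winreg.QueryValueEx(key, "auto")[0]) == "1"
    except OSError:
        return False

def scan(root):
    """Sorted paths of .exe files under root that match the heuristic."""
    hits = []
    for folder, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(".exe")):
            path = os.path.join(folder, name)
            try:
                if looks_prepended(path):
                    hits.append(path)
            except OSError:
                pass  # unreadable or locked file: skip
    return sorted(hits)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(dropped_files(os.environ.get("WINDIR", "")), registry_marker(), scan(root))
```

A match from `scan` is a lead for a scan with current engine and DAT files, not a verdict: any file that happens to carry `MZ` at that offset will also match.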

Method of Infection

This is a prepending file virus which spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.


All Users:
Use specified engine and DAT files for detection and removal.
