This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4416 (2004-12-22) Updated DAT
This is a prepending file virus with the following characteristics:
When an infected file is executed, the virus copies itself as LOGO1_.EXE to the %Windir% folder.
The following registry key is created:
A DLL component (VIRDLL.DLL) is also dropped into the %Windir% folder. This DLL file is injected into the same memory space as EXPLORER.EXE. Once injected, EXPLORER.EXE will attempt to make an HTTP connection to download a remote file called 1.EXE.
The DLL component is detected as W32/HLLP.Philis.dll
This virus spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.
The virus does not infect EXE files in folders which have any of the following strings in their folder name:
The virus terminates the following processes if running in memory:
This is a prepending file virus which spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.
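The behaviours described above can be checked together in endpoint telemetry. The following is an added example, not part of the original description or any vendor tooling: it flags hosts showing the dropped files in %Windir%, EXPLORER.EXE fetching 1.EXE over HTTP, or ADMINISTRATOR/GUEST logons to ADMIN$ or IPC$. The event schema, host names and URL are constructed assumptions, and since logs do not show whether a password was blank, a share logon hit is a lead for an account audit.

```python
import ntpath
from collections import defaultdict
from urllib.parse import urlsplit

# Names taken from the description above.
DROPPED = {"logo1_.exe", "virdll.dll"}
SHARES = {"admin$", "ipc$"}
ACCOUNTS = {"administrator", "guest"}

def triage(events, windir=r"C:\Windows"):
    """Return {host: sorted findings} for events matching the described behaviour."""
    hits = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            folder, name = ntpath.split(ev["path"])
            # Only the %Windir% folder itself counts, not subfolders or other paths.
            if ntpath.normcase(folder) == ntpath.normcase(windir) and name.lower() in DROPPED:
                hits[ev["host"]].add("dropped:" + name.upper())
        elif kind == "http":
            image = ntpath.basename(ev["image"]).lower()
            target = urlsplit(ev["url"]).path.rsplit("/", 1)[-1].lower()
            if image == "explorer.exe" and target == "1.exe":
                hits[ev["host"]].add("explorer_fetch:1.EXE")
        elif kind == "share_logon":
            share = ev["share"].rsplit("\\", 1)[-1].lower()
            if share in SHARES and ev["user"].lower() in ACCOUNTS:
                hits[ev["host"]].add("share_logon:%s:%s" % (share.upper(), ev["user"].upper()))
    return {host: sorted(found) for host, found in hits.items()}

# Constructed sample events (hypothetical schema and hosts, not real telemetry).
SAMPLE = [
    {"host": "ws01", "type": "file_create", "path": r"C:\WINDOWS\Logo1_.exe"},
    {"host": "ws01", "type": "file_create", "path": r"C:\Windows\virdll.dll"},
    {"host": "ws01", "type": "http", "image": r"C:\Windows\explorer.exe",
     "url": "http://download.example/files/1.exe"},
    {"host": "ws02", "type": "share_logon", "share": r"\\ws02\ADMIN$", "user": "Guest"},
    {"host": "ws03", "type": "file_create", "path": r"C:\Users\a\Desktop\logo1_.exe"},
    {"host": "ws03", "type": "http", "image": r"C:\Program Files\b\browser.exe",
     "url": "http://download.example/1.exe"},
]

if __name__ == "__main__":
    for host, found in sorted(triage(SAMPLE).items()):
        print(host, found)
```

The ws03 events are deliberate near misses: the same file name outside %Windir% and a 1.EXE download by a process other than EXPLORER.EXE are not flagged.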