W32/HLLP.Philis.j

This page shows details and results of our analysis on the malware W32/HLLP.Philis.j

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4416 (2004-12-22)

Updated DAT

4416 (2004-12-22)

Minimum Engine

5400.1158

File Length

62,976 bytes

Description Added

2004-12-22

Description Modified

2005-01-28


Characteristics

This is a prepending file virus with the following characteristics:

  • Infects EXE files
  • Increases infected file length by 62,976 bytes
  • Injects a DLL component into a running process (EXPLORER.EXE)
  • Downloads file from a remote website
  • Spreads through open shares
  • Terminates processes running in memory

When an infected file is executed the virus copies itself as LOGO1_.EXE to the %Windir% folder.

e.g. C:\Winnt\LOGO1_.EXE

The following registry key is created:

  • HKEY_LOCAL_MACHINE\Software\Soft\DownloadWWW "auto" = 1

A DLL component (VIRDLL.DLL) is also dropped into the %Windir% folder. This DLL is injected into the address space of EXPLORER.EXE. Once injected, EXPLORER.EXE attempts an HTTP connection to download a remote file called 1.EXE. Because the download is made from inside EXPLORER.EXE rather than from the virus's own process, the outbound connection appears to come from a trusted system process, which can defeat per-application firewall rules.

The DLL component is detected as W32/HLLP.Philis.dll

This virus spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.

The virus does not infect EXE files in folders whose folder name contains any of the following strings:

  • System
  • System32
  • Windows
  • Document and Settings
  • System Volume Information
  • Recycled
  • winnt
  • Program Files
  • Windows NT
  • WindowsUpdate
  • Windows Media Player
  • Outlook Express
  • Internet Explorer
  • ComPlus Applications
  • Netmeeting
  • Common Files
  • Messenger
  • Microsoft Office
  • InstallShield Installation Information
  • MSN
  • Microsoft Frontpage
  • Movie Maker
  • MSN Gaming Zone
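The two facts above that a responder can act on are the fixed 62,976-byte growth of a prepending infector (the original host's MZ header should therefore sit at that offset) and the folder-name exclusion list (which tells you where the virus does and does not write). The following Python triage helper is an added example, not McAfee's detection or repair code: it walks a tree, skips the folders the virus skips, flags EXE files that carry a second intact PE image at offset 62,976, and carves the host back out. The "infected" file it scans is constructed inside the script; the case-insensitive folder match is an assumption the description does not settle.

```python
"""Triage helper for the fixed-size prepending infector described above.

Added example, not McAfee's detection or repair code. It assumes what the
description states: the virus body is prepended to the host and the infected
file grows by exactly 62,976 bytes, so the original host's MZ header should
sit at that offset. The "infected" file used in demo() is constructed here.
"""
import os
import struct
import tempfile

VIRUS_BODY_LEN = 62_976  # size increase stated in the description

# Folder-name strings the virus skips (from the description). A responder can
# use the same list to prioritise the folders the virus does target.
SKIPPED_FOLDER_STRINGS = [
    "System", "System32", "Windows", "Document and Settings",
    "System Volume Information", "Recycled", "winnt", "Program Files",
    "Windows NT", "WindowsUpdate", "Windows Media Player", "Outlook Express",
    "Internet Explorer", "ComPlus Applications", "Netmeeting", "Common Files",
    "Messenger", "Microsoft Office", "InstallShield Installation Information",
    "MSN", "Microsoft Frontpage", "Movie Maker", "MSN Gaming Zone",
]


def folder_is_skipped(folder: str) -> bool:
    """True if the virus would leave EXE files in this folder alone.
    Case-insensitive substring match is an assumption; the page does not say."""
    lowered = folder.lower()
    return any(s.lower() in lowered for s in SKIPPED_FOLDER_STRINGS)


def _looks_like_pe(data: bytes, offset: int) -> bool:
    """MZ header at `offset` whose e_lfanew (0x3C) points at a PE signature."""
    if len(data) < offset + 0x40 or data[offset:offset + 2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def is_prepend_infected(data: bytes) -> bool:
    """Heuristic: a PE file carrying a second, intact PE image at offset 62,976."""
    return (len(data) > VIRUS_BODY_LEN
            and _looks_like_pe(data, 0)
            and _looks_like_pe(data, VIRUS_BODY_LEN))


def carve_host(data: bytes) -> bytes:
    """Recover the original host that follows the prepended virus body."""
    if not is_prepend_infected(data):
        raise ValueError("file does not match the prepending layout")
    return data[VIRUS_BODY_LEN:]


def scan_tree(root: str) -> list:
    """Flag infected .exe files under `root`, skipping folders the virus skips.
    The skip rule is applied to the path relative to `root`; scan a drive root
    so that this matches the full path the virus sees."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if folder_is_skipped(os.path.relpath(dirpath, root)):
            continue
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                if is_prepend_infected(fh.read()):
                    hits.append(full)
    return hits


def minimal_pe(tail: bytes) -> bytes:
    """Constructed MZ/PE-shaped blob for the demo; not a runnable program."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    return bytes(hdr) + b"PE\0\0" + tail


def demo() -> dict:
    """Write a small constructed tree, scan it and verify host carving."""
    clean = minimal_pe(b"clean host")
    host = minimal_pe(b"host")
    infected = minimal_pe(b"virus body").ljust(VIRUS_BODY_LEN, b"\0") + host
    with tempfile.TemporaryDirectory() as root:
        layout = {
            os.path.join("Tools", "clean.exe"): clean,
            os.path.join("Tools", "infected.exe"): infected,
            os.path.join("Program Files", "app", "setup.exe"): infected,  # skipped folder
        }
        for rel, content in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        hits = [os.path.relpath(h, root) for h in scan_tree(root)]
    return {
        "hits": hits,
        "clean_flagged": is_prepend_infected(clean),
        "carved_ok": carve_host(infected) == host,
    }


if __name__ == "__main__":
    print(demo())
```

The offset check is a heuristic for this variant's layout only: any other file that happens to contain a valid PE header at exactly that offset would also match, so treat a hit as a candidate for the named DAT scan, not as a verdict. Carving is likewise only safe when the infector really is a pure prepender that leaves the host bytes intact, which is what this description states.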

The virus terminates the following processes if running in memory:

  • RAVMON.EXE
  • ZONEALARM
  • EGHOST.EXE
  • MAILMON.EXE
  • KAVPFW.EXE
  • IPARMOR.EXE

Symptoms

  • Parasitically infected files, increasing in size by 62,976 bytes.
  • Existence of the Registry key detailed above.

Method of Infection

This is a prepending file virus which spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.
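The spreading behaviour described here and under Characteristics (ADMIN$ and IPC$ access with blank ADMINISTRATOR or GUEST passwords) leaves a recognisable pattern in share-access audit logs: one source address reaching the administrative shares on many hosts within a short window. The Python below is an added example, not McAfee's detection content. It parses a constructed, simplified export of share-access events (modelled on the fields of Windows event 5140, which exists only on Vista and later; the NT/2000/XP systems this description targets would need the older logon auditing instead) and surfaces sources that fit the spreading pattern. The sample records, the tab-separated format and the allowlist of legitimate administration hosts are all assumptions made for the demo.

```python
"""Hunt for the share-based spreading described above in share-access audit events.

Added example, not McAfee's detection content. Input is a constructed,
simplified export of "network share object was accessed" events (modelled on
Windows event 5140 fields): one tab-separated record per line with timestamp,
target host, source address, account and share name.
"""
from collections import defaultdict

SUSPECT_ACCOUNTS = {"administrator", "guest"}  # accounts tried with blank passwords
SUSPECT_SHARES = {"ADMIN$", "IPC$"}            # shares the virus uses (from the page)

# Constructed sample log; fields: time, target host, source IP, account, share
SAMPLE_EVENTS = """\
2004-12-22T09:01:12\tWS01\t10.0.0.15\tGuest\t\\\\*\\IPC$
2004-12-22T09:01:13\tWS01\t10.0.0.15\tGuest\t\\\\*\\ADMIN$
2004-12-22T09:01:20\tWS02\t10.0.0.15\tAdministrator\t\\\\*\\IPC$
2004-12-22T09:01:21\tWS02\t10.0.0.15\tAdministrator\t\\\\*\\ADMIN$
2004-12-22T09:02:05\tWS03\t10.0.0.15\tGuest\t\\\\*\\ADMIN$
2004-12-22T09:05:00\tWS01\t10.0.0.2\tjsmith\t\\\\*\\Public
2004-12-22T09:06:00\tFS01\t10.0.0.7\tAdministrator\t\\\\*\\ADMIN$
"""


def parse_events(text: str) -> list:
    """Parse the tab-separated export into dicts; share names are normalised
    from the \\\\*\\NAME form to just NAME."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, account, share = line.split("\t")
        events.append({"time": ts, "host": host, "src": src,
                       "account": account, "share": share.rsplit("\\", 1)[-1]})
    return events


def suspicious_accesses(events: list, admin_sources=frozenset()) -> list:
    """Administrative-share access by Administrator or Guest from a source that
    is not one of the known administration hosts (the assumed allowlist)."""
    return [e for e in events
            if e["account"].lower() in SUSPECT_ACCOUNTS
            and e["share"] in SUSPECT_SHARES
            and e["src"] not in admin_sources]


def likely_spreaders(events: list, admin_sources=frozenset(), min_targets=2) -> dict:
    """Sources that hit admin shares on several distinct hosts: the spreading
    pattern. Returns {source_ip: sorted target hosts} for sources reaching at
    least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for e in suspicious_accesses(events, admin_sources):
        targets[e["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    for e in suspicious_accesses(evts, admin_sources={"10.0.0.7"}):
        print("suspect:", e["time"], e["src"], "->", e["host"], e["account"], e["share"])
    print("likely spreaders:", likely_spreaders(evts, admin_sources={"10.0.0.7"}))
```

In the sample, 10.0.0.15 reaches ADMIN$ or IPC$ on three hosts in under a minute and is reported as a spreader, while the single ADMIN$ access from the allowlisted 10.0.0.7 and the ordinary user access to a data share are not. The hosts in the target list are the ones to check for LOGO1_.EXE, VIRDLL.DLL and the registry key listed above; the precondition for the spread, a blank Administrator or Guest password, is what to fix on every host the scan touches.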

Removal

All Users:
Use specified engine and DAT files for detection and removal.


Variants