W32/HLLP.Philis.j

This is a prepending file virus with the following characteristics:

• Infects EXE files
• Increases infected file length by 62,976 bytes
• File Injector
• Downloads file from a remote website
• Spreads through open shares
• Terminates processes running in memory

When an infected file is executed the virus copies itself as LOGO1_.EXE to the %Windir% folder.

e.g. C:\Winnt\LOGO1_.EXE

The following registry key is created:

• HKEY_LOCAL_MACHINE\Software\Soft\DownloadWWW                  "auto" = 1

A DLL component (VIRDLL.DLL) is also dropped into the %Windir% folder.  This DLL file is injected into the same memory space as EXPLORER.EXE.  Once injected, EXPLORER.EXE will attempt to make a HTTP connection to download a remote file called 1.EXE.

The DLL component is detected as W32/HLLP.Philis.dll

This virus spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.

The virus does not infect EXE  files in folders which have any of the following strings in their foldername:

• System
• System32
• Windows
• Document and Settings
• System Volume Information
• Recycled
• winnt
• Program Files
• Windows NT
• WindowsUpdate
• Windows Media Player
• Outlook Express
• Internet Explorer
• ComPlus Applications
• Netmeeting
• Common Files
• Messenger
• Microsoft Office
• InstallShield Installation Information
• MSN
• Microsoft Frontpage
• Movie Maker
• MSN Gaming Zone

The virus terminates the following processes if running in memory:

• RAVMON.EXE
• ZONEALARM
• EGHOST.EXE
• MAILMON.EXE
• KAVPFW.EXE
• IPARMOR.EXE
  

• Parasitically infected files, increasing in size by 62,976 bytes.
• Existence of the Registry key detailed above.

This is a prepending file virus which spreads via accessible shares (ADMIN$, IPC$) using blank ADMINISTRATOR and GUEST passwords.

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations