W32/HLLP.Philis.ew

This page shows details and results of our analysis on the malware W32/HLLP.Philis.ew

Overview

W32/Philis.ew is a file infecting virus. It scans for executable files in the infected machine and network shares to prepend them with its viral code.


Minimum DAT

4943 (2007-01-19)

Updated DAT

5275 (2008-04-16)

Minimum Engine

5400.1158

File Length

Description Added

2007-01-19

Description Modified

2007-01-22

Malware Proliferation

Characteristics

W32/Philis.ew is a file infecting virus.

Upon execution, it copies itself to the "%windir%\uninstall" folder as "rundl132.exe".

Drops a dll "RichDll.dll" in the "%windir%" folder, this file is detected as W32/HLLP.Philis.dll.

Creates a file called "_desktop.ini" in the root directory. This file contains the date on which the virus was executed on that particular machine.

W32/Philis.ew adds the following registry key to load itself on system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"load"="%windir%\\uninstall\\rundl132.exe"

Also adds the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
"auto"="1"

W32/Philis.ew scans the infected machine for executable files and prepends them with 63482 bytes of virus code. It does not infect files in the "%windir%" folder.

W32/Philis.ew scans for open shares on the network and infects executable files in those shares.

Symptoms

  • Modified executable files (change in size of exe files)
  • Presence of "RichDll.dll" in "%windir%" directory
  • Presence of registry entries as described
  • File named "_desktop.ini" in the root directory.

Method of Infection

W32/HLLP.Philis.aw is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

 

Variants