W32/HLLP.Philis.ew

W32/Philis.ew is a file infecting virus.

Upon execution, it copies itself to the "%windir%\uninstall" folder as "rundl132.exe".

Drops a dll "RichDll.dll" in the "%windir%" folder, this file is detected as W32/HLLP.Philis.dll.

Creates a file called "_desktop.ini" in the root directory. This file contains the date on which the virus was executed on that particular machine.

W32/Philis.ew adds the following registry key to load itself on system startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"load"="%windir%\\uninstall\\rundl132.exe"

Also adds the following registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
"auto"="1"

W32/Philis.ew scans the infected machine for executable files and prepends them with 63482 bytes of virus code. It does not infect files in the "%windir%" folder.

W32/Philis.ew scans for open shares on the network and infects executable files in those shares.

• Modified executable files (change in size of exe files)
• Presence of "RichDll.dll" in "%windir%" directory
• Presence of registry entries as described
• File named "_desktop.ini" in the root directory.
  

W32/HLLP.Philis.aw is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.