W32/Philis.ew is a file infecting virus. It scans for executable files in the infected machine and network shares to prepend them with its viral code.
4943 (2007-01-19)Updated DAT
W32/Philis.ew is a file infecting virus.
Upon execution, it copies itself to the "%windir%\uninstall" folder as "rundl132.exe".
Drops a dll "RichDll.dll" in the "%windir%" folder, this file is detected as W32/HLLP.Philis.dll.
Creates a file called "_desktop.ini" in the root directory. This file contains the date on which the virus was executed on that particular machine.
W32/Philis.ew adds the following registry key to load itself on system startup.
Also adds the following registry key
W32/Philis.ew scans the infected machine for executable files and prepends them with 63482 bytes of virus code. It does not infect files in the "%windir%" folder.
W32/Philis.ew scans for open shares on the network and infects executable files in those shares.
W32/HLLP.Philis.aw is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.