This page shows details and results of our analysis on the malware W32/HLLP.Philis.ew


W32/Philis.ew is a file infecting virus. It scans for executable files in the infected machine and network shares to prepend them with its viral code.

Minimum Engine


File Length

Description Added


Description Modified


Malware Proliferation


W32/Philis.ew is a file infecting virus.

Upon execution, it copies itself to the "%windir%\uninstall" folder as "rundl132.exe".

Drops a dll "RichDll.dll" in the "%windir%" folder, this file is detected as W32/HLLP.Philis.dll.

Creates a file called "_desktop.ini" in the root directory. This file contains the date on which the virus was executed on that particular machine.

W32/Philis.ew adds the following registry key to load itself on system startup.


Also adds the following registry key


W32/Philis.ew scans the infected machine for executable files and prepends them with 63482 bytes of virus code. It does not infect files in the "%windir%" folder.

W32/Philis.ew scans for open shares on the network and infects executable files in those shares.


  • Modified executable files (change in size of exe files)
  • Presence of "RichDll.dll" in "%windir%" directory
  • Presence of registry entries as described
  • File named "_desktop.ini" in the root directory.

Method of Infection

W32/ is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.


A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.