W32/HLLP.Philis.ew
Administrator
Risk Assessment

- Home Users: Low
- Corporate Users: Low

- Date Discovered: 1/19/2007
- Date Added: 1/19/2007
- Origin: N/A
- Length: N/A
- Type: Virus
- SubType: Parasitic
- DAT Required: 4943

Virus Family Statistics (over the past 30 days)

| Virus Name | Infected Files | Scanned Files | % Infected Computers |
|---|---|---|---|
| HLLP | 8 | 282,057 | 0.00 |
| HLLP.10000a | 3 | 8,770 | 0.00 |
| HLLP.10217 | 0 | 0 | 0.00 |
| HLLP.11652 | 0 | 0 | 0.00 |
| HLLP.13040 | 0 | 0 | 0.00 |
| HLLP.15392 | 0 | 0 | 0.00 |
| HLLP.3327 | 3 | 8,770 | 0.00 |
| HLLP.4629 | 0 | 0 | 0.00 |
| HLLP.4665 | 0 | 0 | 0.00 |
| HLLP.4676 | 0 | 0 | 0.00 |
| HLLP.4720 | 0 | 0 | 0.00 |
| HLLP.4745 | 0 | 0 | 0.00 |
| HLLP.4745b | 0 | 0 | 0.00 |
| HLLP.4745c | 5 | 282,057 | 0.00 |
| HLLP.4999 | 0 | 0 | 0.00 |
| HLLP.5000a | 0 | 0 | 0.00 |
| HLLP.5153 | 0 | 0 | 0.00 |
| HLLP.5667 | 0 | 0 | 0.00 |
| HLLP.5792 | 0 | 0 | 0.00 |
| HLLP.5844 | 0 | 0 | 0.00 |
| HLLP.5846a | 0 | 0 | 0.00 |
| HLLP.6253 | 0 | 0 | 0.00 |
| HLLP.6279 | 0 | 0 | 0.00 |
| HLLP.6425 | 0 | 0 | 0.00 |
| HLLP.6549 | 0 | 0 | 0.00 |
| HLLP.7128 | 0 | 0 | 0.00 |
| HLLP.7296 | 3 | 8,770 | 0.00 |
| HLLP.7408 | 26 | 565,675 | 0.00 |
| HLLP.7720 | 0 | 0 | 0.00 |
| HLLP.7792a | 0 | 0 | 0.00 |
| HLLP.7792b | 0 | 0 | 0.00 |
| HLLP.7929 | 0 | 0 | 0.00 |
| HLLP.7940 | 0 | 0 | 0.00 |
| HLLP.8192a | 0 | 0 | 0.00 |
| HLLP.8192b | 0 | 0 | 0.00 |
| HLLP.8192c | 0 | 0 | 0.00 |
| HLLP.8304a | 0 | 0 | 0.00 |
| HLLP.8688 | 0 | 0 | 0.00 |
| HLLP.9312 | 0 | 0 | 0.00 |
| HLLP.Ale | 3 | 8,770 | 0.00 |
| HLLP.GR1 | 11 | 282,057 | 0.00 |
| HLLP.Nazi.4415 | 3 | 8,770 | 0.00 |
| HLLP.Vova.a | 0 | 0 | 0.00 |
| HLLP.Vova.b | 0 | 0 | 0.00 |
| W32/HLLP | 13 | 499,766 | 0.00 |
| W32/HLLP.14336a | 1 | 8 | 0.00 |
| W32/HLLP.17408a | 4 | 10,376 | 0.00 |
| W32/HLLP.18432 | 0 | 0 | 0.00 |
| W32/HLLP.49110 | 0 | 0 | 0.00 |
| W32/HLLP.dr | 5 | 35,024 | 0.00 |
| W32/HLLP.Giwin | 0 | 0 | 0.00 |

Virus Characteristics

W32/Philis.ew is a file infecting virus. Upon execution, it copies itself to the "%windir%\uninstall" folder as "rundl132.exe". Drops a dll "RichDll.dll" in the "%windir%" folder, this file is detected as W32/HLLP.Philis.dll. Creates a file called "_desktop.ini" in the root directory. This file contains the date on which the virus was executed on that particular machine.

W32/Philis.ew adds the following registry key to load itself on system startup.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "load"="%windir%\\uninstall\\rundl132.exe"

Also adds the following registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
    "auto"="1"

W32/Philis.ew scans the infected machine for executable files and prepends them with 63482 bytes of virus code. It does not infect files in the "%windir%" folder. W32/Philis.ew scans for open shares on the network and infects executable files in those shares.

Indications of Infection

W32/HLLP.Philis.aw is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.

Removal Instructions

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Additional Windows ME/XP removal considerations

Aliases

W32.Looked.P (Symantec), W32/Looked-BL (Sophos), Worm.Win32.Viking.fe (Kaspersky)
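The description above says infected executables are prepended with 63482 bytes of virus code, which implies the original program's own MZ/PE header sits at that offset in an infected file. The following triage heuristic is an added example, not part of the original post or any vendor tool; the function names and the constructed sample bytes are assumptions made for illustration.

```python
import struct

PREPEND_LEN = 63482  # size of the prepended virus code, from the description above


def pe_header_at(data: bytes, base: int = 0) -> bool:
    """True if a structurally valid MZ/PE header starts at data[base]."""
    dos = data[base:base + 64]
    if len(dos) < 64 or dos[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
    sig_off = base + e_lfanew
    return data[sig_off:sig_off + 4] == b"PE\0\0"


def classify(data: bytes) -> str:
    """Flag executables that carry a second PE image exactly PREPEND_LEN bytes in."""
    if not pe_header_at(data, 0):
        return "not-pe"
    if len(data) > PREPEND_LEN and pe_header_at(data, PREPEND_LEN):
        return "suspect-prepended"
    return "no-embedded-host"


def classify_file(path: str) -> str:
    """Classify a file on disk, reading only the region the check needs."""
    with open(path, "rb") as fh:
        return classify(fh.read(PREPEND_LEN + 4096))


def fake_pe(total_len: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed test input: zero-filled buffer with only MZ/PE markers set."""
    buf = bytearray(total_len)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    host = fake_pe(4096)                      # stands in for a clean program
    prepended = fake_pe(PREPEND_LEN) + host   # same layout an infected file would have
    for name, blob in (("host", host), ("prepended", prepended)):
        print(name, classify(blob))
```

A match is a lead for a full scan with current DATs, not a verdict, and the check does not restore the original file.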