VBS/Psyme

Type
Trojan
SubType
Exploit
Discovery Date
09/30/2003
Length
Varies
Minimum DAT
4297 (10/08/2003)
Updated DAT
5663 (07/01/2009)
Minimum Engine
5.1.00
Description Added
10/16/2003
Description Modified
12/28/2007 10:28 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update December 28, 2007 --

A new variant of VBS/Psyme has been observed which is part of a threat that attempts to spread on the premise that it offers a codec to see a video of the suicide attack that killed Pakistani Prime Minister Benazir Bhutto.  For more information on this threat, please see the Avert Blog.

-- Updated October 8, 2006 --

Recently, this threat was proactively detected on a major Korean website. The exploit was hidden in a legitimate webpage believed to have been subjected to unauthorised modifications. Similar incidents had been reported before on other, less well-known websites.

This threat causes unpatched Internet Explorer clients to download and execute further malware from:

  •  www6.iirs.net/(hidden)

This file is installed in:

  • %Temp%\102084.exe (W32/HLLP.Philis installer at the time of writing)

Using the current DATs in VirusScan with ScriptScan enabled protects against this threat. Customers are reminded to ensure that the latest security patches from the vendor for Internet Explorer are installed.

This trojan exploits an unpatched (at the time of this writing) vulnerability in Internet Explorer. The vulnerability allows local files to be written and overwritten by exploiting the ADODB.Stream object. There are several variants of this trojan, so this description is designed to give an overview of how the trojan works.

The trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it.
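The download/write/execute chain described above is what a script-scanning heuristic can key on rather than any one variant's strings. The following is an added example (not McAfee's ScriptScan logic or the trojan's own code) that scores a script by the presence of that capability chain; the COM identifiers are standard Windows names, and the sample scripts are constructed with placeholders in place of the elided values.

```python
"""Heuristic scorer for VBS/Psyme-style dropper scripts (added example).

Looks for the capability chain the description gives (download, write to
local disk via ADODB.Stream, execute) so that it covers the many variants
the description mentions instead of one variant's literal strings.
"""
import re

# Standard Windows COM identifiers; matched case-insensitively because
# VBScript is case-insensitive.
MARKERS = {
    "stream": re.compile(r"adodb\.stream", re.I),
    "save": re.compile(r"\.savetofile\b", re.I),
    "download": re.compile(r"(?:microsoft|msxml2)\.xmlhttp", re.I),
    "execute": re.compile(r"\.(?:shellexecute|run|exec)\b", re.I),
}

def normalize(script: str) -> str:
    """Join split string literals ("ADO" & "DB.Stream") so that a
    trivially obfuscated identifier still matches the markers."""
    return re.sub(r'"\s*[&+]\s*"', "", script)

def classify(script: str) -> tuple[str, list[str]]:
    """Return (verdict, markers_found): 'dropper' when the full
    download/write/execute chain is present, 'review' when a local file
    is written through ADODB.Stream, 'clean' otherwise."""
    text = normalize(script)
    found = sorted(name for name, rx in MARKERS.items() if rx.search(text))
    if {"stream", "save", "execute"} <= set(found):
        return "dropper", found
    if {"stream", "save"} <= set(found):
        return "review", found
    return "clean", found

# Constructed samples; <elided> stands in for values not on the page.
BENIGN = '''
Set http = CreateObject("Microsoft.XMLHTTP")
http.Open "GET", "http://intranet.example/status.txt", False
http.Send
MsgBox http.responseText
'''
DROPPER_LIKE = '''
Set http = CreateObject("Microsoft.XMLHTTP")
Set st = CreateObject("ADO" & "DB.Stream")
st.SaveToFile "%Temp%\\<elided>.exe", 2
CreateObject("Shell.Application").ShellExecute "%Temp%\\<elided>.exe"
'''

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("dropper-like", DROPPER_LIKE)):
        print(name, classify(sample))
```

A match on the full chain is a strong signal; a "review" verdict on its own only says a script writes local files through ADODB.Stream, which legitimate intranet scripts of that era sometimes did.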

Symptoms

Unexpected file creation.

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
