Content

W32/HLLP.Philis.ar

Type
Virus
SubType
Parasitic
Discovery Date
08/14/2006
Length
32,021 bytes
Minimum DAT
4829 (08/14/2006)
Updated DAT
5200 (01/04/2008)
Minimum Engine
5.1.00
Description Added
08/14/2006
Description Modified
08/29/2006 8:21 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

W32/HLLP.Philis.ar is a file infecting virus.

On execution, it copies itself in %Windir% as rundll32.exe and adds a load registry entry to activate itself on reboot. It also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"


It drops a file named viDll.dll (detected as W32/HLLP.Philis.dll) in C:\ directory. It then injects this dll in Explorer.exe process. This dll is responsible for opening a backdoor and also downloading other password stealing trojans such as PWS-Lineage from the following locations:

  • h.mt12.net/xz/[REMOVED]
  • www.itemgame.net/new/mxd/[REMOVED]
  • www.itemgame.net/new/xz/[REMOVED]

W32/HLLP.Philis.ar searches for executable files and prepends its viral code to target files. It adds its 32KB code in front of the original file, so whenever that file is executed the virus is also executed. The prepending virus code is written using Borland Delphi.

It tends to infect files with the following file names:

  • setup.exe
  • install.exe
  • my.exe
  • EXCEL.EXE
  • WINWORD.EXE
  • msnmsgr.exe
  • msimn.exe
  • NATEON.exe
  • editplus.exe
  • QQ.exe
  • Winrar.exe
  • Thunder.exe
  • ThunderShell.exe
  • flashget.exe
  • TTPlayer.exe
  • realplay.exe
  • foxmail.exe
  • Uedit32.exe
  • ACDSee4.exe
  • ACDSee5.exe
  • ACDSee6.exe
  • GameClient.exe
  • AgzNew.exe
  • Patcher.exe
  • MHAutoPatch.exe
  • Mu.exe
  • Silkroad.exe
  • BNUpdate.exe
  • jxonline_t.exe
  • FSOnline.exe
  • run.exe
  • AutoUpdate.exe
  • Ragnarok.exe
  • launcher.exe
  • autoupdate.exe
  • Datang.exe
  • LineageII.exe
  • Archlord.exe
  • woool.exe
  • zfs.exe
  • patchupdate.exe
  • NSStarter.exe
  • Mir.exe
  • lineage.exe

The virus creates files with the name "_desktop.ini" in every folder that it visits while looking for executable files to infect. This is created as a hidden system file and contains the date on which virus was executed to visit the folder in which the file resides. The date is shown in yyyy/mm/dd format.

The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it find an active machine it sends an ICMP ping request and waits for a response. This ping request packet contains "Hello, World" string. After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine. If the virus is able to access a shared resource, it first copies "_desktop.ini" to the root of the share to mark the share as visited and then infects executables present in the share. While infecting executables via a network share the virus does not limit itself to infecting specific file names as mentioned above.
In the case of a shared printer, the viruses' infection routine effectively creates printer job to print the date as contained in "_desktop.ini" file that the virus tries to copy.

Symptoms

  • Modified executable files (change in size of exe files)
  • Presence of C:\viDll.dll
  • Presence of registry entries as described
  • Presence of hidden system files named _desktop.ini in many folders.

Method of Infection

W32/HLLP.Philis.ar is a file infecting virus. Infection starts with manual execution of the binary which may rely on improperly configured/protected (open) shared drives.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

W32/HLLP.Philis.ar is a file infecting virus. It searches for executable files on the infected machine to prepend its viral code.

It is also responsible for dropping a dll file, which downloads password stealing trojans from various websites.

Aliases

  • Infostealer.Lineage (Symantec)
  • PE_LOOKED.BI (Trend Micro)
  • Trojan-PSW.Win32.Lineage.ahd (Kaspersky)

Characteristics

Characteristics -

W32/HLLP.Philis.ar is a file infecting virus.

On execution, it copies itself in %Windir% as rundll32.exe and adds a load registry entry to activate itself on reboot. It also creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"


It drops a file named viDll.dll (detected as W32/HLLP.Philis.dll) in C:\ directory. It then injects this dll in Explorer.exe process. This dll is responsible for opening a backdoor and also downloading other password stealing trojans such as PWS-Lineage from the following locations:

  • h.mt12.net/xz/[REMOVED]
  • www.itemgame.net/new/mxd/[REMOVED]
  • www.itemgame.net/new/xz/[REMOVED]

W32/HLLP.Philis.ar searches for executable files and prepends its viral code to target files. It adds its 32KB code in front of the original file, so whenever that file is executed the virus is also executed. The prepending virus code is written using Borland Delphi.

It tends to infect files with the following file names:

  • setup.exe
  • install.exe
  • my.exe
  • EXCEL.EXE
  • WINWORD.EXE
  • msnmsgr.exe
  • msimn.exe
  • NATEON.exe
  • editplus.exe
  • QQ.exe
  • Winrar.exe
  • Thunder.exe
  • ThunderShell.exe
  • flashget.exe
  • TTPlayer.exe
  • realplay.exe
  • foxmail.exe
  • Uedit32.exe
  • ACDSee4.exe
  • ACDSee5.exe
  • ACDSee6.exe
  • GameClient.exe
  • AgzNew.exe
  • Patcher.exe
  • MHAutoPatch.exe
  • Mu.exe
  • Silkroad.exe
  • BNUpdate.exe
  • jxonline_t.exe
  • FSOnline.exe
  • run.exe
  • AutoUpdate.exe
  • Ragnarok.exe
  • launcher.exe
  • autoupdate.exe
  • Datang.exe
  • LineageII.exe
  • Archlord.exe
  • woool.exe
  • zfs.exe
  • patchupdate.exe
  • NSStarter.exe
  • Mir.exe
  • lineage.exe

The virus creates files with the name "_desktop.ini" in every folder that it visits while looking for executable files to infect. This is created as a hidden system file and contains the date on which virus was executed to visit the folder in which the file resides. The date is shown in yyyy/mm/dd format.

The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it find an active machine it sends an ICMP ping request and waits for a response. This ping request packet contains "Hello, World" string. After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine. If the virus is able to access a shared resource, it first copies "_desktop.ini" to the root of the share to mark the share as visited and then infects executables present in the share. While infecting executables via a network share the virus does not limit itself to infecting specific file names as mentioned above.
In the case of a shared printer, the viruses' infection routine effectively creates printer job to print the date as contained in "_desktop.ini" file that the virus tries to copy.

Symptoms

Symptoms -

  • Modified executable files (change in size of exe files)
  • Presence of C:\viDll.dll
  • Presence of registry entries as described
  • Presence of hidden system files named _desktop.ini in many folders.

Method of Infection

Method of Infection -

W32/HLLP.Philis.ar is a file infecting virus. Infection starts with manual execution of the binary which may rely on improperly configured/protected (open) shared drives.

Removal -

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A