W32/HLLP.Philis.dm

Type: Virus
SubType: Parasitic
Discovery Date: 12/28/2006
Length:
Minimum DAT: 4928 (12/28/2006)
Updated DAT: 5275 (04/16/2008)
Minimum Engine: 5.1.00
Description Added: 12/28/2006
Description Modified: 01/11/2007 9:03 PM (PT)
Risk Assessment: Corporate User - Low; Home User - Low

Characteristics

W32/HLLP.Philis.dm is a file infecting virus.

On execution, it copies itself to %WinDir%\uninstall\rundl132.exe and adds a "load" registry entry so that this copy is launched again after a reboot. It also creates the following registry entries:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
    • HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"

It drops a file named RichDll.dll (detected as W32/HLLP.Philis.dll) in %WinDir% and injects this DLL into the Explorer.exe process. The DLL opens a backdoor and downloads game password stealing trojans from the following location:

    • down.down988.cn/[REMOVED]

W32/HLLP.Philis.dm searches for executable files and prepends its 58 KB viral code to each target, so the virus body runs first and the original program follows it in the file. The prepended virus code is written in Borland Delphi.
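
The file layout that this prepending produces can be checked for directly. The following Python is an added example written for this page, not code from the original AVERT description: it finds every well-formed PE header in a file and, given the stub length, carves the original program out from behind it. The 58 KB stub size is the page's figure; the sample "stub", "victim.exe" and the PE embedded at offset 0x2000 are constructed stand-ins, and the assumption that the host is stored unmodified behind the stub is the example's own, not something the description states.

```python
"""Locate a host executable stored behind a prepended viral stub and carve it out.

Added example, not McAfee/AVERT code. A prepending infector writes its own PE
image first and the original program after it, so an infected file contains
two well-formed PE headers. This scans for every plausible header (MZ at the
offset, e_lfanew in range, PE signature where e_lfanew points) and recovers
the bytes from the second one. Assumptions, labelled here: the host is stored
unmodified behind the stub, and the stub length (58 KB per the description)
is known to the caller so that a PE embedded inside the stub itself (a
dropper carrying a DLL, for instance) is not mistaken for the host.
"""
import struct

MZ, PE_SIG = b"MZ", b"PE\0\0"

def pe_header_at(data: bytes, off: int) -> bool:
    """True if a plausible PE image starts at `off`."""
    if data[off:off + 2] != MZ or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:          # sane range for the PE header offset
        return False
    return data[off + e_lfanew:off + e_lfanew + 4] == PE_SIG

def find_pe_headers(data: bytes) -> list:
    """Offsets of every plausible PE header in the buffer, ascending."""
    offs, pos = [], data.find(MZ)
    while pos != -1:
        if pe_header_at(data, pos):
            offs.append(pos)
        pos = data.find(MZ, pos + 1)
    return offs

def carve_host(data: bytes, expected_stub_len=None):
    """Return (stub_length, host_bytes) for a prepending infection, else None.

    Without expected_stub_len the first header after offset 0 is taken, which
    is wrong when the stub embeds another PE; with it, only a header at exactly
    that offset is accepted.
    """
    heads = find_pe_headers(data)
    if not heads or heads[0] != 0:
        return None                               # not a PE file at all
    candidates = [h for h in heads[1:]
                  if expected_stub_len is None or h == expected_stub_len]
    if not candidates:
        return None                               # clean, or not this layout
    stub_len = candidates[0]
    return stub_len, data[stub_len:]

def make_fake_pe(tag: bytes, size: int) -> bytes:
    """Constructed stand-in for an executable: MZ header, e_lfanew=0x80, PE signature, filler."""
    hdr = bytearray(0x80)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    body = PE_SIG + tag
    return bytes(hdr) + body + b"\0" * (size - len(hdr) - len(body))

# Constructed sample: a 58 KB "stub" that also carries an embedded PE (hypothetical
# dropped DLL at offset 0x2000), prepended to a 12 000 byte "victim.exe".
STUB_SIZE = 58 * 1024
_stub = bytearray(make_fake_pe(b"delphi-stub", STUB_SIZE))
_embedded = make_fake_pe(b"embedded.dll", 0x1000)
_stub[0x2000:0x2000 + len(_embedded)] = _embedded
VIRAL_STUB = bytes(_stub)
HOST = make_fake_pe(b"victim.exe", 12_000)
INFECTED = VIRAL_STUB + HOST

if __name__ == "__main__":
    print("headers at", [hex(o) for o in find_pe_headers(INFECTED)])
    naive = carve_host(INFECTED)
    print("naive carve starts at", hex(naive[0]), "(wrong: that is the embedded PE)")
    stub_len, host = carve_host(INFECTED, expected_stub_len=STUB_SIZE)
    print("carved", len(host), "bytes after a", stub_len, "byte stub; matches host:", host == HOST)
```

Without the expected stub length the carve stops at the first header after offset 0, which in the sample is the embedded PE rather than the host; real disinfection therefore pins the offset to the family's known stub size and verifies the carved header before writing anything back.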

The virus also spreads through existing network shares. It enumerates active machines in the local subnet by sending each candidate an ICMP echo request whose data field contains the string "Hello, World" and waiting for the reply. Once a host answers, it tries to connect to the ADMIN$ and IPC$ shares and to any other shares the machine exposes. If it can write to a share, it first copies "_desktop.ini" to the root of the share to mark it as visited and then infects the executables found on that share.
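
The "Hello, World" echo request is a network-visible signature for this spreading routine. The following Python is an added example for this page, not part of the AVERT description: it builds a few IPv4/ICMP packets as constructed sample traffic (the addresses are made up) and runs a small parser over them that flags only echo requests whose data field contains the marker, while letting a normal ping and an echo reply that carries the same bytes pass.

```python
"""Flag ICMP echo requests whose data field carries the "Hello, World" marker.

Added example, not McAfee/AVERT code. The description says the virus probes
each live host in the subnet with an echo request containing the string
"Hello, World". This builds such packets as constructed sample traffic
(no network access) and runs an IPv4/ICMP parser over them, the same
content match a Snort or Suricata rule on icmp type 8 would express.
Addresses and payloads below are made up for the example.
"""
import struct

MARKER = b"Hello, World"        # string quoted in the description

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(src: str, dst: str, payload: bytes, icmp_type=8, ident=0x1234, seq=1) -> bytes:
    """Build an IPv4 packet carrying an ICMP message (type 8 = echo request, 0 = reply)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp

def parse_icmp(pkt: bytes):
    """Return (src, dst, type, code, payload) for a well-formed IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:          # IP protocol 1 = ICMP, 8-byte ICMP header
        return None
    if inet_checksum(pkt[ihl:]) != 0:               # ICMP checksum must verify
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return src, dst, pkt[ihl], pkt[ihl + 1], pkt[ihl + 8:]

def is_philis_ping(pkt: bytes) -> bool:
    """True for an echo request (type 8, code 0) whose data contains the marker."""
    parsed = parse_icmp(pkt)
    if parsed is None:
        return False
    _, _, icmp_type, code, payload = parsed
    return icmp_type == 8 and code == 0 and MARKER in payload

def scan(packets):
    """(src, dst) of every flagged echo request, in order; one infected host shows up as a sweep."""
    hits = []
    for pkt in packets:
        if is_philis_ping(pkt):
            src, dst, *_ = parse_icmp(pkt)
            hits.append((src, dst))
    return hits

# Constructed sample traffic: a normal Windows-style ping, a sweep from an
# infected host, and an echo reply that echoes the marker back (must not fire).
SAMPLE = [
    build_icmp("10.0.0.5", "10.0.0.1", b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_icmp("10.0.0.23", "10.0.0.77", MARKER),
    build_icmp("10.0.0.23", "10.0.0.78", MARKER),
    build_icmp("10.0.0.77", "10.0.0.23", MARKER, icmp_type=0),
]

if __name__ == "__main__":
    for src, dst in scan(SAMPLE):
        print(f"suspicious ICMP echo request {src} -> {dst}")
```

Grouping hits by source address turns this into the sweep detector a practitioner actually wants: a single host emitting marker pings to many neighbours is the behaviour the description attributes to an infected machine.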

The virus terminates the following processes, several of which belong to antivirus and personal firewall products:

    • EGHOST.EXE
    • MAILMON.EXE
    • KAVPFW.EXE
    • IPARMOR.EXE
    • Ravmond.EXE
    • regsvc.exe
    • mcshield.exe

It also tries to stop the Kingsoft AntiVirus Service.

Symptoms

  • Modified executable files (each infected .exe grows by the size of the prepended viral code)
  • Presence of %WinDir%\uninstall\rundl132.exe and %WinDir%\RichDll.dll
  • Presence of the registry entries described above

Method of Infection

W32/HLLP.Philis.dm is a file infecting virus. Infection begins when a user runs an infected binary. To spread further, the virus relies on improperly configured or unprotected (open) network shares.

Removal

AVERT recommends always using the latest DATs and engine; with that combination this threat is detected and cleaned.

Variants

    N/A

Overview

W32/HLLP.Philis.dm is a file infecting virus. It searches for executable files on the infected machine and prepends its viral code to them. It also drops a DLL that downloads game password stealing trojans.

Aliases

  • PE_LOOKED.DY-O (Trend Micro)
  • W32.Looked.P (Symantec)
  • Worm.Win32.Viking.ea (Kaspersky)
