W32/HLLP.Philis.ew

Type: Virus
SubType: Parasitic
Discovery Date: 01/19/2007
Length:
Minimum DAT: 4943 (01/19/2007)
Updated DAT: 5275 (04/16/2008)
Minimum Engine: 5.1.00
Description Added: 01/19/2007
Description Modified: 01/22/2007 12:01 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Philis.ew is a file infecting virus.

Upon execution, it copies itself to the "%windir%\uninstall" folder as "rundl132.exe".

It drops a DLL, "RichDll.dll", in the "%windir%" folder; this file is detected as W32/HLLP.Philis.dll.

It creates a file called "_desktop.ini" in the root directory. This file contains the date on which the virus was executed on that particular machine.

W32/Philis.ew adds the following registry key to load itself on system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"load"="%windir%\\uninstall\\rundl132.exe"

It also adds the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
"auto"="1"

W32/Philis.ew scans the infected machine for executable files and prepends them with 63482 bytes of virus code. It does not infect files in the "%windir%" folder.

W32/Philis.ew scans for open shares on the network and infects executable files in those shares.

Symptoms

  • Modified executable files (change in size of exe files)
  • Presence of "RichDll.dll" in "%windir%" directory
  • Presence of registry entries as described
  • File named "_desktop.ini" in the root directory.
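The indicators listed above can be checked offline against a mounted disk image and a .reg export of the registry. The Python below is an added example, not part of the original description or of any vendor tool; the function names, the "WINDOWS" directory default and the heuristic that an infected host carries its own "MZ" header at offset 63482 are assumptions.

```python
import re
from pathlib import Path

PREPEND_LEN = 63482  # bytes of virus code prepended to each host, per the description

# Registry entries from the description: (key, value name, test on the data)
REG_IOCS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "load",
     lambda d: d.lower().endswith(r"\uninstall\rundl132.exe")),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW", "auto", lambda d: d == "1"),
]

def parse_reg(text):
    """Parse .reg export text into {key: {name: data}}, keys and names lowercased."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            cur[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def find_ci(base, *parts):
    """Resolve a Windows-style path under base ignoring case; None if absent."""
    cur = Path(base)
    for part in parts:
        kids = cur.iterdir() if cur.is_dir() else []
        cur = next((p for p in kids if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def looks_prepended(path):
    """Assumed heuristic: MZ at offset 0 and the host's own MZ at PREPEND_LEN."""
    with open(path, "rb") as f:
        data = f.read(PREPEND_LEN + 2)
    return data[:2] == b"MZ" and data[PREPEND_LEN:] == b"MZ"

def triage(root, reg_text, windir="WINDOWS"):
    """Return sorted indicator strings for a mounted volume and its registry export."""
    files = [(windir, "uninstall", "rundl132.exe"), (windir, "RichDll.dll"), ("_desktop.ini",)]
    found = ["file:" + "\\".join(p).lower() for p in files if (h := find_ci(root, *p)) and h.is_file()]
    win, reg = find_ci(root, windir), parse_reg(reg_text)
    found += ["reg:" + n for k, n, ok in REG_IOCS if ok(reg.get(k.lower(), {}).get(n, ""))]
    exes = [p for p in Path(root).rglob("*") if p.suffix.lower() == ".exe" and p.is_file()]
    found += ["prepended:" + p.name for p in exes if win not in p.parents and looks_prepended(p)]
    return sorted(found)
```

Executables under the Windows directory are skipped in the prepend check because the description states the virus does not infect files there. A "prepended:" hit is only a lead for the scanner to confirm.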

Method of Infection

W32/HLLP.Philis.aw is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

Variants

    N/A

Overview

W32/Philis.ew is a file infecting virus. It scans for executable files in the infected machine and network shares to prepend them with its viral code.

Aliases

  • W32.Looked.P (Symantec)
  • W32/Looked-BL (Sophos)
  • Worm.Win32.Viking.fe (Kaspersky)
