Content

W32/HLLP.Philis!447C3DBE

Type
Virus
SubType
-
Discovery Date
09/12/2008
Length
133723
Minimum DAT
5382 (09/11/2008)
Updated DAT
5382 (09/11/2008)
Minimum Engine
N/A
Description Added
09/12/2008
Description Modified
09/12/2008 2:38 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File Property Property Value
FileName 100_17~1.exe
McAfee Detection W32/HLLP.Philis
Length 133,723 bytes
CRC 447C3DBE
MD5 5726F6CDCE8055C548CE077F68754D63
SHA1 84BD5E0DC05BF8AAABD612D49DE59A37E6102E09

Other Common Detection Aliases

Company Name Detection Name
Avira TR/Crypt.XPACK.Gen
eSafe (Alladin) Suspicious File [100]
microsoft TrojanDownloader:Win32/Frethog.A
norman w32/viking.gen5
Sophos ~Sus/UnkPacker
vba32 MalwareScope.Worm.Viking.2

AvertŪ Labs has observed the following system activities:

Activity Risk Level
Uses shared memory of other processes
 Low
Writes executable in the windows folder
 Low
Registers DLLs Informational

Other detections that have been observed.

FileName McAfee Supported
%WINDIR%\help\eb6c4499b05f.dll
 PWS-OnlineGames.y.dll

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\help\eb6c4499b05f.dll
  • %WINDIR%\help\eb6c4499b05f.exe

    The following registry elements have been created:

  • hkey_local_machine\software\classes\clsid\{1dbd6574-d6d0-4782-94c3-69619e719765}\
    • (default) = ssuudl
  • hkey_local_machine\software\classes\clsid\{1dbd6574-d6d0-4782-94c3-69619e719765}\inprocserver32\
    • (default) = c:\windows\help\eb6c4499b05f.dll
    • threadingmodel = apartment

    Symptoms

    This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

    Method of Infection

    Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

    Removal

    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Characteristics

    Characteristics -

    File Property Property Value
    FileName 100_17~1.exe
    McAfee Detection W32/HLLP.Philis
    Length 133,723 bytes
    CRC 447C3DBE
    MD5 5726F6CDCE8055C548CE077F68754D63
    SHA1 84BD5E0DC05BF8AAABD612D49DE59A37E6102E09

    Other Common Detection Aliases

    Company Name Detection Name
    Avira TR/Crypt.XPACK.Gen
    eSafe (Alladin) Suspicious File [100]
    microsoft TrojanDownloader:Win32/Frethog.A
    norman w32/viking.gen5
    Sophos ~Sus/UnkPacker
    vba32 MalwareScope.Worm.Viking.2

    AvertŪ Labs has observed the following system activities:

    Activity Risk Level
    Uses shared memory of other processes
    		 Low
    Writes executable in the windows folder
    		 Low
    Registers DLLs Informational

    Other detections that have been observed.

    FileName McAfee Supported
    %WINDIR%\help\eb6c4499b05f.dll
    		 PWS-OnlineGames.y.dll

    This sample can be identified by the following symptoms.

    System Changes

    These are general defaults for typical path variables. (Although they may differ, these examples are common.):
    %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
    %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
    %ProgramFiles% = \Program Files

    The following files have been added to the system:

  • %WINDIR%\help\eb6c4499b05f.dll
  • %WINDIR%\help\eb6c4499b05f.exe

    The following registry elements have been created:

  • hkey_local_machine\software\classes\clsid\{1dbd6574-d6d0-4782-94c3-69619e719765}\
    • (default) = ssuudl
  • hkey_local_machine\software\classes\clsid\{1dbd6574-d6d0-4782-94c3-69619e719765}\inprocserver32\
    • (default) = c:\windows\help\eb6c4499b05f.dll
    • threadingmodel = apartment

    Symptoms

    Symptoms -

    This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

    Method of Infection

    Method of Infection -

    Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

    Removal -

    Removal -

    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A