W32/Holar.c@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 12/04/2002
Length: 80,626 bytes
Minimum DAT: 4236 (12/04/2002)
Updated DAT: 4362 (05/19/2004)
Minimum Engine: 5.1.00
Description Added: 12/04/2002
Description Modified: 12/04/2002 7:47 PM (PT)
Risk Assessment:
Corporate User: Low-Profiled
Home User: Low-Profiled


Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Galil
  • W32/Lagel.A
  • W32/SfxDeth.A-mm
  • Worm/Holar.C

Characteristics

***Updated 12/4/2002 7:30PM PST***

This threat has an updated risk assessment of Low-Profiled due to the press article "New worm threatens files in Aust".

This virus spreads via e-mail, mailing itself to addresses extracted from files on the victim machine. In testing, outgoing messages sometimes carried multiple copies of the virus (up to 4 attachments per message).

The virus arrives in a message formatted as follows:

Subject: Fwd: Crazy illegal sex !
Attachment: iLLeGal.exe (80,626 bytes)
Body:

The message body begins with fake forwarded-message headers intended to make the message look as though it was forwarded from a Yahoo account. Beneath those headers, the following text is present:

Hii

Is it really illegal in da USA?
who knows :P
If u have a weak heart i warn u DON'T see dis Clip.
Emagine two young children havin crazy sex fo da first time togetha ! loooool i'm still wonderin where thier parents were?

Good Xuck , oh sorry :">
i mean Good Luck ;)

Bye

The attachment carries the icon normally associated with a Shockwave Flash file rather than a standard executable icon.

The virus drops the following files when it is executed (where %SysDir% is the Windows system directory, for example C:\WINDOWS\SYSTEM32):

  • %SysDir%\ILLEGAL.EXE (80,626 bytes) - dropper component (the same size as the e-mail attachment, i.e. a copy of the complete virus)
  • %SysDir%\MPLAYER.EXE (13,824 bytes) - mailing component (UPX-packed)
  • %SysDir%\SMTP.ocx (25,737 bytes) - SMTP library used by the mailer (UPX-packed)

The dropper component displays the following message box:

[Looooooooool , thanx fo da time u spend thinkin ov me]

Additionally the following window is displayed:

[it was a lil Joke don't be mad :)]

The following Registry value is set so that the mailing component runs at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"iLLeGaL" = %SysDir%\Mplayer.exe

This Registry hook is removed by cleaning with the indicated engine/DATs. Note that the RunServices key is processed only by Windows 95/98/ME; Windows NT-based systems (NT 4.0, 2000, XP) ignore it, so on those systems the entry is evidence of infection but does not restart the mailer at boot.

The virus also writes the following Registry value:

HKEY_LOCAL_MACHINE "iLLeGal" = 1

This value is not removed by the scanner and must be deleted manually.

Additionally, strings within the virus suggest a destructive payload: the deletion of all files on drives D:, E:, F: and G:. Because this is inferred from strings only, treat data on those drives of an infected machine as at risk and back it up before cleaning.

Symptoms

  • appearance of above dialogs
  • existence of the three files detailed above
  • existence of the Registry keys detailed above
  • outgoing messages matching description above
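As an added example (not from the original advisory and not the worm's own code), the following Python check turns the message description above into a gateway-style filter: it parses an RFC 822 message, compares the subject, looks for one distinctive line of the lure text in the body, and counts attachments named iLLeGal.exe whose decoded size is 80,626 bytes, so a message carrying up to four copies scores each of them. The sample messages are constructed inline; the addresses and the non-lure body text are placeholders.

```python
"""Gateway-style check for the W32/Holar.c@MM outgoing-message symptom.

Added example with constructed sample messages; nothing here is the worm's code.
"""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description: subject line, attachment name and
# size, and one distinctive line of the lure text.
LURE_SUBJECT = "Fwd: Crazy illegal sex !"
LURE_ATTACHMENT = "illegal.exe"      # compared case-insensitively (iLLeGal.exe)
LURE_SIZE = 80626                    # bytes, as listed in the description
LURE_BODY_LINE = "is it really illegal in da usa?"


def build_sample(attachments, subject=LURE_SUBJECT, lure_body=True):
    """Construct a test message (not a real capture) carrying the given
    [(filename, size_in_bytes), ...] attachments."""
    msg = EmailMessage()
    msg["From"] = "victim@example.invalid"       # placeholder addresses
    msg["To"] = "contact@example.invalid"
    msg["Subject"] = subject
    if lure_body:
        body = "Hii\n\nIs it really illegal in da USA?\nwho knows :P\n"
    else:
        body = "Quarterly report attached.\n"    # placeholder benign body
    msg.set_content(body)
    for name, size in attachments:
        # Placeholder payload of the right length; an MZ prefix stands in
        # for the executable, the rest is zero filler.
        msg.add_attachment(b"MZ" + b"\0" * (size - 2),
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


def score_message(raw):
    """Return the Holar.c indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"subject": False, "body": False,
                "lure_attachments": 0, "exe_attachments": 0}

    if (msg["Subject"] or "").strip().lower() == LURE_SUBJECT.lower():
        findings["subject"] = True

    text_part = msg.get_body(preferencelist=("plain",))
    if text_part is not None and LURE_BODY_LINE in text_part.get_content().lower():
        findings["body"] = True

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(".exe"):
            findings["exe_attachments"] += 1
        # Name and exact decoded size together identify the attached worm copy.
        if name == LURE_ATTACHMENT and len(payload) == LURE_SIZE:
            findings["lure_attachments"] += 1

    # A copy of the worm attached is conclusive on its own; the lure text
    # alone only counts when subject and body both match.
    findings["match"] = (findings["lure_attachments"] > 0
                         or (findings["subject"] and findings["body"]))
    return findings


if __name__ == "__main__":
    sample = build_sample([("iLLeGal.exe", LURE_SIZE)] * 4)
    print(score_message(sample))
```

The size comparison is done on the decoded payload, not on the base64 text, so transfer encoding does not skew it; a renamed or truncated executable under the same name is still reported through the `exe_attachments` count for a human to look at.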

Method of Infection

The virus mails itself to e-mail addresses harvested from files on the victim machine (the Temporary Internet Files folders).

The virus consists of three executables appended one after another, making up a '3-file sandwich':

DROPPER | MAILER | SMTP library

(See the list of 3 dropped files detailed above; the dropper writes the mailer and the SMTP library out of its own image.)

The dropper and mailer components are detected as W32/Holar.c@MM with the indicated engine/DATs.
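The sandwich layout above is what an analyst exploits when pulling the components apart. The following Python is an added example, not the worm's dropper code: it walks a blob for MZ headers, validates each against its PE signature, computes where the image ends from its section table, and splits off the next executable there; it also flags UPX0/UPX1 section names as a packer hint, which is what one would expect for the UPX-packed mailer and SMTP library. The three images it carves are constructed minimal PE files with placeholder bodies, not the real 80,626 / 13,824 / 25,737-byte components.

```python
"""Carve the appended executables of a '3-file sandwich' out of one blob.

Added example, not the worm's own code. The PE images built below are
constructed (minimal headers plus placeholder bodies) for testing the carver.
"""
import struct

PE_SIG = b"PE\0\0"


def pe_image_size(blob, off):
    """If blob[off:] starts with a plausible MZ/PE header, return
    (size_on_disk, section_names); otherwise None.

    The on-disk size is the end of the furthest section's raw data, which is
    how a carver finds where one appended executable stops and the next begins.
    """
    if blob[off:off + 2] != b"MZ" or len(blob) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or blob[pe:pe + 4] != PE_SIG or len(blob) < pe + 24:
        return None
    nsections = struct.unpack_from("<H", blob, pe + 6)[0]
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
    sect_table = e_lfanew + 24 + opt_size          # offset relative to image start
    end = sect_table + 40 * nsections              # at least the whole header
    if nsections == 0 or off + end > len(blob):
        return None
    names = []
    for i in range(nsections):
        hdr = off + sect_table + 40 * i
        names.append(blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    if off + end > len(blob):
        return None
    return end, names


def carve_pe_images(blob):
    """Split a blob of back-to-back PE images; stray 'MZ' bytes are skipped."""
    images = []
    pos = 0
    while True:
        idx = blob.find(b"MZ", pos)
        if idx == -1:
            break
        parsed = pe_image_size(blob, idx)
        if parsed is None:                 # not a real header, keep scanning
            pos = idx + 2
            continue
        size, names = parsed
        images.append({
            "offset": idx, "size": size, "sections": names,
            "upx": any(n.startswith("UPX") for n in names),   # packer hint
            "data": blob[idx:idx + size],
        })
        pos = idx + size                   # jump over the image body entirely
    return images


def build_pe(section_name, body):
    """Construct a minimal single-section PE32 file for exercising the carver."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                    # PE32 optional header (224 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    hdr_len = len(dos) + len(PE_SIG) + len(coff) + len(opt) + 40
    sect = struct.pack("<8sIIII", section_name, len(body), 0x1000,
                       len(body), hdr_len) + b"\0" * 16
    return dos + PE_SIG + coff + opt + sect + body


# Constructed stand-ins for the three components (placeholder bodies only).
DROPPER = build_pe(b".text", b"dropper-stub-" * 40 + b"MZ")  # stray MZ in body is never carved
MAILER = build_pe(b"UPX0", b"mailer-stub-" * 30)
SMTP_OCX = build_pe(b"UPX0", b"smtp-lib-stub-" * 50)
SANDWICH = DROPPER + MAILER + SMTP_OCX


if __name__ == "__main__":
    for img in carve_pe_images(SANDWICH):
        print(f"offset={img['offset']:6d} size={img['size']:6d} "
              f"sections={img['sections']} upx={img['upx']}")
```

On a real sample, replace SANDWICH with the file bytes. A component whose header is malformed is skipped and scanning resumes at the next valid MZ header, so compare the recovered sizes with the dropped-file sizes listed above before trusting the split.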

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A