Content
W32/HLLP.Hantaner.worm
- Type
- Virus
- SubType
- File Infector
- Discovery Date
- 12/05/2002
- Length
- 24064 bytes
- Minimum DAT
- 4237 (12/11/2002)
- Updated DAT
- 4306 (11/26/2003)
- Minimum Engine
- 5.1.00
- Description Added
- 12/12/2002
- Description Modified
- 06/10/2003 11:01 AM (PT)
Tab Navigation
Characteristics
This file-infecting virus specifically targets files that are downloaded from the web.
When an infected file is run, it will infect only files with the suffix EXE that are in the download folders for either Internet Explorer or KaZaa. It will prepend the files it infects, regardless of whether they are truly executables, or just named as such.
The specific location for the download directories will differ from one system to the next. For example, for KaZaa, this is generally \Program Files\KaZaA\My Shared Folder. The download folder information is gleaned by the virus from the registry and if there are no download directories specified, the virus will not run.
Files may be corrupted during infection such that they will no longer run, or they may run but will not function correctly.
Symptoms
Change in file-size or date stamps on files in the KaZaa or Internet Explorer download directories.
Method of Infection
This virus does not go memory resident and does not make any references to itself in startup locations. To infect other files on a system, an infected file must be run. These infected files would most likely be spread by downloading shared files over the KaZaa network from an infected user's system.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- MultiDropper-EX
- W32.HLLP.Handy (NAV)
- W32/HLLP.Hantaner.A (F-Prot)
- Win32.HLLP.Hantaner (AVP)
Characteristics
Characteristics -
This file-infecting virus specifically targets files that are downloaded from the web.
When an infected file is run, it will infect only files with the suffix EXE that are in the download folders for either Internet Explorer or KaZaa. It will prepend the files it infects, regardless of whether they are truly executables, or just named as such.
The specific location for the download directories will differ from one system to the next. For example, for KaZaa, this is generally \Program Files\KaZaA\My Shared Folder. The download folder information is gleaned by the virus from the registry and if there are no download directories specified, the virus will not run.
Files may be corrupted during infection such that they will no longer run, or they may run but will not function correctly.
Symptoms
Symptoms -
Change in file-size or date stamps on files in the KaZaa or Internet Explorer download directories.
Method of Infection
Method of Infection -
This virus does not go memory resident and does not make any references to itself in startup locations. To infect other files on a system, an infected file must be run. These infected files would most likely be spread by downloading shared files over the KaZaa network from an infected user's system.
Removal -
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
