Discovered: March 26, 2004
Updated: March 31, 2004 3:54:29 PM
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
W32.HLLP.Philis is a virus that infects portable executable files. When an infected file is executed, the virus extracts the host file as <filename>.tmp and executes it. The virus also creates the following copy of itself:
%Windir%\SOS.exe
It then creates the following registry entries so that it executes every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SOS = %Windir%\SOS.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\SOS = %Windir%\SOS.exe
It also creates the following registry key:
HKEY_CURRENT_USER\Software\Classes\legend of mir
The virus infects portable executable files with a .exe extension by prepending its code to them.
Finally, the virus queries the registry to retrieve the user's Legend of Mir 2 authentication information. This information is then emailed to predetermined addresses.
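An added example, not part of the original write-up: a Python check that parses a REGEDIT4-style registry export and reports the Run and RunServices values and the registry key listed above. The sample export, the function names and the default expansion of %Windir% to C:\WINDOWS are assumptions made for this example.

```python
import re

# Indicators from the write-up, lower-cased (registry paths are case-insensitive).
RUN_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": "sos",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices": "sos",
}
MARKER_KEY = r"hkey_current_user\software\classes\legend of mir"

# Constructed sample export (not real data); .reg files double the backslashes in values.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SOS"="C:\\WINDOWS\\SOS.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SOS"="C:\\WINNT\\SOS.exe"

[HKEY_CURRENT_USER\Software\Classes\legend of mir]
'''

def parse_reg(text):
    """Parse export text into {key: {value_name: string_data}}, all names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # string values only; hex/dword values are skipped
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name.lower()] = data
    return keys

def find_philis_indicators(keys, windir=r"C:\WINDOWS"):
    """Return (key, value_name, data, match_kind) tuples for each indicator present."""
    expected = (windir + r"\SOS.exe").lower()
    hits = []
    for key, name in RUN_VALUES.items():
        data = keys.get(key, {}).get(name)
        if data is not None:
            kind = "exact path" if data.lower() == expected else "name only"
            hits.append((key, name, data, kind))
    if any(k == MARKER_KEY or k.startswith(MARKER_KEY + "\\") for k in keys):
        hits.append((MARKER_KEY, None, None, "marker key"))
    return hits

if __name__ == "__main__":
    for hit in find_philis_indicators(parse_reg(SAMPLE)):
        print(hit)
```

A "name only" hit means a value named SOS exists but points somewhere other than the expected %Windir% path, so it needs manual review rather than automatic removal.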