W32.HLLW.Oror@mm


Discovered: August 27, 2002
Updated: February 13, 2007 11:40:10 AM
Type: Worm
Systems Affected: Windows


W32.HLLW.Oror@mm is a mass-mailing worm that sends itself to all email senders that it finds in incoming messages. The worm also spreads using mIRC, network shares, and mapped drives. It will attempt to close windows and delete files of various antivirus and firewall programs.

The email message arrives with the following characteristics:

Subject: The subject line can be one of the following:

  • Zdrasti..
  • Ohoo!!
  • Pisamce
  • Liubofta e kato Rai, no moje da boli kato Ad
  • TinKi WinKy!!
  • HeY :)
  • ZzZz :)
  • Vajno!!
  • Blondinkii:)
  • Hi BaBy :)
  • HeY..
  • aBcDeFgHiJkLmNoPqRsT..
  • Don't cry
  • Very Important
  • Miracle
  • LOVE is like HEAVEN but it can hurt like HELL.
  • Blondies Forever :)
  • Hi!!
  • WoWoWoWOWowo..
  • yoOo ;)

Attachment: The attachment can be one of the following:
  • Love Zodiak.exe
  • TNT!CC gEN.exe
  • Panda Anti-Worm.exe
  • Blondies.exe
  • mTV Charts.exe
  • Setup.exe
  • Osama Your Mamma.exe
  • [TNT]!CC geN.exe
  • Sorry.exe
  • Magic.exe
  • Love.exe
  • Zodiak.exe
  • mTV.exe
  • Faith.exe
  • Kama Sutra.exe
  • Fun.exe
  • Smile.exe
  • Pamela.exe
  • Candy.exe


Antivirus Protection Dates

  • Initial Rapid Release version August 28, 2002
  • Latest Rapid Release version March 23, 2017 revision 037
  • Initial Daily Certified version August 28, 2002
  • Latest Daily Certified version March 23, 2017 revision 041
  • Initial Weekly Certified release date August 28, 2002


Writeup By: Yana Liu

When W32.HLLW.Oror@mm runs, it does the following:

It displays the following fake message:



It copies itself as C:\%windir%\Rundll16.exe.

It adds the value

LoadCurrentProfile Rundll16.exe powprof.dll,LoadCurrentUserProfile

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

NOTE: %windir% is a variable. The worm locates the Windows folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It randomly chooses a file name from the C:\%system%\ folder and copies itself as one of the following:

  • C:\%system%\<the chosen file name plus "2k">.exe
  • C:\%system%\<the chosen file name plus "16">.exe
  • C:\%system%\<the chosen file name plus "32">.exe

For example, if the worm finds the file C:\Windows\System\Netapi.exe, it may copy itself as C:\Windows\System\Netapi16.exe.

NOTE: %System% is a variable. The worm locates the Windows System folder (by default this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location.

It inserts the following section into C:\Windows\Win.ini to cause this copy to run when you restart Windows 95/98/Me:

[windows]
run=C:\%System%\<the worm file>

The worm randomly chooses a subfolder in the C:\%ProgramFiles%\ folder and copies itself to this subfolder using the subfolder name plus "2k", "16", or "32" as its file name. It then adds a value that refers to this copy to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

For example, if the worm finds the subfolder C:\Program Files\Internet Explorer, it may copy itself as C:\Program Files\Internet Explorer\Internet Explorer2k.exe, and add the value

Internet Explorer C:\Program Files\Internet explorer\Internet Explorer2K.exe

to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

NOTE: C:\%ProgramFiles%\ is a variable. The worm locates the Program Files folder (by default this is C:\Program Files) and copies itself to a randomly chosen subfolder under that location.
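The persistence entries described above (the Run value, the Win.ini run= line, and the "existing name plus 2k/16/32" copies) can be checked offline from a copy of Win.ini and a dump of the Run key. The following Python script is an added example and is not part of the Symantec write-up; the file inventory, registry values and Win.ini text it uses are constructed sample data, and the scan() helper is a hypothetical wrapper.

```python
import re

# Indicators quoted in the write-up.
RUN_VALUE_NAME = "LoadCurrentProfile"
RUN_VALUE_DATA = "Rundll16.exe powprof.dll,LoadCurrentUserProfile"
SUFFIXES = ("2k", "16", "32")


def expected_copy_names(base_names):
    """Copy names the worm may use: a file stem (Netapi.exe -> Netapi) or a Program Files subfolder name, plus 2k/16/32 and .exe."""
    return [f"{base}{suffix}.exe" for base in base_names for suffix in SUFFIXES]


def _file_name(path):
    """Last path component, lower-cased, surrounding quotes stripped."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_run_values(run_values, suspects):
    """Return Run value names matching the exact Rundll16 entry or a suspect file name."""
    names = {n.lower() for n in suspects}
    hits = []
    for name, data in run_values.items():
        exact = (name.lower() == RUN_VALUE_NAME.lower()
                 and data.strip().lower() == RUN_VALUE_DATA.lower())
        if exact or _file_name(data) in names:
            hits.append(name)
    return hits


def check_win_ini(text, suspects):
    """Return run= lines of the [windows] section that launch a suspect file."""
    names = {n.lower() for n in suspects}
    hits, in_windows = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # section header
            in_windows = line.lower() == "[windows]"
        elif in_windows and line.lower().startswith("run="):
            value = line[4:].strip()
            # run= may list several programs separated by commas or spaces.
            candidates = [value] + re.split(r"[,\s]+", value)
            if any(c and _file_name(c) in names for c in candidates):
                hits.append(line)
    return hits


def scan(system_files, program_dirs, run_values, win_ini_text):
    """Hypothetical wrapper: build the suspect list from what is on disk, then check both locations."""
    stems = [f.rsplit(".", 1)[0] for f in system_files]
    suspects = expected_copy_names(stems + list(program_dirs)) + ["Rundll16.exe"]
    return {"run": check_run_values(run_values, suspects),
            "win_ini": check_win_ini(win_ini_text, suspects)}


# Constructed sample data imitating an infected Windows 98 machine (not real).
SAMPLE_SYSTEM_FILES = ["Netapi.exe", "Rundll32.exe"]
SAMPLE_PROGRAM_DIRS = ["Internet Explorer", "Outlook Express"]
SAMPLE_RUN_KEY = {
    "SystemTray": "SysTray.Exe",
    "LoadCurrentProfile": "Rundll16.exe powprof.dll,LoadCurrentUserProfile",
    "Internet Explorer": r"C:\Program Files\Internet explorer\Internet Explorer2K.exe",
}
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Windows\\System\\Netapi16.exe\n[Desktop]\nWallpaper=(None)\n"
```

Values flagged by check_run_values() are the ones the removal steps later in this write-up say to delete; the benign SystemTray entry is left alone because its file name is not derived from an existing name plus a worm suffix.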

The worm may create the following files:
  • C:\%windir%\Winfile.dll
  • C:\~msdos.---
  • C:\%windir%\Def12x.dll
  • C:\%windir%\Rn3a.vxd

NOTE: These files are all text files. They are not viral by themselves; therefore, Symantec antivirus products do not detect them. You will need to delete the files manually.

The worm shuts down all windows whose titles contain any of the following strings:
  • black
  • panda
  • shield
  • scan
  • mcafee
  • labs
  • zone
  • alarm
  • agent
  • avp
  • msie
  • navap
  • mstask
  • webcheck
  • iomon
  • nai_vs_stat
  • virus

The worm also searches for folders and subfolders whose names contain the following strings (where two strings are joined by "and", both must be present). It deletes all files in any of these folders that it finds:
  • labs and zone
  • kaspers
  • mcafee
  • panda
  • avp
  • pc
  • cillin
  • black and ice
  • norton and virus

The worm sends itself to all email addresses that it finds in incoming messages. It uses the current default email program to spread itself. The worm sends itself in one of the following email messages:

Subject:   Zdrasti..
Message:
Hey, kak
, ujas mi e toplo daji smqtam ei sq da si farlq edin dush che ne sa disha :) Skoro shti pratq onva det obeshtah, za sq mojesh da hvarlish edno oko na %s

Subject:  Ohoo!!
Message:  
Yoo, kak e havata, v momenta se 4ustvam mnoo qko i reshih da pisha na priqtelite :) nabarah edin mnoo zdrav site, %s  - Cool a? Aide chakam otgovor :)

Subject: Pisamce
Message:  
Neska mi se slu4iha kup neshta :)  Oshte ot sutrinta adski mi varvi, shte vzema da pusna edin fish ~~P V takova dobro nastroenie sam 4e reshih da vi pisha. Pri teb kak e, Neshto novo ima li? Osven vsi4ko ti pratih i iznenadka, sled kato q instalirash si vij shti sa poqvi mnoo qka madama v Tray-a :) I naposledak poshtata mi stoi tajno prazna tai che ... :)) Doskoro

Subject:  TinKi WinKy!!
Message:  
Zdrasti, trqq da proveda edin razgovor s dosta hora, ama shi vidim koga sha stane tova, naistina imam da kazvam mnogo neshta .. Ako imash i ti neshto da mi kazvash, ne se kolebai, a napishi edno pisamce. Vqrvai v me4tite si i gledai napred :))
 P.S. Pogledni attachmenta i vij dali shti dopadne :)) Kefi li te? Az mnoo mu sa radvah ;)) Bye

Subject:  HeY :)
Message:
Tiriritam tiriram :)) zDraVeI, neshto novo?? :) Kak varvi lqtoto? Plaj, basein, kuponi :) Beshe mi skuchno i si vikam shto da ne napisha nqkoi drugo pismo :> Kakvoto i da stava da jivee lqtoto i nie pokrai nego ~~~PpPpPp. Vij iznendkata ~pP Aide i chakam..

Subject:  HeY..
Message:
HeY.. Buddz what'z up :) How are you? I'm fine, 10x!! My friend Nina is here and we are.. You know :) Lalala !! I've just wanted to tell you. Btw check this site - %s, it's kewl :)) Cya

Subject:  aBcDeFgHiJkLmNoPqRsT..
Message:
Hi, Don't forget about MAL"F" :) And don't tell anybody :Ppp have you seen this site? It's very interesting!! :) %s .. Leave this away, how are you? Send me sth cool, plzz :) bye! :)

Subject:  Miracle
Message:  
All I need is a miracle, all i need is love.. YeS. That's true i love you my friends :) If you are wondering why I am so happy - i'll tell you - I am enga.. oOps, later..Bye and uhh unzip the attachment. It's the best joke, i've ever seen. Bye, see ya :)

Subject:  Don't cry
Message:
It won't be easy, you think it's strange, when I try to explain how i feel and I still want your love after all I have done. You won't believe me.. I had to let it happen, i had to change.. Hey, just kiddin' :) Madonna - "Don't cry" I've just wanted to .. Infact I don't know nothing i don't want to know anything :))) Do you like the funny program :) I'm waiting for the reply :>> Bye

Attachment: The attachment to any of these messages can be any of these files:
  • Magic.exe
  • Love.exe
  • Zodiak.exe
  • mTV.exe
  • Faith.exe
  • Kama Sutra.exe
  • Fun.exe
  • Smile.exe
  • Pamela.exe
  • Candy.exe

Alternatively, the email message may be one of these:

Subject:  Liubofta e kato Rai, no moje da boli kato Ad
Message:  
Zdr, izpratih na vsichki edna programka, mnoo qka, btw to imeto si pokazva. Subject-a e ot tam i ima i drugi mnogo qki misli. Moje da pokaje nai-podhodqshtiq partnior v liubofta :)) Ujasno e kak liubofta moje da ubie vsichko v teb.. Za shtastie ne vinagi e taka :) Bye !!
Attachment: Love Zodiak.exe

Subject:  ZzZz :)
Message:  
Zdrasti, kak q karash :) az sam dobre, makar che naposledak imam malko problemi. Tvarde mnogo mi se strupa navednaj, mai i rakata mi e s4upena.. Kvo da se pravi, takav e jivota.. Vchera namerih nqkav generator na kreditni karti i mai bachka, samo edin go probvah ama stana, vij dali pri teb sha raboti i umnata :) I ne zabravqi che "Liuboftaa e po cennaa ot vsi4ko" :)) Chao ti
Attachment: TNT!CC gEN.exe

Subject:  Vajno!!
Message:  
Ima nov opasen virus v neta! Razprostranqva se predimno po IRC i ICQ. Vnimavai da ne se zarazish, zashtoto iztriva Mp3-ki, Filmi i Dokumenti. Izpratih ti patch, koqto shte te zashtiti ot zarazqvane. Iskah da napisha po-dulgo pismo, no nqmah vreme, sorka :( Naposledak imam adski mnogo rabota nalqvo nadqsno :)) Inache kak varvi? Aide doskoro i watch out :)))
Attachment: Panda Anti-Worm.exe

Subject:  Blondinkii:)
Message:
Namerih edna mnoo qka programka i neznam zashto, no mi napomni za teb :)
Kakvo pravi blondinka kato rodi bliznaci? - Chudi se koi e vtoriq tatko :)
Kakva e razlikata mejdu 10 ovce i 3 blondinki? Otgovor: 7
Kak mojesh da razsmeesh blondinka v petak? - Kato i razkajesh vic vav vtornik :)
Zdrasti! kak si :) Kefqt li ta vicovete? Shegichka de :) Pratih ti q. Razkazva ti qki vicove za blondinki na 5 minuti :) Posmqh se za baq vreme napred :))) Bye, doskoro, i po chesto v chata, chao :}
Attachment: Blondies.exe

Subject:  Hi BaBy :)
Message:  
Hi baby, kak e :) ko si praikash? az si slusham muzichka - ATC i Mortal Kombat Soundtrack - Varhovni sa, napravo izbuhnah :))) Drapnah si gi ot neta s taq programka - ima 200 kubriliona klasacii :) Naposledak muzikata e edno ot malkoto mi udovolstviq
P.S. Obezatelno si drapni ATC - Why oh why.mp3 :))
Chao, doskoro!!
Attachment: mTV Charts.exe

Subject:  Very Important
Message:  
There is a very dangerous virus circulating in the net. It's called RoRo and it's using IRC to infect computers. This virus deletes movies, music and corrupt your windows installation. To prevent from infecting, install McAfee Anti-Script 2002. It's a 30-days demo..
So, how are you? Good, Bad? I'm oK. I wanted to write you a longer letter, but i didn't have enough time.. sorry. Bye
Attachment: Setup.exe

Subject:  LOVE is like HEAVEN but it can hurt like HELL.
Message:  
I've just found this program, and, I don't know why... but it reminded me of you. I read this there. There are cool ideas, especially about lOvE. i like it, but let's talk about you? Are you oK? Are you in love :))) I'm waiting for the replyyy :)) bye ~pPpP
Attachment: Love Zodiak.exe

Subject:  Blondies Forever :)
Message:
Hiya :) I've just wannted to send you these jokes
 - What do blondes wear behind their ears to attract men? Their ankles!!
 - Why did god invent the female orgasm? So blondes know when to stop screwing!!
 - What's the difference between a blonde and aeroplane? Not everyone's been in a aeroplane!
 - What is a blond with hair black colored? Artificial intelligence!
Attachment: Blondies.exe

Subject:  Hi!!
Message:
Hi baby :)) Whatz Uppp :)) I'm feelin extra power cause i got high in the sky :) sMiLe :oP~pPPPpp Where are you? What are you doing? I send you a c00l flAsh :) See you soon :)) Bye Bye
Attachment: Osama Your Mamma.exe

Subject: WoWoWoWOWowo..
Message:
Hi again.. You can't guess what i've found.. Finally i've found a working Credit Card generator!! I'm the richest man in the net :)) Don't tell or send it to anybody! How are you? What're you doing?
 Bye..
Attachment: Sorry.exe

Subject:  yoOo ;)
Message:
YoOo :)) What a nice day, what a nice time :) What a nice world :)) Do you have any ATC's mp3z? eXtreemly cool :) I've found them with this program, it's like Napster, but it's legal :))
 P.S. Download ATC - Why oh why.mp3 !!! Bye ~~~~ppPpP ;)
Attachment: mTV Charts.exe

The worm can copy itself to network shares and mapped drives by using the following file names:
  • Kama Sutra.exe
  • GiRlZ FoReVeR (Wow).exe
  • Nikita v1.1 (Zip).exe
  • Pamela Anderson (Porno Installation).exe
  • Britney Spears Naked.exe
  • Teen Sex Cam.exe
  • Kurnikova Screensaver (6+).exe
  • CrEdIt CaRdZ gEn.exe
  • SeX.eXe
  • Faith.exe

By overwriting mIRC script files, the worm also sends itself to mIRC users.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Reinstall Symantec antivirus product files if the worm deleted them.
  2. Update the virus definitions, run a full system scan, and delete all files that are detected as W32.HLLW.Oror@mm.
  3. Delete the value

    LoadCurrentProfile Rundll16.exe powprof.dll,LoadCurrentUserProfile

    from the registry key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Delete from the following registry key any values that refer to any worm files:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  5. Remove the text that the worm added to C:\Windows\Win.ini (Windows 95/98/Me only).
  6. Delete the following files if they exist:
    • C:\%windir%\Winfile.dll
    • C:\~msdos.---
    • C:\%windir%\Def12x.dll
    • C:\%windir%\Rn3a.vxd

For details on how to do this, read the following instructions.

To reinstall the antivirus software:
Attempt to start your Symantec antivirus software; for example, Norton AntiVirus. If it does not open, or if it does not function correctly, reinstall it from the original installation CD or downloaded files.

To scan for and delete the infected files:
  1. Obtain the most recent virus definitions. There are two ways to do this:
    • Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
    • Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

      Intelligent Updater virus definitions, and detailed instructions on how to download and install them, are available from the Symantec Security Response Web site.
  2. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
  3. Run a full system scan.
  4. If any files are detected as infected with W32.HLLW.Oror@mm, write down the file names and then click Delete.

To delete the values that the worm added to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
  1. Click Start, and click Run. The Run dialog box appears.
  2. Type regedit and then click OK. The Registry Editor opens.
  3. Navigate to the key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete these values:

    LoadCurrentProfile Rundll16.exe powprof.dll,LoadCurrentUserProfile
    Any value that refers to the file that was detected as infected and then deleted
  5. Exit the Registry Editor.

To remove the text that the worm added to C:\Windows\Win.ini (Windows 95/98/Me only):

NOTE: (For Windows Me users only) Due to the file-protection process in Windows Me, a backup copy of the file that you are about to edit exists in the C:\Windows\Recent folder. Symantec recommends that you delete this file before you continue with the steps in this section. To do this using Windows Explorer, go to C:\Windows\Recent, and in the right pane select the Win.ini file and delete it. It will be regenerated as a copy of the file that you are about to edit when you save your changes to that file.
  1. Click Start, and click Run.
  2. Type the following, and then click OK.

    edit c:\windows\win.ini

    The MS-DOS Editor opens.

    NOTE: If Windows is installed in a different location, make the appropriate path substitution.
  3. In the [windows] section of the file, look for an entry that is similar to

    run=C:\%system%\<the worm file>
  4. Select the entire line. Be sure that you have not selected any other text, and then press Delete.
  5. Click File, and click Save.
  6. Click File, and click Exit.

To delete the text files that the worm created:
(Optional; these files are not viral). Use Windows Explorer to locate and delete these files if they exist:
    • C:\%windir%\Winfile.dll
    • C:\~msdos.---
    • C:\%windir%\def12x.dll
    • C:\%windir%\rn3a.vxd
