W32.HLLP.Philis

Discovered: March 26, 2004
Updated: March 31, 2004 3:54:29 PM
Systems Affected: Windows

W32.HLLP.Philis is a virus that infects portable executable files with a .exe extension. It also attempts to steal authentication information for a video game.

W32.HLLP.Philis is a virus that infects portable executable files. When an infected file is executed, the virus extracts the host file as <filename>.tmp and executes it. The virus also creates the following copy of itself:
%Windir%\SOS.exe

It then creates the following registry entries so that it executes every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SOS = %Windir%\SOS.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\SOS = %Windir%\SOS.exe

It also creates the following registry key:
HKEY_CURRENT_USER\Software\Classes\legend of mir

The virus infects portable executable files with a .exe extension by prepending its code to them.

Finally, the virus queries the registry to retrieve the user's Legend of Mir 2 authentication information. This information is then emailed to predetermined addresses.
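
The registry entries listed above can be checked offline against a registry export. The following is an added example, not part of the original write-up: it parses `.reg` export text and reports which of the three registry indicators are present. The function names and the sample export are constructed for illustration, and the export is assumed to have been decoded to text already (regedit exports are typically UTF-16).

```python
import re

# Indicators from the write-up: (registry key, value name; None means "key exists").
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "SOS"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "SOS"),
    (r"HKEY_CURRENT_USER\Software\Classes\legend of mir", None),
]

# Constructed sample export (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SOS"="C:\\WINDOWS\\SOS.exe"

[HKEY_CURRENT_USER\Software\Classes\Legend of Mir]
'''

STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse .reg text into {lowercased key: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # Undo .reg escaping (\\ -> \, \" -> "); only string values matter here.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name.lower()] = data
    return keys

def find_philis_indicators(reg_text):
    """Return (key, value name, data) for each indicator present in the export."""
    keys, hits = parse_reg(reg_text), []
    for key, value in INDICATORS:
        entry = keys.get(key.lower())
        if entry is None:
            continue
        if value is None:
            hits.append((key, None, None))
        elif value.lower() in entry:
            hits.append((key, value, entry[value.lower()]))
    return hits

if __name__ == "__main__":
    for hit in find_philis_indicators(SAMPLE):
        print(hit)
```

Key and value names are compared case-insensitively because the registry treats them that way. A hit on the `SOS` value should be confirmed by checking that its data points to `SOS.exe` in the Windows directory.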