Virus Name: HLLP.Philis.lb
Risk Assessment: Low

Discovery Date: 12/10/2007
Min DAT: 5182

Type: Virus
SubType: Parasitic
Virus Characteristics
This variant's viral code, which is prepended to the beginning of infected files, is usually written in Delphi. When an infected EXE is run, it creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager H
  • HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"

    This virus also drops a file named Dll.dll (detected as W32/HLLP.Philis) in %WinDir%.
    It then injects this DLL into the Explorer.exe and IExplor.exe processes.
    This DLL is responsible for opening a backdoor and attempting to download password-stealing trojans.

    The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it finds an active machine it sends an ICMP ping request and waits for a response.
    After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine.

    If the virus is able to access a shared resource, it first copies "_desktop.ini" to the root of the share to mark the share as visited and then infects executables present in the share.

    While infecting executables via a network share, the virus does not limit itself to the specific file names mentioned above. In the case of a shared printer, the virus's infection routine effectively creates a printer job that prints the date contained in the "_desktop.ini" file the virus tries to copy.
     

    Symptoms
  • Presence of %WinDir%\RichDll.dll
  • Presence of registry entries as described
  • Presence of files named _desktop.ini in many folders.
    • These files have the system (S) and hidden (H) attributes set
    • These files are detected as W32/HLLP.Philis.ini
  • Increase in size of EXE files
  • Increase in disk activity (read and write)
  • HTTP network traffic to the aforementioned web address

    Method Of Infection
    W32/HLLP.Philis.gu is a file-infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.
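A host sweep for the indicators listed above (the dropped DLL names, _desktop.ini markers carrying the S and H attributes, and the two HKLM keys). This is an added example, not code from the original page or from the vendor's tooling; it assumes the DLL lands in %WinDir% and, when run off Windows, skips the attribute and registry checks.

```python
"""Sweep folders, %WinDir% and HKLM for the HLLP.Philis symptoms described above."""
import os
import stat
import sys

MARKER_NAME = "_desktop.ini"                # share/folder marker the virus copies
DROPPED_DLLS = ("Dll.dll", "RichDll.dll")   # both names appear in the description
REGISTRY_KEYS = (                            # HKLM subkeys created by the infected EXE
    r"SOFTWARE\Microsoft\DownloadManager",
    r"SOFTWARE\Soft\DownloadWWW",
)

def has_hidden_system_attrs(path):
    """True when the file carries both hidden (H) and system (S) attributes.
    Only Windows exposes st_file_attributes; elsewhere this reports False."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    wanted = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM
    return attrs & wanted == wanted

def find_marker_files(root):
    """Return (path, has_S_and_H) for every _desktop.ini under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == MARKER_NAME:
                full = os.path.join(dirpath, name)
                hits.append((full, has_hidden_system_attrs(full)))
    return hits

def find_dropped_dlls(windir):
    """Paths of the dropped DLL names that exist in the Windows directory."""
    candidates = (os.path.join(windir, n) for n in DROPPED_DLLS)
    return [p for p in candidates if os.path.isfile(p)]

def find_registry_keys():
    """HKLM keys from the description that exist; [] when winreg is unavailable."""
    try:
        import winreg
    except ImportError:
        return []
    present = []
    for sub in REGISTRY_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub):
                present.append("HKEY_LOCAL_MACHINE\\" + sub)
        except OSError:
            pass                             # key absent or not readable
    return present

def sweep(roots, windir=None):
    """Combine the three checks; windir defaults to %WINDIR% (assumed C:\\Windows)."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    return {"markers": [h for r in roots for h in find_marker_files(r)],
            "dlls": find_dropped_dlls(windir), "registry": find_registry_keys()}

if __name__ == "__main__":
    for key, val in sweep(sys.argv[1:] or [os.getcwd()]).items():
        print(key, val)
```

Run it with the share roots or drive letters to inspect as arguments; a marker flagged True for S+H, or any DLL or registry hit, matches the symptom list above.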
    Removal Instructions
    Use the specified engine and DAT files for detection and removal.

    Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

         1385 Shabakeh Gostar Eng