Type: Virus
SubType: Parasitic
Discovery Date: 05/15/2007
Length: 95,232
Minimum DAT: 5031 (05/15/2007)
Updated DAT: 5031 (05/15/2007)
Minimum Engine: 4.4.00
Description Added: 05/15/2007
Description Modified: 05/16/2007
W32/HLLP.Philis.kl is a file infecting virus. It searches for executable files on the compromised machine and prepends its viral code to such files. It is also responsible for dropping a .DLL (named RichDll.dll) file, which downloads files from a remote website.
Characteristics -
Upon execution, this variant copies itself into the %WinDir%\Uninstall folder as rundl132.exe and adds a load registry entry to activate itself on reboot. It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\auto: "1"
This variant drops a .DLL file named RichDll.dll (detected as W32/HLLP.Philis.dll since the 4892 DATs) in %WinDir%. It then injects this DLL into the Explorer.exe and IExplore.exe processes. This DLL is responsible for capturing account information for the online game Lineage. This thread also attempts to download the PWS-Lineage trojans from the following locations:
http://[removed].puma163.com/1630.exe
http://[removed].puma163.com/1631.exe
http://[removed].puma163.com/1632.exe
http://[removed].puma163.com/1633.exe
http://[removed].puma163.com/1634.exe
http://[removed].puma163.com/1635.exe
http://[removed].puma163.com/1636.exe
http://[removed].puma163.com/1637.exe
http://[removed].puma163.com/1638.exe
http://[removed].puma163.com/1639.exe
http://[removed].puma163.com/163a.exe
http://[removed].puma163.com/163b.exe
W32/HLLP.Philis.kl searches for executable files and prepends its viral code to target files.
The virus creates a file named "_desktop.ini" in every folder where an infection takes place. This file is created as a hidden system file and contains the date on which the virus was executed and visited the folder in which the file resides. The date is written in yyyy/mm/dd format.
The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it finds an active machine it sends an ICMP ping request and waits for a response.
After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine.
If the virus is able to access a shared resource, it first copies "_desktop.ini" to the root of the share to mark the share as visited and then infects executables present in the share.
While infecting executables via a network share, the virus does not limit itself to specific file names, as mentioned above. In the case of a shared printer, the virus's infection routine effectively creates a printer job that prints the date contained in the "_desktop.ini" file the virus tries to copy.
Symptoms -
Presence of %WinDir%\RichDll.dll
Presence of registry entries as described
Presence of files named _desktop.ini in many folders.
These files have the system (S) and hidden (H) attributes set
These files are detected as W32/HLLP.Philis.ini
Increase in size of EXE files
Increase in disk activity (read and write)
HTTP network traffic to the aforementioned web address
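As an added example (not McAfee's code or tooling), the following Python script checks two of the symptoms listed above from a defender's side: it walks a directory tree for "_desktop.ini" marker files whose content is a bare yyyy/mm/dd date (reporting whether the Hidden and System attributes are set when run on Windows), and it scans proxy-log lines for requests for the listed puma163.com payload names. The directory tree and the log lines are constructed inside the script for demonstration; the "[removed]" host prefix is kept as a placeholder exactly as the description shows it.

```python
"""Triage helpers for the W32/HLLP.Philis.kl symptoms described above.

Added example, not McAfee's code. The sample directory tree and proxy-log
lines are constructed here; only the indicator names ("_desktop.ini", its
yyyy/mm/dd date, the puma163.com download file names) come from the page.
"""
import os
import re
import tempfile
from pathlib import Path

MARKER_NAME = "_desktop.ini"
# The marker file holds only the visit date in yyyy/mm/dd form.
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}\s*$")
# Payload names listed in the description: 1630.exe .. 1639.exe, 163a.exe, 163b.exe.
DOWNLOAD_NAMES = [f"163{c}.exe" for c in "0123456789ab"]
# The host prefix is redacted on the page, so match any host under puma163.com.
URL_RE = re.compile(
    r"https?://[^\s/]*puma163\.com/("
    + "|".join(re.escape(n) for n in DOWNLOAD_NAMES)
    + r")\b",
    re.IGNORECASE,
)

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def has_hidden_system_attrs(path):
    """On Windows, True if both the Hidden and System attributes are set.
    Other platforms have no such attributes, so return None (unknown)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    wanted = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return (attrs & wanted) == wanted


def find_marker_files(root):
    """Walk `root` and return every _desktop.ini whose content is a bare
    yyyy/mm/dd date, as dicts with path, date and the attribute check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if MARKER_NAME not in files:
            continue
        p = Path(dirpath) / MARKER_NAME
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if DATE_RE.match(text):
            hits.append({"path": str(p), "date": text.strip(),
                         "hidden_system": has_hidden_system_attrs(p)})
    return hits


def match_download_urls(log_lines):
    """Return (line, payload_name) pairs for proxy-log lines that request
    one of the listed puma163.com payloads."""
    out = []
    for line in log_lines:
        m = URL_RE.search(line)
        if m:
            out.append((line.strip(), m.group(1).lower()))
    return out


def build_sample_tree():
    """Create a constructed directory tree with two marker files and two
    decoys (a normal desktop.ini and a _desktop.ini that is not a date)."""
    root = Path(tempfile.mkdtemp(prefix="philis_demo_"))
    (root / "share" / "tools").mkdir(parents=True)
    (root / "docs").mkdir()
    (root / "share" / MARKER_NAME).write_text("2007/05/15\n")
    (root / "share" / "tools" / MARKER_NAME).write_text("2007/05/16")
    (root / "docs" / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (root / "docs" / MARKER_NAME).write_text("[Settings]\nkey=value\n")
    return root


# Constructed proxy-log lines (not captured traffic); host kept as "[removed]".
SAMPLE_PROXY_LOG = [
    "2007-05-15 10:02:11 10.0.0.7 GET http://[removed].puma163.com/1630.exe 200",
    "2007-05-15 10:02:12 10.0.0.7 GET http://[removed].puma163.com/163a.exe 200",
    "2007-05-15 10:03:01 10.0.0.9 GET http://example.invalid/update.exe 200",
    "2007-05-15 10:04:40 10.0.0.7 GET http://[removed].puma163.com/index.html 200",
]

if __name__ == "__main__":
    for hit in find_marker_files(build_sample_tree()):
        print("marker:", hit)
    for line, name in match_download_urls(SAMPLE_PROXY_LOG):
        print("download request:", name, "<-", line)
```

The decoy files show why content matters: an ordinary desktop.ini, or a _desktop.ini that holds INI text rather than a date, is not reported, so the sweep can be run over large shares without drowning the result in Explorer's own files. On a Windows host the hidden_system field distinguishes the virus's marker (both attributes set) from a plain text file of the same name.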
Method of Infection -
W32/HLLP.Philis.kl is a file infecting virus. Infection starts with manual execution of the binary. For spreading, the virus also relies on improperly configured/protected (open) shared drives.
Removal -
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
McAfee