Win32.HLLW.Annil.1

Added to the Dr.Web virus database: 2004-04-02

Virus description added:

Description

Win32.HLLW.Annil.1 is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm's program module is FSG-packed and is 16,208 bytes in size.

The worm propagates via e-mail and the KaZaA file-sharing network.

It changes the start page of MS Internet Explorer and blocks the user's access to the system Registry Editor.

Spreading

To find e-mail addresses for propagation, the worm scans the local address book. It sends itself using its own built-in SMTP engine.

A mail message carrying the worm may look as follows.
The sender's address is spoofed: the worm picks it from a list of names stored in its body.
The subject may be one of the following:

Hello! 
Tommorow? 
News! 
Old classmate. 
Klex virus making its rounds. 
I found your password :) 
Do you want this? 
I finally finished my program! 
Your request. 
I've been hurt. But am alright.
Your beta test has arrived. 
Postmaster: Message Failure 
Postmaster: Undeliverable Mail 
Postmaster: Message Failure 
What is this? 
: New billing procedure. 
About %s 
%s not working. 
School tragedy! 
Bomb! 
School Policy! 
Bomb threat! 
School report. 
School danger!
Incorrect Address... 
Your dad. 
Hilarous joke. 
Your family. 
Faked emode.com results. 
Problem with %s... 
I can't load %s...
%s is screwing up. 
WTF is up with %s!!! 
The message body is chosen from a large list of texts; only a few of them are cited here.
  • I hope you're the one who asked for this, I don't really remember, but thought I might as well send it anyway.
  • Well a lot of people haven't heard very much about my "injury", but my insurance company said I should give this to everybody I know. Run it and you'll understand everything.
  • We have detected a security gap within Windows internal dll's, we suggest all users run this program which seals the gap. Otherwise, any damaged data will not be compinsated for by Microsoft.
  • Ha. Remember this guy?
  • Hey, I managed to get your password for your e-mail. I suggest you use this utility (I attached it) to fortify your account and you can also use it to retrieve other peoples passwords (don't try it on me, since I already used it to protect mine). I'll keep my name secret, I don't want to get sued :) . BTW, I'm sending this to more people than just you, but I used it on multiple people.
  • Hey, I found this on Download.com a while ago and forgot to send it too you. I thought you may be interested. It should be attached, if it isn't just e-mail me again.
  • The following message could not be sent because the recipients mailbox was full.
  • We have started a new billing procedure, see the attached invoice for more information. This message must have been sent to me by mistake, appearantly it's meant for you. Don't worry I didn't read all of it :).
  • Your dad told me to send this to you, i think you'll understand.
  • I got this from my dad's old attorney, he said it could be very useful to you.
  • I did a search for your name and I think someone faked your emode.com test results. See what you think: Results automatically attached.
  • I can't seem to get the site working, it always sends me to a URL with this file. What's wrong?
  • Sorry to bother you, but when I try to load the site it always gives me this file.
  • Is there any way to keep it from sending me this file? Thanks.
  • Why do you let the kids play this awful game?
  • The bomb threat you may get today might be real, see the image:
The attachment name is selected from the following list; most of the names carry a .scr extension:
MFCApp.exe 
dogs.scr 
gettogether.scr 
Invoice.scr 
yourmsg.scr 
file.scr 
BlueS-Injury.scr 
MSSecure.scr 
underdog 
will.scr 
joke.scr 
billing 
results
If the attachment's extension is .bat, .com, .exe, or .pif, its base name will be one of the following:
KlezRem 
PWordGet-Lite 
SnowBall 
gettogether 
underdog
The attachment may also have a double extension. If its second extension is .bat, .com, .exe, or .pif, its name may be chosen from the following list:
apache.exe 
index.scr 
unknownurl.pif 
autoupdate.exe 
oddfile.exe 
cgibin.com 
qk193.zip.exe 
servrequest.com
msupdate.exe 
screenshot.scr 
ie6upg.exe 
flash6.com 
The worm's program module may also arrive as a ZIP archive.
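The subject and attachment lists above are the indicators a mail gateway or an analyst can match on. The script below is an added example written for this page, not Dr.Web's code and not part of the worm: it turns the subject templates into a matcher (with `%s` treated as a wildcard), classifies attachment names by the rules in the lists above (known names, known base names with an executable extension, double extensions, `.scr` files, ZIP archives), and runs both checks over an RFC 822 message. The sample messages and all function names are the example's own, and the message is constructed, not a real capture.

```python
import re
from email import message_from_string
from typing import List

# Subject templates listed in the description above; "%s" is a placeholder
# the worm fills in at run time, so it is matched as a wildcard.
SUBJECT_TEMPLATES = [
    "Hello!", "Tommorow?", "News!", "Old classmate.", "Klex virus making its rounds.",
    "I found your password :)", "Do you want this?", "I finally finished my program!",
    "Your request.", "I've been hurt. But am alright.", "Your beta test has arrived.",
    "Postmaster: Message Failure", "Postmaster: Undeliverable Mail", "What is this?",
    ": New billing procedure.", "About %s", "%s not working.", "School tragedy!",
    "Bomb!", "School Policy!", "Bomb threat!", "School report.", "School danger!",
    "Incorrect Address...", "Your dad.", "Hilarous joke.", "Your family.",
    "Faked emode.com results.", "Problem with %s...", "I can't load %s...",
    "%s is screwing up.", "WTF is up with %s!!!",
]

# Full attachment names from the description (lower-cased for comparison).
KNOWN_ATTACHMENTS = {
    "mfcapp.exe", "dogs.scr", "gettogether.scr", "invoice.scr", "yourmsg.scr",
    "file.scr", "blues-injury.scr", "mssecure.scr", "will.scr", "joke.scr",
    "apache.exe", "index.scr", "unknownurl.pif", "autoupdate.exe", "oddfile.exe",
    "cgibin.com", "qk193.zip.exe", "servrequest.com", "msupdate.exe",
    "screenshot.scr", "ie6upg.exe", "flash6.com",
}
# Base names the worm pairs with a .bat/.com/.exe/.pif extension.
KNOWN_STEMS = {"klezrem", "pwordget-lite", "snowball", "gettogether", "underdog",
               "billing", "results"}
EXEC_EXTS = {".bat", ".com", ".exe", ".pif", ".scr"}


def _template_to_regex(template: str) -> "re.Pattern[str]":
    # Escape each literal piece, then join the pieces with a wildcard standing in for %s.
    pieces = [re.escape(p) for p in template.split("%s")]
    return re.compile(".+?".join(pieces), re.IGNORECASE)


SUBJECT_PATTERNS = [_template_to_regex(t) for t in SUBJECT_TEMPLATES]


def subject_matches(subject: str) -> bool:
    """True if the whole subject equals one of the worm's templates (wildcard for %s)."""
    normalized = " ".join(subject.split())  # collapse folded-header whitespace
    return any(p.fullmatch(normalized) for p in SUBJECT_PATTERNS)


def classify_attachment(filename: str) -> List[str]:
    """Reasons an attachment name looks like this worm; an empty list means no indicator."""
    name = filename.strip().lower()
    reasons: List[str] = []
    if name in KNOWN_ATTACHMENTS:
        reasons.append("name is in the worm's attachment list")
    parts = name.split(".")
    stem, exts = parts[0], ["." + p for p in parts[1:]]
    if exts and exts[-1] in EXEC_EXTS:
        if stem in KNOWN_STEMS:
            reasons.append("base name is in the worm's list and the extension is executable")
        if len(exts) >= 2:
            reasons.append("double extension ending in an executable type")
        if exts[-1] == ".scr":
            reasons.append(".scr screensavers are executables")
    elif exts and exts[-1] == ".zip":
        reasons.append("ZIP archive: the worm also arrives zipped, inspect the contents")
    return reasons


def triage(raw_message: str) -> List[str]:
    """Run both checks over an RFC 822 message and return human-readable findings."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    subject = msg.get("Subject", "")
    if subject_matches(subject):
        findings.append(f"subject matches a worm template: {subject!r}")
    for part in msg.walk():           # walk() yields the message itself if not multipart
        fn = part.get_filename()
        if not fn:
            continue
        for reason in classify_attachment(fn):
            findings.append(f"attachment {fn!r}: {reason}")
    return findings


# Constructed sample (not a real capture) using a subject and body from the lists above.
SAMPLE_MESSAGE = """\
From: someone@example.com
To: victim@example.com
Subject: Problem with the server...
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Sorry to bother you, but when I try to load the site it always gives me this file.
--XX
Content-Type: application/octet-stream; name="unknownurl.pif"
Content-Disposition: attachment; filename="unknownurl.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XX--
"""

BENIGN_MESSAGE = """\
From: colleague@example.com
To: victim@example.com
Subject: Lunch on Friday?

Are you free at noon?
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE):
        print(line)
    print("benign findings:", triage(BENIGN_MESSAGE))
```

The subject matcher requires a full-line match so that ordinary mail containing a phrase like "Hello!" inside a longer subject is not flagged; the attachment classifier is the stronger signal and should be weighted accordingly in a gateway rule.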

To spread through KaZaA, the worm reads the registry value
HKEY_CURRENT_USER\Software\Kazaa\Transfer\DlDir0
to locate the KaZaA shared folder and copies itself there under the following names:

AdobePhotoShopPlugin.com 
AnarchistCookbook.scr 
Annihilator.exe 
Annil-RemoveTool.exe 
blueprints.scr 
carmenelectra.scr 
CheatBook2003.scr 
Cold Mountain-flash.scr 
desktopmate.exe 
doom2.exe 
Eminem Unleashed-flash.scr 
f16Sim.exe 
funnyscreensaver.scr 
hl2source.com 
hotstuff.scr 
James Bond-flash.scr 
Madonna-Video.exe 
MatrixSaver.scr 
Opera7Beta.exe 
Passion.scr 
Resident Evil 2-flash.scr 
stripper.exe 
SuperBowlJanet-flash.scr 
The last samuri-flash.scr 
Warcraft3Beta.exe 
winXPcrack.exe 
winzip32.com 
winzip32.exe 
winzipcrack.exe 
XboxHack.com 

Action

When activated, the worm displays the following error message on the computer's screen.

    Title: System Error
    Text: File execution aborted: Unable to find MFC42.dll.
Once on a system, the worm does not copy itself to a fixed folder: its location is chosen at random, and the path to the copy is written to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The name of the value the worm adds to this key is the same as the name of its copy.

The worm changes the MS Internet Explorer start page by modifying the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main:
"Start Page" = "http://www.cnn.com"
"NotifyDownloadComplete" = 0

The worm disables the Registry Editor by setting the following value in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System:
"DisableRegistryTools" = 1