Win32.HLLM.Graz – mass mailing worm
Spreading:
1.Via e-mail as the message with zip-file attachment. Example of text message: You have received Protected Mail from MSN.com user. This message is addressed personally for you. To decrypt your message use the following details:
ID: 25747 Password: qeopgelhk
Keep your password in a safe place and under no circumstances give it to ANYONE.
Protected Mail and instruction is attached.
Best Regards,
Protected Mail System,
MSN.com
message.zip
data.zip
mail.zip
2.Via ICQ
It traces the traffic on the infected computer and gets UIN and the Password. It also gets the list of contacts for this given UIN. Users from the contact list get messages which contain hxxp://popcapfree.t35.com/ reference. This page suggests to download "universal key gun for PopCap games".
PopCap deluxe games absolutely free
you like PopCap deluxe games?Play them free and no limited
PopCap deluxe games without limit
I see your drive C:
you a hacked, look!
this is your local drives?not a joke:))
3.Http-server is created on the infected computer.
You’ll get virus body in the hta-format while trying to download anything from there. It can also be packed in the zip-format –depending on the type of askable file.
While loading the virus it copies its body to the %SystemRoot%\System32 folder under ms??.exe name and piles ms??32.dll file in the same folder. In order to provide autorun for its copy the cleared dll-file is registered in registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Actions
It backtraces traffic on definite ports and according to protocols takes apart transmission for further password extraction (telnet, smtp, pop3, ftp, icq, irc, ...).
Later this information is used for further virus spreading. For instance, message delivery through ICQ on behalf of the user by the whole contact list or infection of sites which have been accidentally updated through FTP.
Contains control function of WebMoney Keeper program.
Blocks access to those sites which has the following name-substrings:
fsi
vcatch
feste
norton
resplendence
softwin
filseclab
ntivi
una
panda
free-av
numentec
adware
trojan
freeav
phx.corporate-ir
alwil
agnitum
frsirt
secu
avg
altn
gdata.de
sina
grisoft
antiy
grisoft
skynet
bitdef
anvir
iavs
softbase
clam
asw
iss
sophos
hbedv
atdmt
kasper
spam
esafe
atwola
lavasoft
stocona
aladdin
avast
mcafee
symantec
quickhea
avp
messagel
trendmicro
avgate
awaps
microsoft
update
tds3
bitdefender
msn
viru
onecare
ca.com
my-etrust
webroot
ahnlab
drweb
nai.com
haker
vnunet
eset
networkass
spy
virdet
vnunet
nod32
itsafe
avinfo
fbi
norman
zonealarm
dpf
spfirewallsvc
zapro
xfilter
sppfw
ca
leviathantrial
kavpf
vsmon
looknstop
sspfwtry2
zlclient
mpftray
keypatrol
pavfnsvr
netlimiter
s-wall
avgcc
npgui
smc
fsdfwd
npfsvice
umxtray
dfw
npfmsg
persfw
fireballdta
npfc
pccpfw
fbtray
ccapp
tzpfw
goldtach
ccsetmgr
xeon
ipcserver
ccevtmgr
bullguard
aws
ccproxy
bgnewsui
jammer
symlcsvc
fw
armorwall
sndsrvc
fwsrv
armor2net
opfsvc
iamapp
opf
iamserv
ipatrol
blackd
spfw
P2P-Worm function.
Folders which contain "download", "upload", "incom", "share" in their names fill .zip archives with the following names:
ICQ_2006
winamp_5.2
3dsmax_9_(3D_Studio_Max)
ACDSee_9
Adobe_Photoshop_10_(CS3)
Adobe_Premiere_9_(2.0_pro)
Ahead_Nero_8
DivX_7.0
Internet_Explorer_7
Kazaa_4
Microsoft_Office_2006
Longhorn
which have virus copy in websetup.exe file.
Via tapping system API-functions this virus hides its process in the memory and its files on the disk.
2.Scan computer with Dr.Web® Scanner or freeware utility Dr.Web® CureIT!. It's necessary to apply action "Delete" to all files which were found.