
Win32.HLLM.Perf

(Email-Worm.Win32.Scano.gen, I-Worm/Scano, W32/Areses.dr, Parser error, Trojan.HTML.Dropper.B, TrojanDropper:VBS/Scano.gen, W32/Areses.gen, DeepScan:Generic.Malware.M!H@mmigndld.E5AF880C, W32/Areses.a@MM, Mal_VBSDrpr, Worm:Win32/Scano.dr, Generic.Malware.FM!H@mmigndld.706521FF, WORM_SCANO.AY, EXP/Scano, Generic.dw, I-Worm/Scano.AG, W32/Areses.f, Trojan.HTML.Dropper.A, Generic.SGO, Trojan.Dropper.VB.X, VBS/Inor, VBS.Scano.A@mm, I-Worm/Scano.AR, I-Worm/Scano.AQ)

Virus Type: Mass-mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: 17 872 bytes

Packed by: No

Technical Information

  • Spreads via e-mail as an attachment. Forges the sender’s address.
  • Mail subjects and bodies are in Russian.
  • The attachment is a .cab archive containing a dropper for the main virus body. The file name inside the archive starts with "new", "me", "you", "cool" or "Re" and has a double extension: the first is one of ".doc", ".txt", ".avi", ".mpeg", and the second is " .cpl" (with a leading space). Example: "me.doc .cpl" inside the me.cab archive.
  • Copies itself into the system folder as %systemroot%\csrss.exe (the legitimate csrss.exe resides in %systemroot%\system32\csrss.exe).
  • Launches additional services.exe and svchost.exe processes and injects code into them that maintains the autorun entry in the registry and the integrity of its csrss.exe carrier.
  • If the virus body is deleted, it is immediately restored from the copy kept in the memory of the infected services.exe process. At the same time a "Windows File Protection" operation is simulated.
  • The main part of the virus, running in the svchost.exe process, scans all available disks for e-mail addresses to mail itself to. It searches files with the following extensions:
    .adb, .asp, .cfg, .cgi, .mra, .dbx, .dhtm, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab, .wsh, .xls, .xml, .dhtml
  • Extracted addresses must not contain any of the following substrings:

    "@example." "Mailer-Daemon@" "-0"
    "2003" "@subscribe" ".00"
    "2004" "kasp" "@."
    "2005" "admin" "---"
    "2006" "icrosoft" "abuse"
    "@hotmail" "support" "panda"
    "@msn" "ntivi" "cafee"
    "@microsoft" "unix" "spam"
    "rating@" "bsd" "pgp"
    "f-secur" "linux" "@avp."
    "news" "listserv" "noreply"
    "update" "certific" "local"
    ".qmail" "torvalds@" "root@"
    ".gif" "sopho" "postmaster@"
    "anyone@" "@foo" ".0"
    "bugs@" "@iana" ".1"
    "contract@" "free-av" ".2"
    "feste" "@messagelab" ".3"
    "gold-certs@" "winzip" ".4"
    "help@" "google" ".5"
    "info@" "winrar" ".6"
    "nobody@" "samples" ".7"
    "noone@" "spm111@" ".8"
    "0000" ".." ".9"

  • On launch, the virus tries to download and directly execute an .exe file:

    http: // 85.249.23.43 / 0.exe

    or tries to obtain an encrypted list of addresses for further downloads:

    http: // 85.249.23.35/m2/ g.php
    http: // 207.46.250.119/g/ m.php
    http: // 84.22.161.192/s/ f.php

  • If a virtual machine is detected, the virus opens the www.nauy.com site and terminates.
  • Ensures its autorun at system reboot by writing the following registry entry:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Debugger = "C:\WINDOWS\csrss.exe"

  • System recovery instructions

    a) Download the Dr.Web CureIt! utility.
    b) Disconnect the computer from the local network and/or the Internet.
    c) Boot Windows in "Safe mode with command prompt".
    d) Enter and execute the command:
    reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /v Debugger /f
    e) Run the Dr.Web CureIt! utility or the antivirus disk scanner (if present). Scan the directory %SystemRoot% (C:\Windows by default). Apply the "delete" action to objects infected with Win32.HLLM.Perf.
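A defender-side check for the Image File Execution Options persistence described above and for the cleanup in step d), as an added example that is not part of the Dr.Web description: it parses a `reg export` dump of the IFEO key (the sample dump below is constructed), flags any Debugger value that points to a system-binary name outside System32 or is attached to a shell/logon process, and builds the matching `reg delete` command. The detection rules and the name lists are the example's own assumptions.

```python
"""Find IFEO "Debugger" persistence in a `reg export` dump (added example)."""
import re

IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Assumed heuristics: names a worm likes to borrow, and images whose debugger hijack
# runs at every logon. Neither list is from the Dr.Web description.
SYSTEM_BINARY_NAMES = {"csrss.exe", "services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SENSITIVE_IMAGES = {"explorer.exe", "userinit.exe", "winlogon.exe"}

# Constructed sample of what `reg export` of the IFEO key produces. The explorer.exe
# entry mirrors the value this worm writes; notepad.exe is a benign developer setting.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\windbg.exe"
"""

KEY_RE = re.compile(r"^\[.*\\Image File Execution Options\\([^\\\]]+)\]$")
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$')

def find_ifeo_debuggers(reg_text):
    """Return [{'image', 'debugger'}] for every per-image Debugger value in the dump."""
    entries, image = [], None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            image = key.group(1)
            continue
        value = DEBUGGER_RE.match(line.strip())
        if value and image:
            # reg export doubles backslashes inside string values; undo that.
            entries.append({"image": image, "debugger": value.group(1).replace("\\\\", "\\")})
    return entries

def classify(entry):
    """Reasons the entry looks like hijack persistence; an empty list means unremarkable."""
    path = entry["debugger"].lower()
    reasons = []
    if path.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and "\\system32\\" not in path:
        reasons.append("system binary name outside System32")
    if entry["image"].lower() in SENSITIVE_IMAGES:
        reasons.append("debugger set on a shell/logon process")
    return reasons

def cleanup_command(image):
    """The reg.exe command from the recovery steps, for the given image subkey."""
    return f'reg delete "{IFEO_ROOT}\\{image}" /v Debugger /f'
```

On a suspect host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file contents to find_ifeo_debuggers; reg export writes UTF-16, so open the file with encoding="utf-16".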

    System recovery recommendations

    1. Reboot Windows in Safe Mode.
    2. Use the Dr.Web® scanner or the free curing utility Dr.Web® CureIt! to scan local drives. The “Cure” action should be applied to all infected files.
    3. Restore the registry from the backup copy.

    Important! Before following these recommendations, set up the mail client you use so that it stores attachments as separate files rather than in the body of the message database. For example, in The Bat! such storage is enabled as follows: Account — Properties — Files & Directories — Keep attachment files — Separately in a special directory.


    Last updated: 2010-03-16 13:07:15 MSK