Win32.HLLM.Foo

(Win32.Mimail.E@mm, Email-Worm.Win32.Mimail.f, System error, TR/Crypt.XPACK.Gen, Parser error, WORM_MIMAIL.GEN, Win32.HLLW.Mimail.m, Email-Worm.Win32.Mimail.a, I-Worm/Mimail.F, I-Worm/Mimail.L, JS/Mimail.S, Win32.Mimail.C@mm, Win32/Mimail.P@mm, WORM_MIMAIL.AB, W32/Mimail@MM, WORM_MIMAIL.U, Win32.HLLW.Mimail.R, HTML_CODEBASE.FK, I-Worm/Mimail.P, Email-Worm.Win32.Mimail.d, Win32.Mimail.L@mm, I-Worm/Mimail.R.DROPPED, Win32.Mimail.R@mm, Win32.Mimail.M@mm, Win32.HLLW.Mimail.q)

Added to the Dr.Web virus database: 2003-11-03

Description

Win32.HLLM.Foo is a mass-mailing worm.
It affects computers running Windows 95/98/Me/NT/2000/XP. The worm distributes itself via e-mail using its own SMTP engine and arrives on users' computers as a ZIP archive named READNOW.ZIP. The worm's program module, packed with the UPX compression utility, is 10,912 bytes when zipped and 10,784 bytes in the form of readnow.doc.scr.

Launching

To secure its automatic execution at every Windows startup the worm adds the value
"SystemLoad32" = "%Windir%\SYSLOAD32.EXE"
to the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Spreading

Before the worm starts its mass-propagation routine it checks whether the computer is connected to the Internet by attempting to connect to www.google.com. It then sends itself to all the addresses harvested from files on the infected computer, which it saves in the file eml.tmp in the Windows folder. Files with the following extensions are excluded from the address search:

.avi
.bmp
.cab
.com
.dll
.exe
.gif
.jpg
.mp3
.mpg
.ocx
.pdf
.psd
.rar
.tif
.vxd
.wav
.zip
The worm distributes itself using its own SMTP engine. A mail message carrying Win32.HLLM.Foo looks as follows:
    Sender: john@[domain name of the recipient]
    Subject: don't be late! [random symbols]
    Message text:
    Will meet tonight as we agreed, because on Wednesday I don't think
    I'll make it, so don't be late. And yes, by the way here is the file you asked for.
    It's all written there. See you. [random symbols]

    Attachment: READNOW.ZIP

Inside the archive resides the readnow.doc.scr file.
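The message template above is specific enough to be matched at the mail gateway. The following is an added example, not part of the Dr.Web description, that checks a raw RFC 822 message for the indicators the Spreading section lists: a sender of the form john@<recipient's own domain>, a subject beginning "don't be late!", and a READNOW.ZIP attachment that contains readnow.doc.scr. The sample message, the addresses alice@example.org and bob@example.net, and the attachment payload bytes are all constructed for the example; the ZIP entry holds placeholder bytes, not the worm.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators taken from the worm's message template described above.
SUBJECT_PREFIX = "don't be late!"
ATTACHMENT_NAME = "readnow.zip"
DROPPED_NAME = "readnow.doc.scr"


def build_sample_message(malicious: bool = True) -> bytes:
    """Construct a sample RFC 822 message in memory (constructed test data, not a capture).

    The malicious variant reproduces the indicators from the description;
    the ZIP entry holds placeholder bytes, not the worm.
    """
    msg = EmailMessage()
    msg["To"] = "alice@example.org"          # assumed recipient
    if malicious:
        msg["From"] = "john@example.org"     # 'john@' + the recipient's own domain
        msg["Subject"] = "don't be late! kd82x"
        msg.set_content("Will meet tonight as we agreed, because on Wednesday "
                        "I don't think I'll make it, so don't be late. kd82x")
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("readnow.doc.scr", b"MZ" + b"\x00" * 64)  # placeholder bytes
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="zip", filename="READNOW.ZIP")
    else:
        msg["From"] = "bob@example.net"
        msg["Subject"] = "Quarterly figures"
        msg.set_content("Figures attached as discussed.")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="figures.pdf")
    return msg.as_bytes()


def find_indicators(raw: bytes) -> list[str]:
    """Return the list of Mimail-style indicators present in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: list[str] = []

    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    sender_local, _, sender_domain = sender.partition("@")
    recipient_domain = recipient.partition("@")[2]
    # The worm forges 'john@<recipient's own domain>' as the sender.
    if sender_local == "john" and sender_domain and sender_domain == recipient_domain:
        hits.append("sender_john_at_recipient_domain")

    if str(msg.get("Subject", "")).lower().startswith(SUBJECT_PREFIX):
        hits.append("subject_dont_be_late")

    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename != ATTACHMENT_NAME:
            continue
        hits.append("attachment_readnow_zip")
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # name matched but content is not a ZIP; the name hit stands on its own
        if DROPPED_NAME in names:
            hits.append("zip_contains_readnow_doc_scr")
    return hits


def is_mimail_like(raw: bytes) -> bool:
    """Classify as the worm's message only when an attachment indicator is present
    together with at least one header indicator, so a legitimate mail that merely
    reuses the subject line is not quarantined."""
    hits = set(find_indicators(raw))
    attachment_hit = {"attachment_readnow_zip", "zip_contains_readnow_doc_scr"} & hits
    header_hit = {"sender_john_at_recipient_domain", "subject_dont_be_late"} & hits
    return bool(attachment_hit) and bool(header_hit)


if __name__ == "__main__":
    print(find_indicators(build_sample_message(True)))
    print(is_mimail_like(build_sample_message(False)))
```

The classification deliberately requires the attachment indicator: the subject line alone is ordinary text, and the forged sender only stands out because the local part "john" is fixed while the domain is copied from the recipient, which is why both the local part and the domain comparison are checked rather than the domain alone.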

Action

When the user runs readnow.doc.scr from the ZIP archive, the worm copies itself to the Windows folder as SYSLOAD32.EXE. The worm also creates several more files in the same folder:

  • exe.tmp - a copy of the worm named readnow.doc.scr
  • eml.tmp - the file in which the worm stores the mail addresses harvested from the system
  • zip.tmp - a copy of readnow.zip, which the worm attaches to mail messages
The worm launches a DoS attack against the following web sites:
mysupersales.com
www.mysupersales.com
mysupersales.net
www.mysupersales.net
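The autostart value from the Launching section and the dropped files from the Action section are the host-side artifacts an incident responder would look for. The following is an added example, not part of the Dr.Web description, that checks both: it parses a registry export in regedit's .reg format for a Run or RunOnce value named SystemLoad32 or pointing at SYSLOAD32.EXE, and it lists the worm's dropped-file names found in a Windows folder. The .reg text and the temporary folder (with placeholder files, not the worm) are constructed for the example.

```python
import os
import tempfile

# Artifacts named in the Launching and Action sections above.
RUN_VALUE_NAME = "systemload32"
RUN_VALUE_TARGET = "sysload32.exe"
DROPPED_FILES = {"sysload32.exe", "exe.tmp", "eml.tmp", "zip.tmp"}

# Constructed .reg export standing in for a real one. In this format
# backslashes inside string values are doubled.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SystemLoad32"="%Windir%\\SYSLOAD32.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\cleanup.exe"
"""


def find_run_persistence(reg_export: str) -> dict[str, str]:
    """Return Run/RunOnce values whose name or target matches the worm's autostart entry."""
    findings: dict[str, str] = {}
    current_key = ""
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if not (current_key.endswith(r"\currentversion\run")
                or current_key.endswith(r"\currentversion\runonce")):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        name = name.strip().strip('"')
        value = value.strip().strip('"').replace("\\\\", "\\")  # undo .reg escaping
        if name.lower() == RUN_VALUE_NAME or value.lower().endswith(RUN_VALUE_TARGET):
            findings[name] = value
    return findings


def create_sample_windir() -> str:
    """Build a throwaway directory imitating an infected Windows folder (constructed data)."""
    windir = tempfile.mkdtemp(prefix="windir_")
    for name in ("SYSLOAD32.EXE", "exe.tmp", "eml.tmp", "zip.tmp", "win.ini", "notepad.exe"):
        with open(os.path.join(windir, name), "wb") as fh:
            fh.write(b"placeholder")  # placeholder bytes, not the worm
    return windir


def find_dropped_files(windir: str) -> list[str]:
    """Return the worm's dropped-file names present in the given folder, sorted."""
    return sorted(n for n in os.listdir(windir) if n.lower() in DROPPED_FILES)


if __name__ == "__main__":
    print(find_run_persistence(SAMPLE_REG_EXPORT))
    print(find_dropped_files(create_sample_windir()))
```

Matching on both the value name and the target filename matters: the registry value name is the part an attacker can change most cheaply, while the target path is tied to the file the worm actually drops, so either one alone would give a weaker rule.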