Win32.HLLM.Perf
(W32/Areses.dr, MalwareScope.Trojan-PSW.Pinch.1, TR/Crypt.XPACK.Gen, Email-Worm.Win32.Scano.ay, WORM_SCANO.AY, EXP/Scano, Trojan.HTML.Dropper.A, W32/Areses.f, VBS/Inor, Email-Worm.Win32.Scano.gen, I-Worm/Scano, TrojanDropper:VBS/Scano.gen, WORM_SCANO.BH, VBS/Drop.Inor.CT, I-Worm/Scano.BJ, Dropper.Inor, TR/Crypt.UPKM.Gen, W32/Areses.a@MM, Worm:Win32/Scano.dr, Mal_VBSDrpr, TR/Vundo.Gen, I-Worm/Scano.BP, Generic.dw, Generic.SGO, I-Worm/Scano.AR, HTML/Drop.Scano.L)
Virus description added:
2006-04-05
Virus Type:
Mass mailing worm
Affected OS: Win95/98/Me/NT/2000/XP
Size: 17 872 byte
Packed by: No
Technical Information
Spreads via e-mail in form of application. Falsifies sender’s address.
Mail subjects and bodies are in Russian.
.cab archive is created as an application. This archive contains dropper of the main virus body. File name starts with "new", "me","you","cool" or "Re" and has double extension. First extension is from ".doc", ".txt",".avi", ".mpeg" list and the second one is " .cpl". Example "me.doc .cpl" inside me.cab archive.
Copies itself in system folder with %systemroot%\csrss.exe name (present csrss.exe is located in %systemroot%\system32\csrss.exe).
Loads optional processes services.exe и svchost.exe. Implants code which supports autorun record in registry and integrity of its csrss.exe carrier.
If virus body is deleted, it will be immediately restored from copy which is kept in the memory of services.exe process which is infected. At the same time "Windows file protection" operation is simulated.
Main part of the virus in svchost.exe process scans all available disks in search of mail addresses for distribution. For that it uses files with the following extensions:
adb, .asp, .cfg, .cgi .mra, .dbx, .dhtm, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .sht, .shtm, .stm, .tbb, .txt, .uin, .wab, .wsh, .xls, .xml, .dhtml
Extracted addresses shouldn’t contain the following substrings:
| "@example." | "Mailer-Daemon@" | "-0" |
| "2003" | "@subscribe" | ".00" |
| "2004" | "kasp" | "@." |
| "2005" | "admin" | "---" |
| "2006" | "icrosoft" | "abuse" |
| "@hotmail" | "support" | "panda" |
| "@msn" | "ntivi" | "cafee" |
| "@microsoft" | "unix" | "spam" |
| "rating@" | "bsd" | "pgp" |
| "f-secur" | "linux" | "@avp." |
| "news" | "listserv" | "noreply" |
| "update" | "certific" | "local" |
| ".qmail" | "torvalds@" | "root@" |
| ".gif" | "sopho" | "postmaster@" |
| "anyone@" | "@foo" | ".0" |
| "bugs@" | "@iana" | ".1" |
| "contract@" | "free-av" | ".2" |
| "feste" | "@messagelab" | ".3" |
| "gold-certs@" | "winzip" | ".4" |
| "help@" | "google" | ".5" |
| "info@" | "winrar" | ".6" |
| "nobody@" | "samples" | ".7" |
| "noone@" | "spm111@" | ".8" |
| "0000" | ".." | ".9" |
During launching this virus tries to download and execute directly .exe file.
http: // 85.249.23.43 / 0.exe
or tries to get encrypted address list for further downloading:
http: // 85.249.23.35/m2/ g.php
http: // 207.46.250.119/g/ m.php
http: // 84.22.161.192/s/ f.php
In case of virtual machine detection virus opens www.nauy.com site and completes its operation.
Provides its autorun during system reboot via recording in registry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe Debugger = "C:\WINDOWS\csrss.exe"
System Recovery References
a) Download Dr.Web CureIt! utility.
b) Disconnect the computer from local network and/or Internet.
c) Load Windows in "Safe mode with command prompt" mode.
d) Enter and execute command:
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\explorer.exe" /v Debugger /f
e) Run the Dr.Web CureIt! utility or antivirus disk scanner (if
present). Scan directory: %SystemRoot% (C:\Windows by default). Apply
"delete" action for objects infected with Win32.HLLM.Perf.
