Description
Win32.HLLM.Expletus.45056 is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The size of the worm's program module, FSG-packed, is 16,208 bytes.
The worm propagates via e-mail and the KaZaA file-sharing network.
It changes the MS Internet Explorer start page and blocks the user's access to the system registry editor.
Spreading
In search of e-mail addresses for propagation, the worm scans the local address book. It sends itself using its own built-in SMTP engine.
The mail message infected with the worm may look as follows.
The sender's address is spoofed by the worm from the list of names stored in its body.
The subject may be one of the following:
Hello! Tommorow? News! Old classmate. Klez virus making its rounds. I found your password :) Do you want this? I finally finished my program! Your request. I've been hurt. But am alright. Your beta test has arrived. Postmaster: Message Failure Postmaster: Undeliverable Mail Postmaster: Message Failure What is this? : New billing procedure. About %s %s not working. School tragedy! Bomb! School Policy! Bomb threat! School report. School danger!. Incorrect Address... Your dad. Hilarous joke. Your family. Faked emode.com results. Problem with %s... I can't load %s... %s is screwing up. WTF is up with %s!!!
The message body is chosen from a large list of texts; we cite just a few of them:
- I hope you're the one who asked for this, I don't really remember, but thought I might as well send it anyway.
- Well a lot of people haven't heard very much about my "injury", but my insurance company said I should give this to everybody I know. Run it and you'll understand everything.
- We have detected a security gap within Windows internal dll's, we suggest all users run this program which seals the gap. Otherwise, any damaged data will not be compinsated for by Microsoft.
- Ha. Remember this guy?
- Hey, I managed to get your password for your e-mail. I suggest you use this utility (I attached it) to fortify your account and you can also use it to retrieve other peoples passwords (don't try it on me, since I already used it to protect mine). I'll keep my name secret, I don't want to get sued :) . BTW, I'm sending this to more people than just you, but I used it on multiple people.
- Hey, I found this on Download.com a while ago and forgot to send it too you. I thought you may be interested. It should be attached, if it isn't just e-mail me again.
- The following message could not be sent because the recipients mailbox was full.
- We have started a new billing procedure, see the attached invoice for more information. This message must have been sent to me by mistake, appearantly it's meant for you. Don't worry I didn't read all of it :).
- Your dad told me to send this to you, i think you'll understand.
- I got this from my dad's old attorney, he said it could be very useful to you.
- I did a search for your name and I think someone faked your emode.com test results. See what you think: Results automatically attached.
- I can't seem to get the site working, it always sends me to a URL with this file. What's wrong?
- Sorry to bother you, but when I try to load the site it always gives me this file.
- Is there any way to keep it from sending me this file? Thanks.
- Why do you let the kids play this awful game?
- The bomb threat you may get today might be real, see the image:
MFCApp.exe dogs.scr gettogether.scr Invoice.scr yourmsg.scr file.scr BlueS-Injury.scr MSSecure.scr underdog will.scr joke.scr billing results
If the attachment's extension is .bat, .com, .exe, or .pif, its name will be one of the following:
KlezRem PWordGet-Lite SnowBall gettogether underdog
The attachment may also have a double extension. If its second extension is .bat, .com, .exe, or .pif, its name may be chosen from the following list:
apache.exe index.scr unknownurl.pif autoupdate.exe oddfile.exe cgibin.com qk193.zip.exe servrequest.com msupdate.exe screenshot.scr ie6upg.exe flash6.com
The worm's program module may also arrive as a ZIP archive.
To propagate through KaZaA, the worm queries the registry entry
HKEY_CURRENT_USER\Software\Kazaa\Transfer\DlDir0
to find the KaZaA shared folder and copies itself there under one of the following names:
AdobePhotoShopPlugin.com AnarchistCookbook.scr Annihilator.exe Annil-RemoveTool.exe blueprints.scr carmenelectra.scr CheatBook2003.scr Cold Mountain-flash.scr desktopmate.exe doom2.exe Eminem Unleashed-flash.scr f16Sim.exe funnyscreensaver.scr hl2source.com hotstuff.scr James Bond-flash.scr Madonna-Video.exe MatrixSaver.scr Opera7Beta.exe Passion.scr Resident Evil 2-flash.scr stripper.exe SuperBowlJanet-flash.scr The last samuri-flash.scr Warcraft3Beta.exe winXPcrack.exe winzip32.com winzip32.exe winzipcrack.exe XboxHack.com
Action
When activated, the worm displays the following error message on the computer's screen.
Title: System Error
Text: File execution aborted: Unable to find MFC42.dll.
The worm registers itself for autorun by adding a value to the registry entry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The name of the value, added by the worm to this entry, will be the same as the name of its copy.
The worm changes the MS Internet Explorer start page by modifying the registry key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Start Page" = "http://www.cnn.com"
"NotifyDownloadComplete" = 0
The worm disables the system registry editor by modifying the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools" = 1
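The following PowerShell script is an added example, not part of the original description or of any vendor tool: it audits a Windows host for the registry indicators listed above (an autorun value referencing one of the worm's file names, the forced IE start page, the silenced download notification and the registry-editor lock) and, with -Remediate, removes the DisableRegistryTools value. It assumes it runs in the affected user's session and that the file names in $knownNames are a subset of the lists quoted in the description.

```powershell
# Added example: audit Win32.HLLM.Expletus.45056 registry indicators.
# Assumption: run as the affected user; reads HKLM, writes only HKCU.
param([switch]$Remediate)

$findings = @()

# 1. Autorun values whose data references a file name from the worm's lists
#    (the autorun value name equals the name of the worm's copy).
$knownNames = @('MFCApp.exe','dogs.scr','gettogether.scr','Invoice.scr','yourmsg.scr',
    'file.scr','BlueS-Injury.scr','MSSecure.scr','will.scr','joke.scr','winzip32.exe',
    'winzip32.com','Annihilator.exe','Annil-RemoveTool.exe','MatrixSaver.scr')
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
        foreach ($n in $knownNames) {
            if ("$($p.Value)" -like "*$n*") {
                $findings += "Run value '$($p.Name)' references $n : $($p.Value)"
            }
        }
    }
}

# 2. IE start page forced to www.cnn.com and download notification silenced.
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
    -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.'Start Page' -match '^http://www\.cnn\.com') {
    $findings += "IE Start Page set to $($ieMain.'Start Page')"
}
if ($ieMain -and $ieMain.NotifyDownloadComplete -eq 0) {
    $findings += 'IE NotifyDownloadComplete = 0'
}

# 3. Registry editor lock; this is the only value the script changes.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegistryTools -eq 1) {
    $findings += 'DisableRegistryTools = 1 (regedit blocked)'
    if ($Remediate) {
        Remove-ItemProperty -Path $polKey -Name DisableRegistryTools
        $findings += 'Removed DisableRegistryTools'
    }
}

if ($findings.Count -eq 0) { 'No Expletus indicators found.' } else { $findings }
```

A match on the start page alone is weak evidence, since a user may legitimately choose that site; the autorun finding together with the registry-editor lock is the combination worth acting on.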