Win32.HLLM.Graz – mass mailing worm
1. Via e-mail, as a message with a zip-file attachment. Example message text:
ID: 25747 Password: qeopgelhk
Keep your password in a safe place and under no circumstances give it to ANYONE.
Protected Mail and instruction is attached.
Protected Mail System,
2. Via ICQ. The worm sniffs traffic on the infected computer to obtain the user's ICQ UIN and password, then retrieves the contact list for that UIN. Every contact receives a message containing a link to hxxp://popcapfree.t35.com/, a page that offers a download of a "universal key gun for PopCap games". Examples of the message text sent to contacts:
PopCap deluxe games absolutely free
you like PopCap deluxe games?Play them free and no limited
PopCap deluxe games without limit
I see your drive C:
you a hacked, look!
this is your local drives?not a joke:))
3. An HTTP server is started on the infected computer.
Any attempt to download something from it returns the virus body, in HTA format or, depending on the type of file requested, packed into a ZIP archive.
On launch, the virus copies its body to the %SystemRoot%\System32 folder as ms??.exe and drops an ms??32.dll file in the same folder. To have its copy started automatically, the dropped DLL is registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the key lists CLSIDs of in-process COM objects that the shell loads at startup).
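As a concrete check for this persistence mechanism, here is an added example (not part of the original description and not a Dr.Web tool) that reads a `reg export` of the ShellServiceObjectDelayLoad key together with an export of the CLSID keys, resolves each entry to the DLL its CLSID loads, and flags entries whose DLL name fits the ms??32.dll pattern or whose CLSID cannot be resolved at all. The registry text embedded in the script is a constructed sample (the WebCheck line mimics a stock entry; the other CLSIDs are placeholders), and reading `??` as two arbitrary characters is an assumption.

```python
import os
import re
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# Persistence key named in the description above.
SSODL_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")

# The description names the dropped DLL ms??32.dll; "??" is assumed to mean
# two arbitrary characters.
SUSPECT_DLL_NAME = re.compile(r"^ms..32\.dll$", re.IGNORECASE)

Entry = Tuple[str, str, Optional[str]]           # (value name, CLSID, DLL path or None)
Finding = Tuple[str, str, Optional[str], str]     # same plus the reason it was flagged


def _logical_lines(text: str) -> Iterator[str]:
    """Join .reg continuation lines (a trailing backslash) into one logical line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: data}}.

    REG_SZ ("name"="data") and REG_EXPAND_SZ (hex(2):...) values are decoded;
    other value types are skipped. The @ default value is stored as "(Default)".
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            vname = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # undo .reg escaping of backslashes and quotes
                keys[current][vname] = re.sub(r"\\(.)", r"\1", data[1:-1])
            elif data.lower().startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                keys[current][vname] = raw.decode("utf-16-le").rstrip("\x00")
    return keys


def resolve_ssodl(keys: Dict[str, Dict[str, str]]) -> List[Entry]:
    """Map every ShellServiceObjectDelayLoad value to the DLL its CLSID loads.

    The CLSID is looked up under HKCR\CLSID and HKLM\SOFTWARE\Classes\CLSID,
    because an export may have been taken from either view.
    """
    results: List[Entry] = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        dll = None
        for root in (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"):
            sub = keys.get(f"{root}\\{clsid}\\InprocServer32")
            if sub and sub.get("(Default)"):
                dll = sub["(Default)"]
                break
        results.append((name, clsid, dll))
    return results


def flag_suspicious(entries: List[Entry]) -> List[Finding]:
    """Flag entries that match the worm's naming pattern or cannot be resolved."""
    flagged: List[Finding] = []
    for name, clsid, dll in entries:
        if dll is None:
            flagged.append((name, clsid, dll, "CLSID has no InprocServer32 in the export"))
            continue
        base = os.path.basename(dll.replace("\\", "/")).strip('"')
        if SUSPECT_DLL_NAME.match(base):
            flagged.append((name, clsid, dll, "DLL name matches ms??32.dll"))
    return flagged


def analyze_export(text: str) -> List[Finding]:
    """Parse, resolve and flag in one call (used by the test and by main)."""
    return flag_suspicious(resolve_ssodl(parse_reg_export(text)))


# Constructed sample export, not taken from a real system: a WebCheck-style
# entry, one pointing at ms4b32.dll, and one REG_EXPAND_SZ path ("C:\ok.dll").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"MsHelper"="{11111111-2222-3333-4444-555555555555}"
"Third"="{33333333-3333-3333-3333-333333333333}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InprocServer32]
@="%SystemRoot%\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\ms4b32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@=hex(2):43,00,3a,00,5c,00,6f,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00
"""

if __name__ == "__main__":
    # With no arguments the constructed sample is analysed; otherwise each
    # argument is a .reg file produced by "reg export" (UTF-16 with BOM).
    if len(sys.argv) == 1:
        text = SAMPLE_REG
    else:
        text = "".join(open(p, encoding="utf-16").read() for p in sys.argv[1:])
    for name, clsid, dll, why in analyze_export(text):
        print(f"{name} -> {clsid} -> {dll}: {why}")
```

On a Windows host, produce the inputs with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ssodl.reg` and `reg export HKCR\CLSID clsid.reg`, then run the script with both files as arguments. Because the virus hooks API functions to hide its files, an export taken from the running infected system may still be incomplete; one taken after booting clean media is more trustworthy.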
It sniffs traffic on specific ports and parses the transmissions according to their protocols (telnet, smtp, pop3, ftp, icq, irc, ...) to extract passwords; these protocols send credentials in the clear unless tunnelled over TLS.
This information is then used to spread the virus further: for instance, sending ICQ messages to the user's entire contact list on the user's behalf, or infecting web sites that the user happens to update over FTP, using the captured credentials. The virus also contains code to control the WebMoney Keeper program. It blocks access to sites whose names contain the following substrings:
In folders whose names contain "download", "upload", "incom" or "share", it places .zip archives with the following names:
Each archive contains a copy of the virus as websetup.exe.
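To hunt for these seeded archives, here is an added example (not part of the original description) that walks a directory tree and, for every .zip in a folder whose name contains one of the four substrings, reports the archive if it holds a member named websetup.exe in any internal directory and in any case. The sample tree it builds in a temporary directory is constructed for the demonstration; since the archive names themselves are not given on this page, the check keys on the member name only, and the `only_target_folders` switch lets you widen it to every folder.

```python
import os
import tempfile
import zipfile
from typing import List, Tuple

# Folder-name substrings the description says the worm targets.
TARGET_SUBSTRINGS = ("download", "upload", "incom", "share")
# Member name the description says the virus copy carries inside each archive.
PAYLOAD_NAME = "websetup.exe"


def is_target_folder(folder_name: str) -> bool:
    """True if the folder name contains any of the substrings the worm looks for."""
    n = folder_name.lower()
    return any(s in n for s in TARGET_SUBSTRINGS)


def find_seeded_archives(root: str, only_target_folders: bool = True) -> List[Tuple[str, str]]:
    """Return (zip_path, member) for every .zip under root that contains websetup.exe.

    With only_target_folders=True only folders matching TARGET_SUBSTRINGS are
    examined. Corrupt or non-zip files with a .zip extension are skipped.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        if only_target_folders and not is_target_folder(os.path.basename(dirpath)):
            continue
        for fn in files:
            if not fn.lower().endswith(".zip"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        # compare only the file name, whatever internal path it has
                        leaf = member.replace("\\", "/").rsplit("/", 1)[-1]
                        if leaf.lower() == PAYLOAD_NAME:
                            hits.append((path, member))
            except zipfile.BadZipFile:
                continue
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Constructed sample tree: a seeded archive in a share folder, a benign
    archive beside it, a seeded archive in a non-target folder, and a corrupt .zip."""
    share = os.path.join(base, "Shared Files")
    docs = os.path.join(base, "Documents")
    os.makedirs(share)
    os.makedirs(docs)
    with zipfile.ZipFile(os.path.join(share, "crack.zip"), "w") as zf:
        zf.writestr("setup/WebSetup.exe", b"MZ placeholder, not a real binary")
        zf.writestr("readme.txt", b"constructed sample")
    with zipfile.ZipFile(os.path.join(share, "photos.zip"), "w") as zf:
        zf.writestr("img.jpg", b"\xff\xd8\xff")
    with zipfile.ZipFile(os.path.join(docs, "keygen.zip"), "w") as zf:
        zf.writestr("websetup.exe", b"MZ placeholder, not a real binary")
    with open(os.path.join(share, "broken.zip"), "wb") as f:
        f.write(b"not a zip at all")


def run_demo(only_target_folders: bool = True) -> List[Tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it, and return hits with
    paths relative to the root (forward slashes) so results are portable."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), m)
                for p, m in find_seeded_archives(tmp, only_target_folders)]


if __name__ == "__main__":
    for path, member in run_demo():
        print(f"{path}: contains {member}")
```

Against a real file server, call `find_seeded_archives` on the share root; a match is a strong indicator, but the definitive check is to extract the member and scan it, since any archive can carry a file of that name.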
By hooking system API functions, the virus hides its process in memory and its files on disk.
2. Scan the computer with Dr.Web® Scanner or the free Dr.Web® CureIT! utility and apply the "Delete" action to all files found.