Win32.HLLC.Na Viruses Information
Name: Win32.HLLC.Na
Category: Viruses
Description:
Details
Win32.HLLC.Nan
It is a dangerous non-memory-resident companion Windows virus. It was named for the "INFNAN" text string found in its code. The virus itself is a Windows executable file about 90Kb in length, written in Delphi. When an infected file is executed, the virus spreads itself into the system. It looks for several files, copies them under other names (see below), and overwrites the original files with a copy of the virus. The affected files are as follows:
Infected file   Copied to      Directory
-------------   ------------   ---------
NOTEPAD.EXE     57381054.EXE   in the Windows directory
CDPLAYER.EXE    45123851.EXE   in the Windows directory
ACRORD32.EXE    57293711.EXE   Acrobat3\Reader
EUDORA.EXE      83747213.EXE   Eudora95
OUTLOOK.EXE     68493105.EXE   Program Files\Microsoft Office\Office
IEXPLORE.EXE    57385694.EXE   Program Files\Internet Explorer
NETSCAPE.EXE    27431087.EXE   Program Files\Netscape\Program
WINWORD.EXE     57120438.EXE   Program Files\Microsoft Office\Office
EXCEL.EXE       58192823.EXE   Program Files\Microsoft Office\Office
WINZIP32.EXE    01583754.EXE   Program Files\WinZip
ICQ.EXE         95821740.EXE
In the last case the virus reads the directory name from the system registry, from the key: Software\Mirabilis\ICQ\DefaultPrefs IcqPath.
The virus also creates copies of itself on the disks (including floppy disks) with the names WIN32APP.EXE, WINLOGIN.EXE, ZIPTOOLS.EXE. The copy of WIN32APP.EXE on the C: drive is then registered in the system registry as an "auto-run" utility:
Software\Microsoft\Windows\CurrentVersion\Run c:\Win32App.exe
The virus pays attention to anti-virus programs and terminates applications that have the names:
Norton AntiVirus Auto-Protect Trial Version
Norton AntiVirus Auto-Protect
AVP Monitor
Depending on the system time, the virus calls its payload routines, which reset the computer name and disk labels, and which look for *.URL files and replace them with new references (one of three possible references):
[InternetShortcut]
URL=http://www.hustler.com
URL=http://www.playboy.com
URL=http://www.penthouse.com
Depending on the system time, the virus also erases (overwrites with zero bytes and then deletes) the files
hosts
lmhosts
system32\drivers\etc\hosts
system32\drivers\etc\lmhosts
in the Windows directory. The virus also randomly calls routines that exit Windows, or create 700.000.000 directories with random names, or create the C:\DAPARTY.EXE file, write to it a copy of a file infected with "Win95.CIH" and then execute it, or display the message box:
Greets to VirusBuster: darknode@oninet.es
Congratulations, you have Win32.Prurient.Torturous.Pain