Details
Win32.HLLW.Nulock
This is a dangerous Win32 worm written in Delphi, about 300K in length. The worm installs itself into the system, stays in Windows memory as a process (visible in the task list), and then, after delays randomly selected from 10 to 20 minutes, copies itself to the A: drive (if a disk is inserted).
The worm does not access any other files, and does not spread in any other way.
While installing into the system and copying to the A: drive, the virus generates random names for its copy, for example:
DOLE.EXE, JFMCQRL.EXE, PLNTGS.EXE, ETZBQVT.EXE, JDESH.EXE, WJPIOR.EXE
While installing into the system, the worm copies itself with a random name and .DLL extension to the Windows directory, and registers that copy in the system registry in the auto-run section:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NumLock"="value"
The "value" data depends on the name of the worm's copy, for example:
NumLock = "windir\dole.dll"
NumLock = "windir\jfmcqrl.dll"
NumLock = "windir\plntgs.dll"
where "windir" is the Windows directory.
To let Windows run that DLL file as an ordinary application, the worm also creates the registry key:
HKCR\dllfile\shell\open\command
and writes there a value that is standard for running Windows EXE files.
On Tuesdays at 10:30, the virus erases the registry files:
USER.DAT, SYSTEM.DAT, USER.DA0, SYSTEM.DA0
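The two registry changes described above can be checked for in an exported .reg file. The following is an added example, not part of the original description: the function names, the indicator labels and the sample export are constructed, and the sample assumes the Windows directory is C:\WINDOWS and that the "standard" EXE handler value is `"%1" %*`.

```python
import re

# Key paths named in the description, lowercased for comparison.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
DLL_OPEN_KEY = r"hkey_classes_root\dllfile\shell\open\command"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample export, not taken from a real infected machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NumLock"="C:\\WINDOWS\\jfmcqrl.dll"

[HKEY_CLASSES_ROOT\dllfile\shell\open\command]
@="\"%1\" %*"
'''

def unescape(s):
    """Undo the backslash escaping used in .reg string values."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            current[name] = unescape(m.group(2))
    return keys

def find_indicators(text):
    """List (indicator, data) pairs matching the two registry changes."""
    keys, hits = parse_reg(text), []
    for name, data in keys.get(RUN_KEY, {}).items():
        target = data.strip().strip('"').lower()
        # A Run entry that starts a .dll directly, without rundll32.
        if target.endswith(".dll") and "rundll32" not in target:
            kind = "run-numlock-dll" if name.lower() == "numlock" else "run-bare-dll"
            hits.append((kind, data))
    handler = keys.get(DLL_OPEN_KEY, {}).get("@", "")
    if "%1" in handler:  # dllfile "open" verb executes the file itself
        hits.append(("dllfile-open-handler", handler))
    return hits
```

Because the worm's file name is random, the check keys on the value name and on a bare .dll target rather than on any particular file name.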