mwblog.org

Virus Win32/HLLP.Philis.fv



1. Summary:

Philis.fv is a virus that infects executable (*.exe) files found on the local computer. It also drops a dynamic-link library (DLL) that downloads a trojan horse from the Internet; that trojan is intended to gather user passwords (a so-called "password stealer").


Aliases:

Kaspersky: Worm.Win32.Viking.gp
Symantec: W32.Looked.BK
Trend Micro: PE_LOOKED.TE-O


2. Detailed description:

Philis.fv is a Win32 virus written in Borland Delphi that infects executables found on the local computer. It infects a file by first reading the file's original content, then writing its own roughly 91 kB body at the beginning of the file and appending the original content right after it. This technique is called a "prepending virus". It ensures that when the file is executed the virus code runs first; the virus then hands control back to the original program so that the host appears to work normally.
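The prepending layout described above (virus body first, untouched host right behind it) is what makes such infections recognisable and, in principle, reversible: the original host still has its own DOS and PE headers at a fixed offset inside the infected file. The following Python script is an added example, not code from the original post or from the author; it builds constructed stand-in files (not real programs and not the real virus) and shows how to locate the embedded host and split it out again. The body length of about 91 kB is taken from the text and treated as an assumption, so the locator falls back to scanning for a second embedded PE header when the expected offset does not match.

```python
import struct
from typing import Optional

# Assumption taken from the page: the virus body is "about 91 kB". A real
# sample may differ, so this is the first offset tried, not the only one.
VIRUS_BODY_LEN = 91 * 1024


def build_fake_pe(payload: bytes) -> bytes:
    """Build a minimal, non-executable stand-in for a PE file: a DOS header
    whose e_lfanew field (offset 0x3C) points at a 'PE\\0\\0' signature,
    followed by arbitrary filler. Constructed for this example only."""
    e_lfanew = 0x80
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    return bytes(dos_header) + b"PE\x00\x00" + payload


def looks_like_pe(data: bytes, offset: int) -> bool:
    """True if a DOS header at `offset` points at a valid PE signature."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    pe_off = offset + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def find_prepended_host(data: bytes, body_len: int = VIRUS_BODY_LEN) -> Optional[int]:
    """Return the offset of the original host inside a prepender-infected
    file, or None if no embedded host is found.

    The outer file must itself be a PE (the virus body is an executable).
    The expected body length is tried first; if the body turns out to be a
    different size, fall back to scanning for a second DOS header whose
    e_lfanew points at a PE signature."""
    if not looks_like_pe(data, 0):
        return None  # not a PE file at all, so not a prepender infection
    if looks_like_pe(data, body_len):
        return body_len
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if looks_like_pe(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def recover_host(data: bytes) -> Optional[bytes]:
    """Cut the prepended body away and return the original host bytes."""
    off = find_prepended_host(data)
    return None if off is None else data[off:]


if __name__ == "__main__":
    host = build_fake_pe(b"original program bytes")
    body = build_fake_pe(b"\x90" * (VIRUS_BODY_LEN - 0x84))  # pad to 91 kB
    infected = body + host
    print("host found at offset", find_prepended_host(infected))
    print("recovered host intact:", recover_host(infected) == host)
```

The fallback scan is a heuristic: a clean installer or self-extracting archive also carries an embedded PE image, so a hit from the scan alone is not proof of infection. In practice the scan result would be combined with a signature check on the prepended body before any file is "cleaned", which is one reason the post's cleaning section defers to an antivirus product.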

After execution, Philis.fv copies itself to a location such as:

%WINDOWS%\uninstall\rundl132.exe (note that the second "l" of "rundll32" is replaced by the digit 1, so the name passes for the legitimate rundll32.exe at a glance).

It then drops following file in the %WINDOWS% directory:

%WINDOWS%\RichDll.dll

This library is injected into the Explorer.exe process. Running inside Explorer.exe, it can download the trojan horse without the user noticing any suspicious activity, since the network traffic appears to come from a trusted system process.

The downloaded trojan horse is stored in the TEMP directory under the name:

%USERPROFILE%\Local Settings\Temp\nuj9.dll

To protect itself it also drops a kernel driver (.sys file):
%USERPROFILE%\Local Settings\Temp\[Random Name].sys

This driver hooks the "System Service Descriptor Table" (SSDT) and redirects the entries for the functions "NtEnumerateKey", "NtEnumerateValueKey" and "NtOpenProcess" to itself. By filtering these calls it can remove its own keys from registry enumeration and refuse handles to its own processes, so that its processes and registry keys are hidden from tools such as the Task Manager, the Registry Editor and antivirus scanners running on the infected machine.

It searches through the running processes and immediately terminates any with one of the following names:

EGHOST.EXE
IPARMOR.EXE
KAVPFW.EXE
MAILMON.EXE
mcshield.exe
Ravmond.EXE
regsvc.exe
It also stops the service "Kingsoft AntiVirus".

The virus adds the following keys and value to the registry:

[HKLM\SOFTWARE\Microsoft\DownloadManager]
[HKLM\SOFTWARE\Soft\DownloadWWW]
"auto" = "1"

3. Spreading:

Philis.fv also tries to spread through the local network. It searches the whole subnet for active computers by sending each address an ICMP echo request (ping) with a "Hello, World" payload and waiting for a reply. If a host replies, the virus tries to access the ADMIN$, IPC$ and other shares that are likely to exist on the remote computer, and it infects all the executables found on those shares.
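The ping sweep described above is the part of this virus that is easiest to spot from the network side: a single host sending ICMP echo requests with the same "Hello, World" payload to one address after another across the subnet. The following Python script is an added example, not code from the original post; it constructs a few sample IPv4/ICMP packets (labelled as constructed, not captured from the real worm), parses them, verifies the ICMP checksum so that corrupt packets are not counted, and reports sources that probed several distinct destinations. The payload string and the idea that a sweep rather than a single ping is the signal come from the text; the packet builder, the threshold and all addresses are assumptions for the example.

```python
import struct
from typing import Dict, Iterable, List, Set

# Payload taken from the page's description of the scanning probe.
PROBE_PAYLOAD = b"Hello, World"
ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, payload: bytes,
                       ident: int = 1, seq: int = 1) -> bytes:
    """Build an IPv4 packet carrying an ICMP echo request.
    Constructed test traffic for this example, not a capture of the worm."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp),
                         0, 0, 64, 1, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def is_philis_probe(packet: bytes) -> bool:
    """True if `packet` is an IPv4 ICMP echo request whose payload starts
    with the 'Hello, World' probe string and whose ICMP checksum verifies.
    A damaged packet is rejected rather than guessed at."""
    if len(packet) < 28 or (packet[0] >> 4) != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:  # IP protocol number 1 is ICMP
        return False
    total_len = struct.unpack_from("!H", packet, 2)[0]
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return False
    if inet_checksum(icmp) != 0:  # a valid checksum folds to zero
        return False
    return icmp[8:].startswith(PROBE_PAYLOAD)


def find_scanners(packets: Iterable[bytes], threshold: int = 3) -> List[str]:
    """Return source addresses that sent the probe to at least `threshold`
    distinct destinations. One matching ping is ambiguous; a sweep across
    many neighbours is the behaviour the page describes. The threshold
    value is an arbitrary assumption for the example."""
    seen: Dict[str, Set[str]] = {}
    for pkt in packets:
        if is_philis_probe(pkt):
            src = ".".join(str(b) for b in pkt[12:16])
            dst = ".".join(str(b) for b in pkt[16:20])
            seen.setdefault(src, set()).add(dst)
    return sorted(s for s, dsts in seen.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    # Constructed sample: one host sweeping 192.168.1.1-5, one normal ping.
    sample = [build_echo_request("192.168.1.10", "192.168.1.%d" % i, PROBE_PAYLOAD)
              for i in range(1, 6)]
    sample.append(build_echo_request("192.168.1.20", "192.168.1.1", b"abcdefgh"))
    print("suspected scanners:", find_scanners(sample))
```

The same logic maps directly onto an IDS signature (ICMP type 8 with that payload), but on a live network the threshold matters more than the string: a legitimate monitoring tool can also ping with a fixed payload, whereas a host that pings every address on the subnet and then opens ADMIN$ on the ones that answer is the pattern worth alerting on.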

It marks a share as already infected by creating a "_desktop.ini" file in the root directory of the share.

4. Cleaning:

Manual cleaning is not possible. I recommend using an antivirus for a complete and safe removal of this infiltration.

Advice:

If you want to prevent infection over the network, create the "_desktop.ini" marker file in the root directory of all your shares. The virus will then assume it has already infected the share and leave the executables on it alone. Note that this only blunts the spreading described in section 3: running an infected executable locally still infects the machine.

[03/05/2007 11:08] permanent link
