Virus.Win32.HLLP.Imel
Alert Level: High
Discovered: Aug 20 2001
Tag: Executable File and Boot Viruses
Discoverer and Source: http://www.kaspersky.com/
Malware Behavior and Technical Description
This is a Win32 virus infecting Win32 PE EXE files (Win32 applications), spreading via floppy disks. The worm itself is a Win32 PE EXE application written in Visual Basic.
The worm looks for EXE files in the current directory and writes itself to the beginning of each file. The worm then copies itself to two files in the system:
C:\Game32.exe
C:\WINDOWS\Game32.exe
The second file is then registered in the auto-run registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Imelda = c:\WINDOWS\GAME32.exe
To spread via floppy disks, the worm copies itself to the A: drive under the name A:\imel.exe and creates an additional A:\autoexec.bat file. This file contains a command that copies the worm from the A: drive to C:\Game32.exe and to the Windows auto-run directory, "c:\windows\startm~1\programs\startup\Game32.exe".
The worm then displays the text "Win32.IMELDA.A" in the center of the screen.
On the 8th and 12th of any month, the worm creates two links to a Web page and email address on the Desktop:
http://www.indovirus.8m.net
mailto:iwing@iwing-homebase.org
The virus then displays the following message:
Win32.Imelda.A
Hi... There, this is my Day to go Around the world
Just click OK and well do the rest.... :)
Visit me at http://www.indovirus.8m.net or
http://www.geocities.com/indohacker2001,
for serum - Mailto:iwing@iwing-homebase.org
Removal Virus.Win32.HLLP.Imel instructions:

