Virus.Win32.HLLW.Bezilom

tag: Executable File and Boot Viruses


This is a harmless, non-memory-resident parasitic Win32 virus. The worm consists of three components, all of which are Windows PE EXE files written in Visual Basic:

Natasha.exe - 143K, the virus dropper, which was spammed to several email conferences in the middle of February 2002

Maria.doc.exe - 29K, this is the virus itself

MacroSoftBL.exe - 70K, this is a fake anti-virus program (decoy)

When the dropper is executed, it drops the two other components and runs them:

File1: "PKGF320.exe" in Windows TEMP directory.

File2: "MacroSoftBL.exe" in "Program Files\MacroSoftBL" directory, with the Hidden and System attributes set.

The Virus

When the virus copy is run, it moves itself to the Windows directory with the "Maria.doc.exe" name (with many spaces in the name between "doc" and "exe"). This file is then registered in the system registry auto-run key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run StartUp = %WindowsDir%\Maria.doc ... .exe

with many spaces in the name between "doc" and "exe".

The virus then copies itself under a random name (like CMZYMZ.EXE, HUHHBG.EXE) to the root directories of the available drives, and creates an AUTOEXEC.BAT file there with one instruction that runs the virus copy in the same directory.
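A defender-side check for the two persistence artefacts described above, as an added example that is not part of the original entry: it flags Run-key values whose file name hides an executable extension behind whitespace padding, and drive roots where AUTOEXEC.BAT holds a single instruction launching an executable in the same directory. The input dictionaries, the 40-space padding, the decoy-extension list and the function names are constructed for illustration.

```python
import re

# Decoy document extension, optional whitespace padding, then a real executable
# extension. The extension lists are assumptions, not taken from the entry.
DOUBLE_EXT = re.compile(
    r"\.(doc|rtf|txt|pdf|xls|jpg)(\s*)\.(exe|scr|com|pif)$", re.IGNORECASE)

def padded_double_ext(path):
    """Return the padding length if path ends in '<doc-ext><spaces>.<exe-ext>', else None."""
    m = DOUBLE_EXT.search(path.strip().strip('"'))
    return len(m.group(2)) if m else None

def suspicious_run_values(run_values):
    """run_values: {value name: command} as read from a Run key. Returns flagged names."""
    return sorted(n for n, cmd in run_values.items()
                  if padded_double_ext(cmd) is not None)

def autoexec_launches_local_exe(root_files):
    """root_files: {file name: text content or None} for one drive root.
    Returns the executable's name when AUTOEXEC.BAT holds exactly one
    instruction and that instruction runs a file present in the same root."""
    names = {n.upper(): c for n, c in root_files.items()}
    bat = names.get("AUTOEXEC.BAT")
    if not bat:
        return None
    lines = [l.strip() for l in bat.splitlines() if l.strip()]
    if len(lines) != 1:
        return None
    tokens = lines[0].lstrip("@").split()
    if not tokens:
        return None
    target = tokens[-1].strip('"').split("\\")[-1].upper()
    if "." not in target:
        target += ".EXE"  # a batch file may name the program without its extension
    return target if target in names else None

# Constructed sample data modelled on the behaviour described in the entry.
RUN_KEY = {
    "StartUp": r"C:\WINDOWS\Maria.doc" + " " * 40 + ".exe",
    "SysTray": r"C:\WINDOWS\System32\systray.exe",
}
ROOT_C = {"AUTOEXEC.BAT": "CMZYMZ.EXE\r\n", "CMZYMZ.EXE": None, "CONFIG.SYS": ""}
ROOT_D = {"AUTOEXEC.BAT": "@echo off\r\nset PATH=C:\\DOS\r\n", "SETUP.EXE": None}

if __name__ == "__main__":
    print("Run values to review:", suspicious_run_values(RUN_KEY))
    for label, root in (("C:", ROOT_C), ("D:", ROOT_D)):
        print(label, "AUTOEXEC.BAT launches:", autoexec_launches_local_exe(root))
```

On a live system the dictionaries would be filled from the Run key and from a listing of each drive root; a hit is a lead for review, since a legitimate AUTOEXEC.BAT can also consist of a single line.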

©Virus-Encyclopedia.com All Rights Reserved.