December 18th, 2005
Gnutella Jewel
Join Date: August 24th, 2004
Location: stasis field
Posts: 77
Re: It's yet another virus - W32.HLLW.Purol

pfft! Norton Antivirus caught this in mid-download, so it never completed. However, I have been caught once by spamware which flew below Norton's radar, and later was caught by Ad Aware (not AA's fault, I thought that permission was being asked for something legit & granted it). Now, it's no more decisions on the sleep-deprivation diet.

No way am I a programmer; although I briefly went to a programming blender school (mix 'em up, churn 'em out, dump the dregs, take the $), as a programmer, I make an excellent coffee cocktail.

Quote: Originally posted by mstfyd
Found on the program (T-42832-)hacking tools 2002.exe
W32.HLLW.Purol
Type: Worm
Infection Length: 38,225 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, OS/2, UNIX, Linux
Virus Definitions (Intelligent Updater) April 11, 2003
Damage - Payload: Deletes files: Attempts to delete directories belonging to several Antivirus programs.
Distribution - Shared drives: Attempts to spread through various file-sharing networks.
When W32.HLLW.Purol runs, it does the following:
Attempts to delete all the files from the following folders:
C:\Progra~1\eSafe\Protect
C:\Progra~1\McAfee VirusScan
C:\Progra~1\NORTON~1
C:\Progra~1\Acceleration Software\Anti-Virus
C:\Progra~1\F-prot
C:\Progra~1\Mcafee
C:\Progra~1\Kasper~1
C:\Progra~1\Avpersonal
C:\Progra~1\Bullguard
Adds the value:
"Winstart"="c:\windows\winstart32.exe"
to the following registry keys:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
Checks the following folders:
C:\Windows\Myshares
C:\Program Files\Icq\Shared Files
C:\Program Files\Bearshare\Shared
C:\Program Files\Morpheus\My Shared Folder
C:\Program Files\Edonkey2000\Incoming
C:\Program Files\Gnucleus\Downloads
C:\Program Files\Gnucleus\Downloads\Incoming
C:\Program Files\Kazaa\My Shared Folder
C:\Program Files\Kazaa Lite\My Shared Folder
C:\Program Files\Limewire\Shared
Then, the worm copies itself to any of the folders that it finds.
It also adds registry values to all of the above, then happily sets about procreating. More details, plus how to remove it manually, can be found at the Symantec site (among others). 2 viruses (virii?) in 2 days. Geez, I feel like one of those bomb-sniffing dogs!
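An added example, not part of the original post or of the quoted write-up: a triage check for the two host indicators listed above, the "Winstart" autostart value and 38,225-byte executables sitting in file-sharing folders. It assumes the registry is supplied as `.reg` export text; the function names and the sample export (including the "Updater" entry) are constructed for illustration.

```python
import os
import re

# Indicators as quoted in the post above.
RUN_KEYS = {
    r"hkey_users\.default\software\microsoft\windows\currentversion\run",
    r"hkey_users\.default\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME, VALUE_DATA = "winstart", r"c:\windows\winstart32.exe"
INFECTION_LENGTH = 38225  # bytes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # undo .reg escaping of backslashes and quotes
    return re.sub(r"\\(.)", r"\1", s)

def find_run_entries(reg_text):
    """Return (key, data) for each autostart value matching the quoted entry."""
    hits, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key.lower() in RUN_KEYS:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if name.lower() == VALUE_NAME and data.lower() == VALUE_DATA:
                hits.append((key, data))
    return hits

def find_suspect_files(folders):
    """Return .exe paths whose size equals the quoted infection length."""
    hits = []
    for folder in filter(os.path.isdir, folders):
        for entry in os.scandir(folder):
            if (entry.is_file() and entry.name.lower().endswith(".exe")
                    and entry.stat().st_size == INFECTION_LENGTH):
                hits.append(entry.path)
    return sorted(hits)

# Constructed sample export, not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Winstart"="c:\\windows\\winstart32.exe"
"Updater"="c:\\program files\\vendor\\update.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Winstart"="C:\\WINDOWS\\winstart32.exe"
'''
print(find_run_entries(SAMPLE_REG))
```

Regedit's version 5.00 exports are UTF-16, so read a real export with `encoding="utf-16"` before passing it in. A file-size match alone is only a lead for further inspection, since unrelated executables can share the same length.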