Worm:Win32/Helompy.D
First posted on 07 January 2012.
Source: Microsoft
Aliases:
Worm:Win32/Helompy.D is also known as Win32.HLLW.Napad (Dr.Web), Worm.Win32.AutoRun.argc (Kaspersky), W32/YahLover.worm.gen (McAfee), Troj/AutoIt-JO (Sophos), W32.SillyDC (Symantec), Mal_OtorunN (Trend Micro).
Explanation:
Worm:Win32/Helompy.D is a worm that spreads to removable drives as a file named "subst.exe".
Installation
Worm:Win32/Helompy.D may appear as a file folder. When executed, the worm simulates opening a file folder by the same name, as in the following example:
The worm creates a folder in the root of the system drive, named "win", with the 'hidden' and 'system' attributes set. The worm drops a copy of itself as the following file and runs the dropped copy:
- C:\win\lsass.exe
When the worm runs, it creates a hidden window with the title "HeloMyPrc". The worm checks whether a window with this title is already present (that is, whether a copy is already running); if not, it runs the following files, which are presumed to be copies of the worm:
- C:\win\lsass.exe
- D:\Programs\lsass.exe
The registry is modified so that the dropped copy runs at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "run32"
With data: "C:\win\lsass.exe"
Spreads via removable drives
Worm:Win32/Helompy.D drops a copy of itself to removable drives as a file named "subst.exe". The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
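As an added defensive example (not part of the Microsoft write-up), the following Python checks two of the indicators described above: an autorun.inf whose launch entries point to "subst.exe", and a Run-key value named "run32" or pointing at one of the dropped lsass.exe copies. The sample autorun.inf text and the registry value dictionary are constructed for the example; the function names are the example's own.

```python
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
WORM_DROPPED_COPIES = {r"c:\win\lsass.exe", r"d:\programs\lsass.exe"}
RUN_KEY_VALUE_NAME = "run32"
REMOVABLE_COPY_NAME = "subst.exe"

# autorun.inf keys whose value names a program to launch.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_inf(text):
    """Return {key_lower: value} for the [autorun] section of an autorun.inf."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_launch_targets(text):
    """File names of every program an autorun.inf would launch, in file order."""
    targets = []
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            exe = value.strip('"').split()[0].strip('"')  # drop quotes and arguments
            targets.append(PureWindowsPath(exe).name.lower())
    return targets


def autorun_points_to_worm(text):
    return REMOVABLE_COPY_NAME in autorun_launch_targets(text)


def suspicious_run_values(run_values):
    """run_values: {value_name: data} read from HKLM\\...\\CurrentVersion\\Run."""
    hits = []
    for name, data in run_values.items():
        path = data.strip().strip('"').lower()
        if name.lower() == RUN_KEY_VALUE_NAME or path in WORM_DROPPED_COPIES:
            hits.append((name, data))
    return hits


# Constructed samples: an autorun.inf as the worm would write it, and a Run key listing.
SAMPLE_AUTORUN_INF = "[autorun]\nopen=subst.exe\nshellexecute=subst.exe\nshell\\open\\command=subst.exe\nicon=%SystemRoot%\\system32\\shell32.dll,4\n"
SAMPLE_RUN_VALUES = {"run32": r"C:\win\lsass.exe", "OneDrive": r"C:\Users\u\OneDrive.exe /background"}
```

On a live system the same checks would be fed from a mounted removable drive's autorun.inf and from the Run key's values; a match on either indicator warrants isolating the host and the drive.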
Analysis by Haoran Yu
Last update 07 January 2012