Win32.HLLM.Generic.276

(W32/Generic.a@MM, Email-Worm.Win32.VB.br, Parser error, Email-Worm.Win32.generic, I-Worm/Traxg.A, Win32.Traxgy.A@mm, Win32/Wukill.AH@mm, Win32/Traxg.A!Worm, W32.Traxg@mm, WORM_WUKILL.GEN, WORM_TRAXG.A)

Added to the Dr.Web virus database: 2004-02-27

Virus description added:

Description

Win32.HLLM.Generic.276 [aka Wullik] is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm is written in the high-level programming language MS Visual Basic. The UPX-packed program module of the worm is 49,152 bytes in size.

Spreading

The worm attempts to spread through MS Outlook. It tries to send copies of itself to all the addresses found in the local Windows Address Book. A mail message infected with the worm may look as follows:

The subject and the message body are composed in Chinese.

Attachment: MShelp.EXE

Action

When activated, the worm creates a copy of itself named Mstray.exe in the Windows folder (C:\Windows in Windows 9x/ME/XP, C:\WINNT in Windows NT/2000) and amends the following registry entry accordingly:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"RavTime" = "%WinDir%\Mstray.exe"
which ensures that it runs automatically at every Windows startup. The same value is also added to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup

The worm performs the following actions in the affected system:

  • It copies itself as winfile.exe to the floppy drive A.
  • It disables viewing of hidden and system files by modifying the registry entry
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance
    Hidden=0
  • It displays the following message on the computer screen:
    Title: Warning!
    Text: This File Has Been Damage!
  • If a user opens an Explorer window whose title bar points to the location the worm has copied itself to, the worm copies itself to another location as a randomly named file and deletes its copy from the previous location.
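
The registry changes described above can be checked offline against a regedit text export. The following Python sketch is an added example, not part of the original description: the function names and the sample export are constructed for illustration, and it assumes the standard "Windows Registry Editor Version 5.00" export layout.

```python
import re

# Indicators taken from the description above; key paths are compared case-insensitively.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup",
)
# The description prints this key as ...\Explorer\Advance; the stock Windows key is
# ...\Explorer\Advanced, so both spellings are accepted below.
HIDDEN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg_export(text):
    """Parse regedit export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # unescape REG_SZ backslashes
            current[m["name"].lower()] = data
    return keys

def find_indicators(text):
    """Return a list of findings that match the registry changes listed above."""
    keys, hits = parse_reg_export(text), []
    for key in RUN_KEYS:
        data = keys.get(key.lower(), {}).get("ravtime")
        if data is not None and data.lower().endswith("\\mstray.exe"):
            hits.append(f"autostart: {key}\\RavTime -> {data}")
    for suffix in ("", "d"):
        data = keys.get((HIDDEN_KEY + suffix).lower(), {}).get("hidden")
        if data is not None and re.fullmatch(r"dword:0+", data):
            hits.append(f"hidden files disabled: {HIDDEN_KEY + suffix}\\Hidden = 0")
    return hits

# Constructed sample export (not captured from a real system).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RavTime"="C:\\WINDOWS\\Mstray.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
'''
if __name__ == "__main__":
    print("\n".join(find_indicators(SAMPLE)))
```

A match on the registry values alone is a lead, not a verdict; confirm it by checking for Mstray.exe in the Windows folder.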