Description
Win32.HLLM.Generic.276 [aka Wullik] is a mass-mailing worm which affects computers running under Windows 95/98/Me/NT/2000/XP operating systems. The worm is written in high-level programming language MS Visual Basic. The size of the program module of the worm, UPX-packed, is 49, 152 bytes.
Spreading
The worm makes attempts to disseminate through MS Outlook. It tries to dispatch its viral copies to all the addresses found in local Windows Address Book. The mail message infected with the worm may look as follows:
The subject and the message body are composed in Chinese.
Attachment: MShelp.EXE
Action
Being activated, the worm creates its copy named Mstray.exe in the Windows folder (in Windows 9x/ME/XP it’s C:\Windows, in Windows NT/2000 it’s C:\WINNT ) Mstray.exe and amends accordingly the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"RavTime" = "%WinDir%\Mstray.exe"
which secures its automatic execution at every Windows startup.
The same value as above is added to the following registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
The worm performs the following actions in the affected system:
- It copies itself as winfile.exe to the floppy drive А.
-
It disables viewing of hidden and system files by modifying the registry entry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advance
Hidden=0 - It displays the following message on the computer screen:
Title: Warning!
Text: This File Has Been Damage! - If a user through Explorer opens a window the title bar of which points to the same location the worm has copies itself to, the worm copies itself to another location as a randomly named file and deletes its copy from the previous location.
