
Win32.HLLM.Bihup

(Win32/Weko.C@mm, Win32/Updater.D!Worm, Win32.Worldcup.C@mm, W32/Bihup.worm, Email-Worm.Win32.Updater.d, WORM_BIHUP.A, I-Worm/Updater.D, W32.AJM.Worm, Worm/Updater.D)

Added to the Dr.Web virus database: 2002-08-07

Virus description added:

Description

Win32.HLLM.Bihup is a mass-mailing worm that affects computers running Windows 95/98/ME/NT/2000/XP.
The worm propagates via e-mail to the sender addresses of unread (or marked as unread) messages found in the MS Outlook Express mail client on the infected computer.
The worm's payloads trigger on several dates and whole time intervals derived from the infected computer's system time. On its trigger dates it either displays various bogus messages on the screen, freezes the cursor, or restricts mouse movement and swaps the mouse buttons.

Launching

The worm is activated only if the user launches the attachment file.

To ensure that it runs automatically at every system reboot, it adds the value Explorer32 = %System%\[one of the copy file names listed under Action] to the registry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

(where %System% is the Windows system folder). This registry value is rewritten every time the worm activates, so the file name of one viral copy replaces that of the previous one.

Spreading

Win32.HLLM.Bihup propagates via e-mail using MAPI (Mail Application Programming Interface).
Once activated after the system restart, the worm searches for an active Microsoft Outlook Express process and, if it finds one, begins sending its viral copies to the addresses found in unread (or marked as unread) messages of this mail client. The worm's copies are sent as executable-file attachments to such messages. The worm chooses the attachment name depending on the system clock; the names may be:

2002.exe
Go Korea.exe
Heddink.exe
RedDevil.exe
WorldCup.exe
In addition, the attachment may carry a Korean file name that renders correctly only on systems with Korean fonts installed. The subject and body of the message may be in either English or Korean. The attachment is about 176 KB in size.

Action

When first run, it does not manifest itself in any way, but it places several copies of itself in the Windows system folder (by default C:\Windows\System on Windows 95-Me and C:\Winnt\System32 on Windows NT/2000/XP):

BihUpdate.exe
MsCrt32.exe
Temp32.exe
SysRtw2.exe
User32Rem.exe
UserGDL.exe
Win32.Dll.exe
Another viral copy, Krn32Dll.exe, is placed in the Windows folder.

The worm becomes active only after Outlook Express is run. If it cannot send its copy, it stays in memory and waits for Outlook Express to be launched. After the propagation procedure is over, the worm performs other actions depending on the system date of the infected system:

  1. On Thursdays it displays a system message written in Korean with the title Message From A.
  2. In June, after the self-propagation procedure, it displays in the Outlook Express program window a message written in Korean and English: Here We Go! World Cup Corea!
  3. On January 1 it restricts cursor movement to a one-pixel square, so the cursor appears "frozen".
  4. On July 7 it performs the same action.
  5. In November the worm swaps the mouse button functions.
  6. In December it tiles all the windows open in the system.
Having performed these actions, the worm terminates its activity for the current Windows session.
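A defensive check for the Explorer32 persistence value (Launching) and the dropped copies (Action) described above, added here as an example that is not part of the Dr.Web description. The Run-key snapshot and directory listings below are constructed; on a live Windows host they would be obtained with the winreg module and os.listdir.

```python
# Added example (not Dr.Web's code): flag the persistence value and dropped
# file names described in this profile, given a snapshot of the HKLM Run key
# and directory listings. All sample data below is constructed.

BIHUP_SYSTEM_COPIES = {
    "bihupdate.exe", "mscrt32.exe", "temp32.exe", "sysrtw2.exe",
    "user32rem.exe", "usergdl.exe", "win32.dll.exe",
}
BIHUP_WINDOWS_COPY = "krn32dll.exe"
RUN_VALUE_NAME = "explorer32"


def find_bihup_indicators(run_values, system_dir_files, windows_dir_files):
    """Return a list of (kind, detail) findings; an empty list means no indicator."""
    findings = []
    # Persistence: Explorer32 = %System%\<one of the dropped copies>
    for name, data in run_values.items():
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME and target in BIHUP_SYSTEM_COPIES:
            findings.append(("run_key", f"{name} = {data}"))
    # Dropped copies in the system folder and in the Windows folder
    for f in system_dir_files:
        if f.lower() in BIHUP_SYSTEM_COPIES:
            findings.append(("system_copy", f))
    for f in windows_dir_files:
        if f.lower() == BIHUP_WINDOWS_COPY:
            findings.append(("windows_copy", f))
    return findings


# Constructed host state (hypothetical, not taken from a real infection)
SAMPLE_RUN_VALUES = {
    "Explorer32": r"C:\WINNT\System32\MsCrt32.exe",
    "SystemTray": r"C:\WINNT\System32\SysTray.Exe",
}
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "MsCrt32.exe", "SysRtw2.exe", "user32.dll"]
SAMPLE_WINDOWS_DIR = ["explorer.exe", "Krn32Dll.exe"]


def scan_sample():
    """Run the check against the constructed snapshot."""
    return find_bihup_indicators(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_DIR, SAMPLE_WINDOWS_DIR)


if __name__ == "__main__":
    for kind, detail in scan_sample():
        print(f"[{kind}] {detail}")
```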