The 'Win32.HLLO.Mip' is a Windows-based overwriting virus created
with Visual Basic 6. The virus is a PE EXE file 36384 bytes long.
The virus is not encrypted or polymorphic. The virus requires
MSVBVM60.DLL library to be present in system in order to run. The
virus doesn't work if Windows is installed in folder named other
than 'C:\Windows' as this data is hardcoded in virus body. The
origin of the virus is most likely Uruguay judging from texts
inside the virus and the effects it manifests itself with.
When an infected file is run for the first time, the virus first
opens Notepad and prints an e-mail address there (most likely the
e-mail address of virus creator). Then the virus installs itself
to system as RUNDII32.EXE file. This file has Read-Only, Hidden
and System attributes and won't be seen in Windows Explorer with
default settings. The RUNDII32.EXE file is created in
\Windows\System\ folder and SYSTEM.INI file is modified so the
file that virus drops is always executed when Windows starts. The
viru s modifies '[BOOT]' section in SYSTEM.INI file and adds its
execution string at the beginning of the [BOOT] section.
Then the virus installs itself to memory - its task is visible in
Task Manager as 'Calculadora', 'Texto', 'Paint', 'Kernel32',
'Windows', 'MI PC' or with some other names. The virus doesn't
allow to kill its task from Task Manager. Multiple essences of
the virus might be present in memory.
At startup the virus corrupts (zeroes length) or deletes
ATTRIB.EXE, EDIT.COM, FORMAT.COM, DELTREE.EXE, EBD.CAB,
MSCDEX.EXE and APPWIZ.CPL files. Being active in memory the the
virus doesn't allow the above listed files to be restored and it
also constantly (every few seconds) checks for ATTRIB.COM,
DELTREE.COM, APPWIZ.CPL and EBD.CAB files and if they appear,
sets Read-Only, Hidden and System attributes to them. The virus
sets Read-Only, Hidden and System attributes to MSVBVM60.DLL
library on both hard dis k and floppy disk (if file is found
there). When a user tries to run REGEDIT.EXE file from \Windows\
folder, a message 'Another program is currently using this file.'
appears and the Registry Editor is not executed.
The virus creates its own key in the Registry and keeps its
decimal counter there:
HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones
HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones\Conteo
When a counter reaches certain value (larger than 90) the virus
displays a messagebox with 'Curiosidad5' caption and 'Uruguay'
text. When a user clicks OK button, the virus opens Notepad and
starts to constantly output 'Curiosidad5, Uruguay, 2001,
CurisidadN@yahoo.com' message there. After the user closes
Notepad, the virus replaces the contents of AUTOEXEC.BAT with
commands that should output a message in Spanish and delete all
files from hard disk C: on next system startup. Finally the virus
tries to rest art a system or makes it unusable so a user has to
restart it himself.
When a floppy drive is accessed the virus tries to copy itself
there with the following names: README.EXE, GRATIS.EXE,
LEEME.EXE, TRUCOS.EXE, TEXTO.EXE, NOTAS.EXE, FREE.EXE, AVISO.EXE,
DEMO.EXE, SOFTWARE.EXE, SHAREWARE.EXE, CHISTES.EXE, LEER.EXE,
!WARING!.EXE, !DANGER!.EXE, FREEWARE.EXE, PASSWORD.EXE, CLAVE.EXE
and CONTRASENA.EXE. The virus doesn't infect any files on a hard
drive for some reason.
[Analysis: Alexey Podrezov, F-Secure; January 2001]