Summary

The 'Win32.HLLO.Mip' is a Windows-based overwriting virus created with Visual Basic 6. The virus is a PE EXE file 36384 bytes long. The virus is not encrypted or polymorphic. The virus requires MSVBVM60.DLL library to be present in system in order to run. The virus doesn't work if Windows is installed in folder named other than 'C:\Windows' as this data is hardcoded in virus body. The origin of the virus is most likely Uruguay judging from texts inside the virus and the effects it manifests itself with.

When an infected file is run for the first time, the virus first opens Notepad and prints an e-mail address there (most likely the e-mail address of virus creator). Then the virus installs itself to system as RUNDII32.EXE file. This file has Read-Only, Hidden and System attributes and won't be seen in Windows Explorer with default settings. The RUNDII32.EXE file is created in \Windows\System\ folder and SYSTEM.INI file is modified so the file that virus drops is always executed when Windows starts. The viru s modifies '[BOOT]' section in SYSTEM.INI file and adds its execution string at the beginning of the [BOOT] section.

Then the virus installs itself to memory - its task is visible in Task Manager as 'Calculadora', 'Texto', 'Paint', 'Kernel32', 'Windows', 'MI PC' or with some other names. The virus doesn't allow to kill its task from Task Manager. Multiple essences of the virus might be present in memory.

At startup the virus corrupts (zeroes length) or deletes ATTRIB.EXE, EDIT.COM, FORMAT.COM, DELTREE.EXE, EBD.CAB, MSCDEX.EXE and APPWIZ.CPL files. Being active in memory the the virus doesn't allow the above listed files to be restored and it also constantly (every few seconds) checks for ATTRIB.COM, DELTREE.COM, APPWIZ.CPL and EBD.CAB files and if they appear, sets Read-Only, Hidden and System attributes to them. The virus sets Read-Only, Hidden and System attributes to MSVBVM60.DLL library on both hard dis k and floppy disk (if file is found there). When a user tries to run REGEDIT.EXE file from \Windows\ folder, a message 'Another program is currently using this file.' appears and the Registry Editor is not executed.

The virus creates its own key in the Registry and keeps its decimal counter there:

 HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones
 HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones\Conteo

When a counter reaches certain value (larger than 90) the virus displays a messagebox with 'Curiosidad5' caption and 'Uruguay' text. When a user clicks OK button, the virus opens Notepad and starts to constantly output 'Curiosidad5, Uruguay, 2001, CurisidadN@yahoo.com' message there. After the user closes Notepad, the virus replaces the contents of AUTOEXEC.BAT with commands that should output a message in Spanish and delete all files from hard disk C: on next system startup. Finally the virus tries to rest art a system or makes it unusable so a user has to restart it himself.

When a floppy drive is accessed the virus tries to copy itself there with the following names: README.EXE, GRATIS.EXE, LEEME.EXE, TRUCOS.EXE, TEXTO.EXE, NOTAS.EXE, FREE.EXE, AVISO.EXE, DEMO.EXE, SOFTWARE.EXE, SHAREWARE.EXE, CHISTES.EXE, LEER.EXE, !WARING!.EXE, !DANGER!.EXE, FREEWARE.EXE, PASSWORD.EXE, CLAVE.EXE and CONTRASENA.EXE. The virus doesn't infect any files on a hard drive for some reason.

[Analysis: Alexey Podrezov, F-Secure; January 2001]