Classification

Category :

Malware

Type :

-

Aliases :

Mip, Archivo, Win32.HLLO.Mip

Summary

'Win32.HLLO.Mip' is a Windows-based overwriting virus written in Visual Basic 6. It is a PE EXE file 36384 bytes long and is neither encrypted nor polymorphic. The virus requires the MSVBVM60.DLL runtime library to be present on the system in order to run, and it does not work if Windows is installed in a folder other than 'C:\Windows', because that path is hardcoded in the virus body. Judging from the texts inside the virus and the effects it produces, its origin is most likely Uruguay.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When an infected file is run for the first time, the virus first opens Notepad and prints an email address there (most likely the email address of the virus creator). Then the virus installs itself into the system as a file named RUNDII32.EXE. This file has the Read-Only, Hidden and System attributes set and is not visible in Windows Explorer with default settings. The RUNDII32.EXE file is created in the \Windows\System\ folder, and the SYSTEM.INI file is modified so that the dropped file is always executed when Windows starts: the virus adds its execution string at the beginning of the '[BOOT]' section of SYSTEM.INI.

The virus then installs itself in memory; its task is visible in Task Manager as 'Calculadora', 'Texto', 'Paint', 'Kernel32', 'Windows', 'MI PC' or under some other name. The virus does not allow its task to be killed from Task Manager. Multiple instances of the virus may be present in memory at the same time.

At startup the virus corrupts (truncates to zero length) or deletes the ATTRIB.EXE, EDIT.COM, FORMAT.COM, DELTREE.EXE, EBD.CAB, MSCDEX.EXE and APPWIZ.CPL files. While active in memory, the virus does not allow the files listed above to be restored; it also constantly (every few seconds) checks for the ATTRIB.COM, DELTREE.COM, APPWIZ.CPL and EBD.CAB files and, if they appear, sets the Read-Only, Hidden and System attributes on them. The virus also sets the Read-Only, Hidden and System attributes on the MSVBVM60.DLL library, both on the hard disk and on a floppy disk (if the file is found there). When a user tries to run REGEDIT.EXE from the \Windows\ folder, the message 'Another program is currently using this file.' appears and the Registry Editor is not started.

The virus creates its own key in the Registry and keeps a decimal counter there:

HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones
HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones\Conteo

When the counter reaches a certain value (larger than 90), the virus displays a message box with the caption 'Curiosidad5' and the text 'Uruguay'. When the user clicks the OK button, the virus opens Notepad and starts to continuously output the message 'Curiosidad5, Uruguay, 2001, CurisidadN@yahoo.com' there. After the user closes Notepad, the virus replaces the contents of AUTOEXEC.BAT with commands that are meant to output a message in Spanish and delete all files from hard disk C: on the next system startup. Finally the virus tries to restart the system or makes it unusable so that the user has to restart it himself.

When a floppy drive is accessed, the virus tries to copy itself there under one of the following names: README.EXE, GRATIS.EXE, LEEME.EXE, TRUCOS.EXE, TEXTO.EXE, NOTAS.EXE, FREE.EXE, AVISO.EXE, DEMO.EXE, SOFTWARE.EXE, SHAREWARE.EXE, CHISTES.EXE, LEER.EXE, !WARING!.EXE, !DANGER!.EXE, FREEWARE.EXE, PASSWORD.EXE, CLAVE.EXE and CONTRASENA.EXE. For an unknown reason, the virus does not infect any files on the hard drive.
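The autostart entry, the dropped RUNDII32.EXE file, the Read-Only/Hidden/System attribute pattern, the Registry key and the floppy file names described above are the indicators an analyst would check when triaging a machine. The script below is an added example written for this page; it is not F-Secure's code and not taken from the virus. The SYSTEM.INI text, the floppy directory listing and the attribute values are constructed sample data, and the `shell=` key in the sample is an assumption (the description only says the launch string is added at the start of [boot]); the check itself flags any [boot] value that names the dropped file.

```python
"""Triage helpers for the Win32.HLLO.Mip indicators described above.

Added example, not F-Secure's code. All sample data below is constructed.
"""

# File names the description lists for the virus's copies on floppy disks.
FLOPPY_DROP_NAMES = {
    "README.EXE", "GRATIS.EXE", "LEEME.EXE", "TRUCOS.EXE", "TEXTO.EXE",
    "NOTAS.EXE", "FREE.EXE", "AVISO.EXE", "DEMO.EXE", "SOFTWARE.EXE",
    "SHAREWARE.EXE", "CHISTES.EXE", "LEER.EXE", "!WARING!.EXE",
    "!DANGER!.EXE", "FREEWARE.EXE", "PASSWORD.EXE", "CLAVE.EXE",
    "CONTRASENA.EXE",
}
# Dropped file; the name is a lookalike of the legitimate RUNDLL32.EXE
# (capital I's in place of lower-case L's).
DROPPED_FILE = "RUNDII32.EXE"
# Registry paths from the description, reported for manual inspection.
REGISTRY_KEYS = (
    r"HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones",
    r"HKCU\Software\VB and VBA Program Settings\CuriosidadN\Opciones\Conteo",
)
# Windows file attribute bits (FILE_ATTRIBUTE_READONLY / HIDDEN / SYSTEM).
# On Windows, os.stat(path).st_file_attributes yields this bit mask.
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x1, 0x2, 0x4
ATTR_RHS = ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def boot_autostart_entries(system_ini_text):
    """Return [boot] entries whose value references the dropped RUNDII32.EXE."""
    entries = parse_ini(system_ini_text).get("boot", [])
    return [f"{k}={v}" for k, v in entries if DROPPED_FILE.lower() in v.lower()]


def suspicious_removable_names(listing):
    """Names in a removable-disk listing that match the known drop set."""
    return sorted(n for n in listing if n.upper() in FLOPPY_DROP_NAMES)


def has_rhs_attributes(attrs):
    """True when Read-Only, Hidden and System are all set, as the virus does."""
    return attrs & ATTR_RHS == ATTR_RHS


def triage(system_ini_text, removable_listing, attribute_map):
    """Combine the checks into one report; attribute_map is {name: attr bits}."""
    return {
        "boot_autostart": boot_autostart_entries(system_ini_text),
        "removable_drops": suspicious_removable_names(removable_listing),
        "rhs_files": sorted(n for n, a in attribute_map.items()
                            if has_rhs_attributes(a)),
        "registry_keys_to_check": list(REGISTRY_KEYS),
    }


# Constructed sample data (not taken from a real infected machine). The
# "shell=" key is an assumption for the sample only.
SAMPLE_SYSTEM_INI = r"""[boot]
shell=C:\WINDOWS\SYSTEM\RUNDII32.EXE
shell=Explorer.exe
system.drv=system.drv
drivers=mmsystem.dll

[386Enh]
device=*vpowerd
"""
SAMPLE_FLOPPY = ["LEEME.EXE", "report.doc", "Trucos.exe", "setup.exe"]
# 0x20 is FILE_ATTRIBUTE_ARCHIVE, a normal file; 0x27 and 0x7 carry R+H+S.
SAMPLE_ATTRS = {"MSVBVM60.DLL": 0x27, "RUNDII32.EXE": 0x7, "NOTEPAD.EXE": 0x20}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SYSTEM_INI, SAMPLE_FLOPPY, SAMPLE_ATTRS),
                     indent=2))
```

The attribute check is deliberately a pure function over the bit mask so it can be exercised with data collected elsewhere (for example from a forensic image) rather than only on a live Windows host.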