Win32.HLLM.Bihup

Virus Description
Win32.HLLM.Bihup is a mass-mailing worm, it affects computers running under Windows 95/98/ME/NT/2000/XP operating systems.
The worm propagates via e-mail to the addresses of unread (or marked as unread) messages found in MS Outlook Express mail client of the infected computer.
The worm's payloads trigger on several dates and hole time intervals related to the infected computer's system time. On its trigger dates it either displays different false messages on the screen or stops cursor functioning, or restricts the mouse movement and swaps its buttons.



--------------------------------------------------------------------------------

Virus Propagation
Win32.HLLM.Bihup propagates via e-mail using MAPI (Mail Application Programming Interface).
Being activated after the system restart the worm searches for an active process of Microsoft Outlook Express and if it succeeds, it begins to spread its viral copies to the addresses found in unread (or marked as unread) messages of this mail client. The worm's copies are sent as attachments to such messages in the form of executable files. The file names are chosen by the worm depending on the system's clock and may have the following names:
2002.exe
Go Korea.exe
Heddink.exe
RedDevil.exe
WorldCup.exe

Besides, there may be attachment files with Korean names that can be rendered in a readable way only in systems with Korean fonts installed. The subject and the body of the message can be both in English and Korean. The attachment size is about 176 Kb.



--------------------------------------------------------------------------------

System Infection
The worm is activated if only an attachment file is launched by the user. If first run it does not manifest itself in any way but it places its several copies to Windows system folder (by defaulr: C:\Windows\System for Windows 95-Me and C:\Winnt\System32 for Windows NT/2000/XP):
BihUpdate.exe
MsCrt32.exe
Temp32.exe
SysRtw2.exe
User32Rem.exe
UserGDL.exe
Win32.Dll.exe

Its another viral copy Krn32Dll.exe is placed to Windows folder.
To secure its automatic run at every system reboot it adds the value Explorer32 = %System%\[one of the above listed file names] to the resgistry key

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

(where %System% is the Windows system folder). This registry key is changed every time the worm activates and another viral copy name replaces the previous one.
The worm becomes activated only after Outlook Express is run. And if it can not send its copy it stays in memory and waits for Outlook Express to be launched. After the propagation procedure is over the worm performs other actions related to the system date on the infected system:

On Thursdays it displays a system message written in Korean with the title Message From A
In June, after the self-propagation procedure it displays in Outlook Express program window a message written in Korean and English: Here We Go! World Cup Corea!
On January, 1 it restricts the cursor movement to a square of one pixel so the cursor is "frozen".
On July, 7 it performs same actions
In November the worm swaps the mouse buttons functions
In December it tiles all the windows open in the system.
Having performed these actions the worm terminates its activity for the current Windows session.



--------------------------------------------------------------------------------

Virus Damage
In case of a system infection the worm performs the following actions undesirable for the user:
it sends its viral copies via e-mail with the infected computer address in the Sender field
being activated it displays various messages on a screen
places its viral copies to the system
introduces changes to the system registry
stops cursor movement on the computer screen
restricts the mouse movement and swaps its button's function.



--------------------------------------------------------------------------------