Discussion in 'malware problems & news' started by Tinribs, Aug 11, 2002.

Thread Status:
Not open for further replies.
  1. Tinribs

    Tinribs Registered Member

    Mar 14, 2002
    Virus Description
    Win32.HLLM.Bihup is a mass-mailing worm, it affects computers running under Windows 95/98/ME/NT/2000/XP operating systems.
    The worm propagates via e-mail to the addresses of unread (or marked as unread) messages found in MS Outlook Express mail client of the infected computer.
    The worm's payloads trigger on several dates and hole time intervals related to the infected computer's system time. On its trigger dates it either displays different false messages on the screen or stops cursor functioning, or restricts the mouse movement and swaps its buttons.


    Virus Propagation
    Win32.HLLM.Bihup propagates via e-mail using MAPI (Mail Application Programming Interface).
    Being activated after the system restart the worm searches for an active process of Microsoft Outlook Express and if it succeeds, it begins to spread its viral copies to the addresses found in unread (or marked as unread) messages of this mail client. The worm's copies are sent as attachments to such messages in the form of executable files. The file names are chosen by the worm depending on the system's clock and may have the following names:
    Go Korea.exe

    Besides, there may be attachment files with Korean names that can be rendered in a readable way only in systems with Korean fonts installed. The subject and the body of the message can be both in English and Korean. The attachment size is about 176 Kb.


    System Infection
    The worm is activated if only an attachment file is launched by the user. If first run it does not manifest itself in any way but it places its several copies to Windows system folder (by defaulr: C:\Windows\System for Windows 95-Me and C:\Winnt\System32 for Windows NT/2000/XP):

    Its another viral copy Krn32Dll.exe is placed to Windows folder.
    To secure its automatic run at every system reboot it adds the value Explorer32 = %System%\[one of the above listed file names] to the resgistry key


    (where %System% is the Windows system folder). This registry key is changed every time the worm activates and another viral copy name replaces the previous one.
    The worm becomes activated only after Outlook Express is run. And if it can not send its copy it stays in memory and waits for Outlook Express to be launched. After the propagation procedure is over the worm performs other actions related to the system date on the infected system:

    On Thursdays it displays a system message written in Korean with the title Message From A
    In June, after the self-propagation procedure it displays in Outlook Express program window a message written in Korean and English: Here We Go! World Cup Corea!
    On January, 1 it restricts the cursor movement to a square of one pixel so the cursor is "frozen".
    On July, 7 it performs same actions
    In November the worm swaps the mouse buttons functions
    In December it tiles all the windows open in the system.
    Having performed these actions the worm terminates its activity for the current Windows session.


    Virus Damage
    In case of a system infection the worm performs the following actions undesirable for the user:
    it sends its viral copies via e-mail with the infected computer address in the Sender field
    being activated it displays various messages on a screen
    places its viral copies to the system
    introduces changes to the system registry
    stops cursor movement on the computer screen
    restricts the mouse movement and swaps its button's function.

Thread Status:
Not open for further replies.