MS06-014: HLLP.Philis.bq - Network virus uses malware components written in Chinese

Posted Sat, Nov 18 2006 0:06 by Harry Waldron

This new file infector virus can spread by infecting unprotected network shares and by exploiting systems where the MS06-014 patch is not installed. The component written in Chinese is difficult to remove, and research is needed to find a good cleaning solution for infected systems.

MS06-014: HLLP.Philis.bq - Network virus uses malware components written in Chinese
http://vil.nai.com/vil/content/v_140922.htm

QUOTE: Overview: W32/HLLP.Philis.bq is a file infecting virus. It searches for executable files on the infected machine to prepend its viral code. It is also responsible for dropping a .DLL file, which downloads a password stealing trojan from a website.

DAT 4899 RELEASE: McAfee 4899 DAT files are being released early as there is concern that this threat will spread globally. The web site hosting the malware downloaded by this threat also contains Exploit-MS06-014 to automatically download and install this virus on vulnerable systems.

Aliases
* PE_LOOKED.LF-O (Trend)
* W32.Looked.O (Symantec)
* Win32/Looked.BZ (CA)

METHOD OF INFECTION: The virus tries to spread via existing network shares. It searches for all active machines within the subnet. When it finds an active machine it sends an ICMP ping request and waits for a response. After getting the ping response it tries to access the ADMIN$, IPC$ and any other shares that might exist on the machine.
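The spreading pattern above (ping sweep of the local subnet, then connections to ADMIN$ and IPC$ on the hosts that answered) is something a defender can look for in firewall or flow logs. The following is an added detection example written for this post; it is not code from McAfee or from the original article. The key=value log format, the sample lines and the thresholds are all constructed for the example.

```python
"""Spot the Philis-style share-spreading pattern in connection logs.

Heuristic: a host that ICMP-pings many neighbours in its own /24 and then
opens SMB (TCP/445) sessions to the ADMIN$, IPC$ or C$ shares of hosts it
just pinged is behaving like the worm described above.  The log format and
the sample lines below are constructed for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log format: key=value pairs, one event per line.
LINE_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: 10.0.0.5 sweeps the /24 with pings, then hits admin
# shares on the hosts that replied; 10.0.0.9 is an ordinary client talking
# to a single file server and must not be flagged.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 dst=10.0.0.10 proto=icmp type=echo-request
ts=2 src=10.0.0.5 dst=10.0.0.11 proto=icmp type=echo-request
ts=3 src=10.0.0.5 dst=10.0.0.12 proto=icmp type=echo-request
ts=4 src=10.0.0.5 dst=10.0.0.13 proto=icmp type=echo-request
ts=5 src=10.0.0.10 dst=10.0.0.5 proto=icmp type=echo-reply
ts=6 src=10.0.0.12 dst=10.0.0.5 proto=icmp type=echo-reply
ts=7 src=10.0.0.5 dst=10.0.0.10 proto=tcp dport=445 share=ADMIN$
ts=8 src=10.0.0.5 dst=10.0.0.10 proto=tcp dport=445 share=IPC$
ts=9 src=10.0.0.5 dst=10.0.0.12 proto=tcp dport=445 share=ADMIN$
ts=10 src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=445 share=DATA
ts=11 src=10.0.0.9 dst=10.0.0.20 proto=tcp dport=445 share=DATA
"""

# Administrative shares the worm is reported to try (C$ added as a common sibling).
ADMIN_SHARES = {"ADMIN$", "IPC$", "C$"}


def parse_line(line):
    """Turn one key=value log line into a dict; empty dict for junk lines."""
    return dict(LINE_RE.findall(line))


def find_share_spreaders(log_text, min_pings=3, min_share_hosts=2):
    """Return {src: {"pinged": [...], "share_hosts": [...]}} for sources that
    ping at least min_pings distinct hosts in their own /24 and afterwards
    open admin-share sessions to at least min_share_hosts of those hosts."""
    pinged = defaultdict(set)       # src -> hosts it sent echo-requests to
    share_hosts = defaultdict(set)  # src -> pinged hosts it then hit on an admin share
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if "src" not in ev or "dst" not in ev:
            continue  # junk or incomplete line
        src, dst = ev["src"], ev["dst"]
        if ev.get("proto") == "icmp" and ev.get("type") == "echo-request":
            # Only count sweeps inside the sender's own /24, as the worm does.
            if ip_address(dst) in ip_network(f"{src}/24", strict=False):
                pinged[src].add(dst)
        elif (ev.get("proto") == "tcp" and ev.get("dport") == "445"
              and ev.get("share") in ADMIN_SHARES
              and dst in pinged.get(src, set())):
            # Share access counts only if this source pinged the target first.
            share_hosts[src].add(dst)
    findings = {}
    for src, hosts in pinged.items():
        if len(hosts) >= min_pings and len(share_hosts[src]) >= min_share_hosts:
            findings[src] = {"pinged": sorted(hosts),
                             "share_hosts": sorted(share_hosts[src])}
    return findings


if __name__ == "__main__":
    for src, info in find_share_spreaders(SAMPLE_LOG).items():
        print(f"{src}: pinged {len(info['pinged'])} hosts, "
              f"then admin shares on {info['share_hosts']}")
```

Run against the constructed sample it reports 10.0.0.5 only; the ordinary client 10.0.0.9 never pings and touches a non-administrative share, so it is ignored. In a real deployment the thresholds should be tuned to the subnet size, and legitimate management hosts (patch or inventory servers that also reach ADMIN$ broadly) need an allowlist to keep the alert useful.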

Comments

# Philis.BG worm, aka Looked - McAfee offers free cleaning tool

Monday, November 20, 2006 11:31 AM by Harry Waldron - Microsoft MVP Blog

McAfee offers a free removal tool (special version of STINGER) for the new Philis.BG worm, a.k.a. Looked

# Philis.BG worm, aka Looked - McAfee offers free cleaning tool

Monday, November 20, 2006 11:31 AM by Harry Waldron - My IT Forums Blog

McAfee offers a free removal tool (special version of STINGER) for the new Philis.BG worm, a.k.a. Looked

# W32/HLLP.Philis.bq, Chinese gold farmers and what you can do about it. :)

Monday, December 04, 2006 9:04 AM by Robert Hensing's Blog

Just read a fascinating blog post from the folks over at Secureworks. Basically they noted that W32/HLLP.Philis.bq