When W32.HLLW.GOP.G@mm is executed, it does the following:
1. Copies itself as %System%\WindowsAgent.exe.
NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Creates the Drocerrbk.sys file, in which it stores stolen passwords.
3. Adds the value:
to the registry key:
4. Performs its mass-mailing routine. Mostly, the email message it sends will contain a subject and message in Chinese. The attachment will be a .bmp, .rtf, .doc, .txt, .gif, .jpeg, or .jpg file, which is taken from your computer.
To the original file name, the worm adds a second file extension, either .exe or .lnk. For example, if the original file name is Birthday pic.bmp, the name of the attachment will be Birthday pic.bmp.exe or Birthday pic.bmp.lnk.
The worm searches for email addresses in .htm and .html files, and in many different email mailbox files. After gathering all the email addresses the worm can find, it uses its own SMTP engine to send an email message that can be executed (on unpatched systems) when it is read by the recipient.
NOTE: The worm takes advantage of the IFRAME vulnerability that allows Microsoft Outlook to automatically execute attachments. Information on this vulnerability can be found at: http://www.microsoft.com/windows/ie/...8/default.asp.
5. Searches the network drives and copies itself to \Recycled\Notdelw.i.n.v.e.r.y.i.f.y.exe on any mapped drive on which it can find an operating system. Then, the worm sets that particular file to run at startup, by modifying the Win.ini file.