W32.HLLW.Aritim is a worm with process-injection capabilities that attempts to spread itself through file-sharing networks. The existence of the file Aritima.exe is an indication of a possible infection.
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x
THREAT ASSESSMENT
Wild:
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate
Distribution
Shared drives: Attempts to spread through the KaZaA file-sharing network
TECHNICAL DETAILS
When W32.HLLW.Aritim is executed, it does the following:
Copies itself as the following files:
%System%\Aritima.exe
%System%\Aritima.dll
NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Copies itself to the download folder of the KaZaA file-sharing program, using the following filenames:
Windows XP Keygen.exe
Keygen.exe
Terminator 3.exe
EnterTheMatrix Keygen.exe
Matrix Reloaded.DivX.2003.exe
Resident Evil.DivX.2002.exe
Visual Studio Keygen.exe
Visual C++ Keygen.exe
Visual Basic 6 Keygen.exe
AdAware 6.0 pro Keygen.exe
The Sims Keygen.exe
Injects the Aritima.dll component into one or more running processes.
When the injected process exits, the Aritima.dll component is executed.
Copies the file:
%System%\Aritima.exe
to:
C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\aritima56.exe
Adds the value:
"Aritima" = "C:\windows\system32\aritima.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm starts when Windows starts.
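As an added defender-side example (not part of the Symantec writeup), the following Python function checks a host's file listing and HKLM Run values against the artefacts listed above: the %System% drops for each Windows variant, the StartUp-folder copy, the "Aritima" Run value, and the KaZaA lure names. The KaZaA download folder path and the sample host snapshot are constructed for the demonstration.

```python
# Indicator check for W32.HLLW.Aritim, built from the artefacts in the writeup above.
# Added example, not Symantec code; the KaZaA folder and host snapshot are constructed.
import ntpath

# Filenames the worm uses for its copies in the KaZaA download folder.
KAZAA_LURES = {"Windows XP Keygen.exe", "Keygen.exe", "Terminator 3.exe",
               "EnterTheMatrix Keygen.exe", "Matrix Reloaded.DivX.2003.exe",
               "Resident Evil.DivX.2002.exe", "Visual Studio Keygen.exe",
               "Visual C++ Keygen.exe", "Visual Basic 6 Keygen.exe",
               "AdAware 6.0 pro Keygen.exe", "The Sims Keygen.exe"}
# %System% resolves differently per Windows version, so every candidate is checked.
SYSTEM_DIRS = (r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32")
STARTUP_COPY = r"C:\Documents and Settings\All Users\Start Menu\Programs\StartUp\aritima56.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def check_host(files, run_values, kazaa_download_dir=None):
    """Return (indicator, detail) pairs for each Aritim artefact in `files` (full paths
    on the host) and `run_values` ({name: data} read from RUN_KEY). Windows paths are
    case-insensitive (the writeup mixes Aritima.exe/aritima.exe), so compare lower-cased."""
    findings = []
    present = {p.lower() for p in files}
    for sysdir in SYSTEM_DIRS:
        for name in ("Aritima.exe", "Aritima.dll"):
            path = ntpath.join(sysdir, name)
            if path.lower() in present:
                findings.append(("dropped file", path))
    if STARTUP_COPY.lower() in present:
        findings.append(("startup folder copy", STARTUP_COPY))
    for name, data in run_values.items():
        # Match the value name or its target, so a renamed value launching aritima.exe is caught.
        if name.lower() == "aritima" or ntpath.basename(data).lower() == "aritima.exe":
            findings.append(("run key", f"{RUN_KEY}\\{name} = {data}"))
    if kazaa_download_dir:
        lures = {n.lower() for n in KAZAA_LURES}
        for p in files:
            if (ntpath.dirname(p).lower() == kazaa_download_dir.lower()
                    and ntpath.basename(p).lower() in lures):
                findings.append(("kazaa lure", p))
    return findings

# Constructed snapshot of an infected Windows XP host plus some benign entries.
KAZAA_DIR = r"C:\Program Files\KaZaA\My Shared Folder"  # assumed download folder
SAMPLE_FILES = [r"C:\Windows\System32\Aritima.exe", r"C:\Windows\System32\aritima.dll",
                r"C:\Windows\System32\notepad.exe", STARTUP_COPY,
                KAZAA_DIR + r"\Windows XP Keygen.exe", KAZAA_DIR + r"\holiday.jpg"]
SAMPLE_RUN_VALUES = {"Aritima": r"C:\windows\system32\aritima.exe",
                     "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe"}

def scan_sample():
    # Run the check over the constructed snapshot and return its findings.
    return check_host(SAMPLE_FILES, SAMPLE_RUN_VALUES, kazaa_download_dir=KAZAA_DIR)
```

On a live Windows host the two inputs would come from a directory walk and from reading the Run key; the matching logic itself does not change.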