VIRUS ALERT: W32.HLLW.Anig
Results 1 to 6 of 6

Thread: VIRUS ALERT: W32.HLLW.Anig

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884

    VIRUS ALERT: W32.HLLW.Anig

    Yep, another worm to be worried about.

    Discovered on: January 29, 2004
    Last Updated on: January 30, 2004 12:15:31 PM

    Here is what Symantec has to say about it.

    http://securityresponse.symantec.com...hllw.anig.html
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Hmm so I dont get how its spread? port 5190

    An AOL port, does that mean its checking the shares of users connected through AOL?
    That which does not kill me makes me stronger -- Friedrich Nietzche

  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    # Stores keystrokes and passwords collected in the file, %System\NTKBH32.dll.

    # Opens up a backdoor on TCP port 5190 and listens for commands from the attacker.
    I'd imagine it's for the "attacker" to collect whatever was recorded. He probably set it to 5190 so that admins wouldn't close off that port at their firewalls since quite a few allow IMing at work. Might also be to make it look like traffic for AIM. That way home users aren't suspicious.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    More than likely it is using that port in attempts to hide the fact that it is actually a malicious service. Most people see 5190 and assume an end user is mucking around with AIM.

    As a side note, this technique is a commonly used with setting up a NetCat listener.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Thanks for the heads up, I was tooling around NAI.com getting pissed that McAfee hasn't posted it yet but they have it under a different name. Lol.

    W32/Dfcsvc.worm

    Edit/ Too asnswer the distribution method question

    "The worm copies itself through ADMIN$ & IPC$ shares and installs on a remote machine.

    Note: When successfully copied onto a remote machine, the worm is executed remotely as a service - the infected machine does not require reboot for the worm to be running.

    After the first restart NTGINA.DLL recieves control as part of the WINLOGON.EXE process, and keylogging commences."

    From NAI

  6. #6
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    So if I am understanding this correctly, the W32.HLLW is the mane name, and the .Anig describes the variant?

    If that's the case, then this has been around awhile (not in this version obviously)

    Variations:

    http://www.symantec.com/avcenter/ven...llw.bymer.html
    http://securityresponse.symantec.com...fizzer@mm.html

    So on the upside, it's never reached higher than a category 2. On the downside, some of the variants include a mass mailer...

    So am I understanding this info correctly? Wouldn't be the first time I was full o' crap.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •