WORM_HELOMPY.KYL
Worm/Autoit.ABJA (AVG), Trojan.Win32.Autoit.wt (Kaspersky), Worm:Win32/Helompy.A (Microsoft), Win32/Autoit.FL (ESET), W32.Harakit (Norton)
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
As of this writing, the said sites are inaccessible.
TECHNICAL DETAILS
File size: 551,669 bytes
File type: EXE
Initial samples received: 28 Jan 2014
Arrival Details
This worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- C:\Win\lsass.exe
- D:\programs\lsass.exe (used instead if drive C: is not a fixed drive or is inaccessible)
The file name mimics the legitimate Local Security Authority process, lsass.exe, which resides in %System% (for example, C:\Windows\System32). A file of that name in C:\Win or D:\programs is not the legitimate binary.
It drops the following files:
- C:\Win\names.txt - contains the filename of the file to download.
It creates the following folders:
- C:\Win
- D:\programs (created instead if drive C: is not a fixed drive or is inaccessible)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
run32 = "{Malware Path and Filename}"
Propagation
This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names (for example, a folder named Photos on the drive yields a copy named Photos.exe), so that a user browsing the drive mistakes the executable for the folder.
Download Routine
This worm accesses the following websites to download files:
- http://peradjoka.{BLOCKED}5.com/{User name}/{File name}.rar
- http://peradjoka.{BLOCKED}5.com/{Computer name}/{File name}.rar
As of this writing, the said sites are inaccessible.
Stolen Information
This worm sends the gathered information via HTTP POST to the following URL:
- http://peradjoka.{BLOCKED}5.com/cmd.php?command={Stolen Information}
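The following sweep is an added example, not code from Trend Micro or from this page; it turns the indicators listed under Installation, Autostart Technique, Propagation, Download Routine and Stolen Information into checks a responder can run. The host paths, the run32 Run value and the URL paths come from the advisory above; the C2 host name is redacted on this page, so the proxy-log matcher keys on the URL paths only (a weak indicator on its own). The sample directory listing and proxy-log lines are constructed for illustration, and the assumption that no legitimate software registers a file named lsass.exe under the Run key is the author's, not the advisory's.

```python
"""Indicator sweep for the WORM_HELOMPY.KYL artefacts described above.

Added example, not Trend Micro's code. The pure functions run anywhere over
constructed inputs; sweep_live() applies the same checks to a Windows host.
"""
import ctypes
import ntpath
import os
import re
from typing import Iterable

# Paths and registry data as printed in the advisory.
DROPPED_PATHS = (r"C:\Win\lsass.exe", r"C:\Win\names.txt", r"D:\programs\lsass.exe")
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "run32"
# The genuine LSASS binary lives in System32 and is started by wininit.exe,
# never from a Run key (assumption: no legitimate product registers an
# lsass.exe there), so any lsass.exe under Run is treated as a hit.
LEGIT_LSASS_DIR = r"c:\windows\system32"
DRIVE_REMOVABLE = 2  # GetDriveTypeW() return code for removable media

# Constructed sample inputs (not taken from a real infection).
SAMPLE_LISTING = [("Photos", True), ("Photos.exe", False), ("Work", True),
                  ("Work.exe", False), ("readme.txt", False), ("Music", True)]
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://c2.invalid/JSMITH/update.rar 404",
    "10.0.0.5 POST http://c2.invalid/cmd.php?command=... 200",
    "10.0.0.7 GET http://example.com/index.html 200",
]
# cmd.php?command= is the exfiltration path; /<user or host name>/<file>.rar is
# the download path. Both are matched without the (redacted) host name.
C2_PATH_RE = re.compile(r"/cmd\.php\?command=|/[^/\s]+/[^/\s]+\.rar(?:\s|$)")


def _norm(p: str) -> str:
    """Strip quotes, normalise separators and case so paths compare reliably."""
    return ntpath.normpath(p.strip().strip('"')).lower()


def check_dropped_paths(present: Iterable[str]) -> list[str]:
    """Return the advisory's dropped paths that appear in `present`."""
    have = {_norm(p) for p in present}
    return [p for p in DROPPED_PATHS if _norm(p) in have]


def check_run_values(run_values: dict[str, str]) -> list[str]:
    """Flag the run32 value, and any Run value launching lsass.exe outside System32."""
    hits = []
    for name, data in run_values.items():
        target = _norm(data)
        if name.lower() == RUN_VALUE_NAME:
            hits.append(f"{name} = {data}")
        elif ntpath.basename(target) == "lsass.exe" and ntpath.dirname(target) != LEGIT_LSASS_DIR:
            hits.append(f"{name} = {data}")
    return hits


def find_folder_mimics(entries: Iterable[tuple[str, bool]]) -> list[str]:
    """Given (name, is_dir) pairs from one directory of a removable drive, return
    executables whose stem equals a sibling folder name (Photos + Photos.exe)."""
    entries = list(entries)
    dirs = {name.lower() for name, is_dir in entries if is_dir}
    hits = []
    for name, is_dir in entries:
        stem, ext = ntpath.splitext(name)
        if not is_dir and ext.lower() == ".exe" and stem.lower() in dirs:
            hits.append(name)
    return hits


def match_c2_requests(log_lines: Iterable[str]) -> list[str]:
    """Return proxy-log lines whose URL path matches the advisory's C2 paths."""
    return [line for line in log_lines if C2_PATH_RE.search(line)]


def sweep_live() -> dict[str, list[str]]:
    """Run the checks against the local Windows host; returns {} elsewhere."""
    if os.name != "nt":
        return {}
    import winreg
    run_values: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            index += 1
    mimics = []
    for letter in "CDEFGHIJKLMNOPQRSTUVWXYZ":
        root = f"{letter}:\\"
        if ctypes.windll.kernel32.GetDriveTypeW(root) == DRIVE_REMOVABLE and os.path.isdir(root):
            with os.scandir(root) as it:
                entries = [(e.name, e.is_dir()) for e in it]
            mimics += [ntpath.join(root, m) for m in find_folder_mimics(entries)]
    return {
        "dropped": check_dropped_paths(p for p in DROPPED_PATHS if os.path.exists(p)),
        "run": check_run_values(run_values),
        "mimics": mimics,
    }


if __name__ == "__main__":
    print("sample mimics:", find_folder_mimics(SAMPLE_LISTING))
    print("sample C2 hits:", match_c2_requests(SAMPLE_PROXY_LOG))
    print("live sweep:", sweep_live())
```

The folder-mimic check deliberately compares only the stem against sibling directory names rather than looking for hidden attributes, because the advisory describes the naming trick and nothing else; run it per directory on each removable drive, and treat any hit together with a run32 Run value or a copy in C:\Win or D:\programs as confirmation rather than relying on the .rar path match alone.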