WORM_HELOMPY.KYL

 Analysis by: Ardin Christopher Maglalang

 ALIASES:

Worm/Autoit.ABJA (AVG), Trojan.Win32.Autoit.wt (Kaspersky), Worm:Win32/Helompy.A (Microsoft), Win32/Autoit.FL (ESET), W32.Harakit (Norton)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.

As of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

551,669 bytes

File Type:

EXE

Initial Samples Received Date:

28 Jan 2014

Arrival Details

This worm arrives via removable drives.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • C:\Win\lsass.exe
  • D:\programs\lsass.exe (dropped instead if drive C is not a fixed drive or is inaccessible)

It drops the following files:

  • C:\Win\names.txt - contains the filename of the file to download.

It creates the following folders:

  • C:\Win
  • D:\programs (created instead if drive C is not a fixed drive or is inaccessible)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
run32 = "{Malware Path and Filename}"

Propagation

This worm drops copies of itself in removable drives. These dropped copies use the names of the folders located on the said drives for their file names.
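A host-side triage script for the indicators listed under Installation, Autostart Technique and Propagation, added here as an example; it is not part of the original entry or of Trend Micro's tooling. It assumes the caller supplies the Run-key values and drive listings (for instance from winreg and os.scandir); the sample removable-drive listing is constructed.

```python
"""Triage checks for the WORM_HELOMPY.KYL indicators described on this page:
the 'run32' Run-key value, the dropped file paths, and removable-drive copies
that reuse folder names as file names. Added example, not the page's own code."""
import os
from pathlib import PureWindowsPath

# Indicators taken from the page. The Run-key data is a placeholder there,
# so only the value name is matched.
RUN_VALUE_NAME = "run32"
DROPPED_PATHS = {
    PureWindowsPath(r"C:\Win\lsass.exe"),
    PureWindowsPath(r"D:\programs\lsass.exe"),
    PureWindowsPath(r"C:\Win\names.txt"),
}

def check_run_key(values):
    """values: mapping of value names to data read from HKLM\\...\\Run.
    Returns the data of the 'run32' value if present, otherwise None."""
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME:
            return data
    return None

def check_dropped_files(existing_paths):
    """existing_paths: iterable of Windows paths present on the host.
    Returns those matching the page's dropped-file list (case-insensitive)."""
    wanted = {str(p).lower() for p in DROPPED_PATHS}
    return sorted(str(p) for p in existing_paths
                  if str(PureWindowsPath(p)).lower() in wanted)

def find_folder_named_copies(entries):
    """entries: list of (name, is_dir) pairs from a removable drive's root.
    The worm's copies reuse folder names as file names, so flag every file
    whose stem equals the name of a sibling folder on the same drive."""
    folders = {name.lower() for name, is_dir in entries if is_dir}
    suspicious = []
    for name, is_dir in entries:
        if not is_dir and PureWindowsPath(name).stem.lower() in folders:
            suspicious.append(name)
    return sorted(suspicious)

def scan_drive_root(root):
    """Live wrapper (assumed usage): list a drive root and apply the check."""
    entries = [(e.name, e.is_dir()) for e in os.scandir(root)]
    return find_folder_named_copies(entries)

if __name__ == "__main__":
    # Constructed sample listing of a removable drive, not real data.
    sample = [("Photos", True), ("Photos.exe", False), ("Work", True),
              ("Work.exe", False), ("readme.txt", False)]
    print(find_folder_named_copies(sample))  # ['Photos.exe', 'Work.exe']
```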

Download Routine

This worm accesses the following websites to download files:

  • http://peradjoka.{BLOCKED}5.com/{User name}/{File name}.rar
  • http://peradjoka.{BLOCKED}5.com/{Computer name}/{File name}.rar

As of this writing, the said sites are inaccessible.

Stolen Information

This worm sends the gathered information via HTTP POST to the following URL:

  • http://peradjoka.{BLOCKED}5.com/cmd.php?command={Stolen Information}