Description
Win32.HLLM.Bihup is a mass-mailing worm that affects computers running Windows 95/98/ME/NT/2000/XP.
The worm propagates via e-mail to the addresses of unread (or marked as unread) messages found in the MS Outlook Express mail client on the infected computer.
The worm's payloads trigger on several dates and whole time intervals (a weekday or a month) derived from the infected computer's system time. On its trigger dates it displays various false messages on the screen, stops the cursor from functioning, or restricts the mouse movement and swaps its buttons.
Launching
The worm is activated only if the user launches the attachment file.
To ensure it runs automatically at every system reboot, it adds the value Explorer32 = %System%\[one of the viral copy file names listed below] to the registry key
(where %System% is the Windows system folder). This registry value is rewritten every time the worm activates, and another viral copy name replaces the previous one.
Spreading
Win32.HLLM.Bihup propagates via e-mail using MAPI (Mail Application Programming Interface).
Once activated after the system restart, the worm searches for an active Microsoft Outlook Express process and, if it finds one, begins to send its viral copies to the addresses found in unread (or marked as unread) messages of this mail client. The worm's copies are sent as executable attachments to such messages. The file name is chosen by the worm depending on the system clock and may be one of the following:
2002.exe
Go Korea.exe
Heddink.exe
RedDevil.exe
WorldCup.exe
Besides these, there may be attachment files with Korean names that can only be rendered readably on systems with Korean fonts installed. The subject and the body of the message can be in English or Korean. The attachment size is about 176 KB.
Action
On its first run it does not manifest itself in any way, but it places several copies of itself in the Windows system folder (by default C:\Windows\System for Windows 95-ME and C:\Winnt\System32 for Windows NT/2000/XP):
BihUpdate.exe
MsCrt32.exe
Temp32.exe
SysRtw2.exe
User32Rem.exe
UserGDL.exe
Win32.Dll.exe
Another viral copy, Krn32Dll.exe, is placed in the Windows folder.
The worm becomes active only after Outlook Express is run. If it cannot send its copy, it stays in memory and waits for Outlook Express to be launched. After the propagation procedure is over, the worm performs other actions depending on the system date of the infected computer:
- On Thursdays it displays a system message written in Korean with the title Message From A
- In June, after the self-propagation procedure, it displays in the Outlook Express program window a message written in Korean and English: Here We Go! World Cup Corea!
- On January 1 it restricts the cursor movement to a square of one pixel, so the cursor is "frozen".
- On July 7 it performs the same actions.
- In November the worm swaps the functions of the mouse buttons.
- In December it tiles all the windows open in the system.
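The indicators quoted under Launching (the Explorer32 autostart value), Spreading (the attachment names and size) and Action (the copies dropped into the system and Windows folders) can be turned into a simple hunt. The following Python script is an added example, not part of the original description or of any vendor tool. It does not touch a live system: it evaluates constructed inventory data shaped like a registry export (value name to data) and plain directory listings, so the same functions can be fed the output of a real export later. Two things are assumptions: the autostart key path, which the description does not name and is therefore a labelled placeholder, and the +/-10 % tolerance applied to the "about 176 KB" attachment size.

```python
"""Hunt for the Win32.HLLM.Bihup indicators quoted in the description.

Added example, not part of the original description. It never touches a
live system: it evaluates constructed inventory data shaped like a registry
export (value name -> data) and directory listings. Assumptions: the
autostart key path (not named in the description, so a placeholder) and
the size tolerance for the "about 176 KB" attachment check.
"""
import ntpath

# Copy names quoted in the description, lower-cased for case-insensitive matching.
SYSTEM_FOLDER_COPIES = {
    "bihupdate.exe", "mscrt32.exe", "temp32.exe", "sysrtw2.exe",
    "user32rem.exe", "usergdl.exe", "win32.dll.exe",
}
WINDOWS_FOLDER_COPY = "krn32dll.exe"
ATTACHMENT_NAMES = {"2002.exe", "go korea.exe", "heddink.exe", "reddevil.exe", "worldcup.exe"}
ALL_COPY_NAMES = SYSTEM_FOLDER_COPIES | {WINDOWS_FOLDER_COPY}

AUTOSTART_VALUE = "explorer32"
# Placeholder: the description does not name the autostart key.
AUTOSTART_KEY = "HKLM\\<autostart key not named in the description>"

# Attachment size "about 176 KB"; the +/-10 % tolerance is an assumption.
EXPECTED_ATTACHMENT_BYTES = 176 * 1024
SIZE_TOLERANCE = 0.10


def check_autostart(run_values: dict[str, str]) -> list[str]:
    """Report an autostart value named Explorer32 and whether it points at a known copy name."""
    findings = []
    for name, data in run_values.items():
        if name.lower() != AUTOSTART_VALUE:
            continue
        base = ntpath.basename(data).lower()
        if base in ALL_COPY_NAMES:
            findings.append(f"{AUTOSTART_KEY}\\{name} points at known copy: {data}")
        else:
            findings.append(f"{AUTOSTART_KEY}\\{name} present with unlisted data: {data}")
    return findings


def check_dropped_files(system_dir: list[str], windows_dir: list[str]) -> list[str]:
    """Report copy names found in the system folder and in the Windows folder."""
    found = [f for f in system_dir if f.lower() in SYSTEM_FOLDER_COPIES]
    found += [f for f in windows_dir if f.lower() == WINDOWS_FOLDER_COPY]
    return sorted(found, key=str.lower)


def check_attachments(attachments: list[tuple[str, int]]) -> list[str]:
    """Report attachments whose name matches the worm's list; note whether the size fits."""
    low = EXPECTED_ATTACHMENT_BYTES * (1 - SIZE_TOLERANCE)
    high = EXPECTED_ATTACHMENT_BYTES * (1 + SIZE_TOLERANCE)
    hits = []
    for name, size in attachments:
        if name.lower() not in ATTACHMENT_NAMES:
            continue
        note = "size consistent" if low <= size <= high else "size outside expected range"
        hits.append(f"{name} ({size} bytes, {note})")
    return hits


def scan(run_values, system_dir, windows_dir, attachments) -> dict[str, list[str]]:
    """Run all three checks; a non-empty list in any section deserves a closer look."""
    return {
        "autostart": check_autostart(run_values),
        "dropped_files": check_dropped_files(system_dir, windows_dir),
        "attachments": check_attachments(attachments),
    }


# Constructed sample inventory (not captured from a real system).
SAMPLE_RUN_VALUES = {"Explorer32": "C:\\WINNT\\System32\\MsCrt32.exe", "ctfmon": "ctfmon.exe"}
SAMPLE_SYSTEM_DIR = ["kernel32.dll", "MsCrt32.exe", "SysRtw2.exe", "user32.dll"]
SAMPLE_WINDOWS_DIR = ["explorer.exe", "Krn32Dll.exe", "notepad.exe"]
SAMPLE_ATTACHMENTS = [("WorldCup.exe", 180_224), ("report.doc", 40_000), ("Go Korea.exe", 10_000)]

if __name__ == "__main__":
    for section, hits in scan(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM_DIR,
                              SAMPLE_WINDOWS_DIR, SAMPLE_ATTACHMENTS).items():
        print(section, hits or "clean")
```

Name matching is case-insensitive because the description quotes mixed-case names while the file system on these Windows versions is case-preserving but case-insensitive; the attachment check keeps a name-only hit even when the size is off, since the size is only approximate in the description.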