W32.HLLW.Annil - qk193.zip.exe.scr

tasklist.org		A comprehensive list of processes running in your computer
		tasklist \| attachlist

bookmark this website!		total tasks: 16297

AttachList is a list of email attachment files that viruses usually send in email. It contains the attached file names, typical subjects and messages, the name of the viruses that send them, and instruction on how to remove these viruses.

most requested

Browse attachlist by file name:

| a | b | c | d | e | f | g | h | i | j | k | l | m | n | o | p | q | r | s | t | u | v | w | x | y | z |

Name: W32.HLLW.Annil

Sender:

Uses the format (email_name@domain), where email_name and domain may
be selected from a list that the worm carries.

Subject:

%s is screwing up.
%s not working.
: New billing procedure.
About %s
Bomb threat!
Bomb!
Do you want this?
Faked emode.com results.
Hello!
Hilarous joke.
I can't load %s...
I finally finished my program!
I found your password :)
I've been hurt. But am alright.
Incorrect Address...
Klex virus making its rounds.
News!
Old classmate.
Postmaster: Message Failure
Postmaster: Message Failure
Postmaster: Undeliverable Mail
Problem with %s...
School Policy!
School danger!.
School report.
School tragedy!
Tommorow?
WTF is up with %s!!!
What is this?
Your beta test has arrived.
Your dad.
Your family.
Your request.

Message:

Attention, Windows user:
Can you tell me what this is?
cool huh?
Everytime I try to load the site I get sent this file.
Everytime I type the address it keeps redirecting me to this file.
Evidence!
Ha. Remember this guy?
Hey, I found this on Download.com a while ago and forgot to send it
too you. I thought you may be interested. It should be attached, if
it isn't just e-mail me again.
Hey, I managed to get your password for your e-mail. I suggest you
use this utility (I attached it) to fortify your account and you can
also use it to retrieve other peoples passwords (don't try it on me,
since I already used it to protect mine). I'll keep my name secret, I
don't want to get sued :) . BTW, I'm sending this to more people than
just you, but I used it on multiple people.
I can't seem to get the site working, it always sends me to a URL
with this file. What's wrong?
I did a search for your name and I think someone faked your emode.com
test results. See what you think:
If you've been wondering why I haven't been staying in touch lately,
it's because I've been working on a program in my spare time. I've
finally got it to a testable state, and was wondering if you could
give me feedback on it. Thanks in advance.
I got this from my dad's old attorney, he said it could be very
useful to you.
I have good reasoning! See the image quickly!
I hope you're the one who asked for this, I don't really remember,
but thought I might as well send it anyway.
I'm typing this in a hurry, because I've got to go right away. But my
computer was infected by the Klez virus, and I didn't realize it until
a few days ago. You may have been infected as well. I apoligize!. This
nifty little program fixes everything if you have in fact, been
infected.
Is there any way to keep it from sending me this file? Thanks.
I thought you might enjoy this. Birds are so funny.
Keeps dloading this.
Outlook:Secure text document attached.
Results automatically attached.
Security Signature: 188X-08305-RETNMAIL
Security Signature: 165X-08605-RETNMAIL
Security Signature: 165X-08605-UNDLVRMAIL
Someone wants me to report this without giving names.
Sorry, I think I was supposed to send this earlier
Sorry to bother you, but when I try to load the site it always gives
me this file.
The bomb threat you may get today might be real, see the image:
This demands immediate attention.
The following message could not be sent because the recipients
mailbox was full.
The following message could not be sent because the recipients
mailbox was no longer available.
This message must have been sent to me by mistake, appearantly it's
meant for you. Don't worry I didn't read all of it :).
We have detected a security gap within Windows internal dll's, we
suggest all users run this program which seals the gap. Otherwise,
any damaged data will not be compinsated for by Microsoft.
We have started a new billing procedure, see the attached invoice for
more information.
Well a lot of people haven't heard very much about my "injury", but
my insurance company said I should give this to everybody I know. Run
it and you'll understand everything.
Why do you let the kids play this awful game?
Will this work for tommorow?
Your dad told me to send this to you, i think you'll understand.

Attachment:

(random).bat
(random).com
(random).scr
apache.exe.bat
apache.exe.com
apache.exe.exe
apache.exe.scr
autoupdate.exe.bat
autoupdate.exe.com
autoupdate.exe.exe
autoupdate.exe.scr
billing.scr
BlueS-Injury.scr.scr
bomb.scr.bat
bomb.scr.com
bomb.scr.exe
cgibin.com.bat
cgibin.com.com
cgibin.com.exe
cgibin.com.scr
define.bat
define.com
define.scr
dogs.scr.scr
doom.bat
doom.com
doom.exe
file.scr.scr
flash6.com.bat
flash6.com.com
flash6.com.exe
flash6.com.scr
gettogether.scr.scr
guns.scr.bat
guns.scr.com
guns.scr.exe
index.scr.bat
index.scr.com
index.scr.exe
index.scr.scr
joke.scr.scr
KlezRem.bat
KlezRem.com
KlezRem.exe
KlezRem.pif
ie6upg.exe.bat
ie6upg.exe.com
ie6upg.exe.exe
ie6upg.exe.scr
Invoice.scr.scr
MFCApp.exe.scr
MSSecure.scr.scr
msupdate.exe.bat
msupdate.exe.com
msupdate.exe.exe
msupdate.exe.scr
oddfile.exe.bat
oddfile.exe.com
oddfile.exe.exe
oddfile.exe.scr
powder.scr.bat
powder.scr.com
powder.scr.exe
PWordGet-Lite.bat
PWordGet-Lite.com
PWordGet-Lite.exe
PWordGet-Lite.pif
qk193.zip.exe.bat
qk193.zip.exe.com
qk193.zip.exe.exe
qk193.zip.exe.scr
results.scr
return.bat
return.com
return.scr
screenshot.scr.bat
screenshot.scr.com
screenshot.scr.exe
screenshot.scr.scr
servrequest.com.bat
servrequest.com.com
servrequest.com.exe
servrequest.com.scr
shooting.com.bat
shooting.com.com
shooting.com.exe
SnowBall.bat
SnowBall.com
SnowBall.exe
SnowBall.pif
underdog.scr
unknownurl.pif.bat
unknownurl.pif.com
unknownurl.pif.exe
unknownurl.pif.scr
violence.pif.bat
violence.pif.com
violence.pif.exe
will.scr.scr
yourmsg.scr.scr

Comments: A mass-mailing worm that uses its own SMTP engine to spread.

Symptoms:


 Displays a fake message saying "File execution aborted". 
 Creates a subkey to,
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion It uses the
worm file name as the key name. 
 Adds a value that refers to its copy to the registry key:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun so that
the worm runs when you restart Windows. 
 Creates a registry key: HKEY_LOCAL_MACHINESoftwareMcAfeeScan95 and
adds the following values to this key: "bNetworkAlert"=0
"bVShieldEnabled"=0 "UpgradeEXE"="Hire Me" 
 Set the values to: "Start Page"="http: //www.cnn.com"
"NotifyDownloadComplete"=0 in the registry key:
HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerMain 
 Set the value to: "DisableRegistryTools"=1 in the registry key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem

 Set the following values:
HKEY_CURRENT_USERSoftwareKazaaAdvanced"ScanFolder"=1
HKEY_CURRENT_USERSoftwareKazaaInstantMessaging"IgnoreAll"=1
HKEY_CURRENT_USERSoftwareKazaaLocalContent"DisableSharing"=0
HKEY_CURRENT_USERSoftwareKazaaResultsFilter"adult_filter_level"=0
HKEY_CURRENT_USERSoftwareKazaaResultsFilter"bogus_filter"=0
HKEY_CURRENT_USERSoftwareKazaaResultsFilter"firewall_filter"=0
HKEY_CURRENT_USERSoftwareKazaaResultsFilter"virus_filter"=0
HKEY_CURRENT_USERSoftwareKazaaSettings"FolderWarning"=0
HKEY_CURRENT_USERSoftwareKazaaUserDetails"AutoConnected"=1

Recommended Cleanup Software: We found that Easy SpyRemover is the most effective tool for removing this file.

Manual Removal Instructions: Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode or VGA mode.
Run a full system scan and delete all the files detected as W32.HLLW.Annil@mm.
Delete the values that were added to the registry.