Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/HLLW.GOP.196_3

Aliases: W32/GOP-A, I-Worm.Gop.A, W32/GOP@MM, W32/Invery.A@MM

Win32/HLLW.GOP.196_3 is a worm that spreads by means of an e-mail file attachment.  The subject of the message and the attachment filename are random, but the attached file always carries a double extension.  The worm also spreads across the local computer network.  It is written in Microsoft Visual C++; its size is 60313 bytes, but it is internally compressed and after unpacking its size grows to more than 188 KB.

Note: In the following text the placeholder %windir% is used for the directory in which the Windows operating system is installed. Naturally, this directory can differ from one installation to another.

Once run, the worm creates the files kernelsys32.exe and IMEKernel32.sys in the directory %windir%\System.  In the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run it creates the value IMEKernel32 and sets it so that kernelsys32.exe is started after a system restart; this is how the worm keeps itself active across reboots.

The worm then sends messages carrying a copy of itself as an attachment to e-mail addresses found in files on the disk.  The first extension of the attached file is one of .bmp, .rtf, .doc, .txt, .gif, .jpeg or .jpg; the second is .lnk or .exe.  Because Windows hides known file extensions by default, such an attachment is displayed to the recipient as a document or picture rather than as an executable.

On a network it spreads as follows: on a shared disk on which an operating system is installed, the worm creates the file Notdelw.i.n.v.e.r.y.i.f.y.exe in the directory Recycled and modifies win.ini on that disk so that the file is run after the remote operating system restarts.
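The following script is an added example, not code from the original encyclopedia entry or from Eset: it turns the description above into two checks a mail-gateway or incident responder could run. The first flags attachment names that follow the worm's double-extension pattern and shows how Explorer would display them with extensions hidden; the second parses a win.ini and reports its run= and load= entries. The description says only that win.ini is modified, so treating the run= and load= keys of the [windows] section as the autorun entries is an assumption, and the sample attachment names and win.ini text are constructed for the example.

```python
import re

# Extensions named in the description: the first (decoy) extension makes the
# attachment look like a document or picture, the second is what actually runs.
DECOY_EXTS = ("bmp", "rtf", "doc", "txt", "gif", "jpeg", "jpg")
EXEC_EXTS = ("exe", "lnk")

DOUBLE_EXT_RE = re.compile(
    r"\.(?:" + "|".join(DECOY_EXTS) + r")\.(?:" + "|".join(EXEC_EXTS) + r")$",
    re.IGNORECASE,
)

# Host indicators taken from the description. %windir% is left as a
# placeholder and must be expanded on the machine being checked.
DROPPED_FILES = (
    r"%windir%\System\kernelsys32.exe",
    r"%windir%\System\IMEKernel32.sys",
    r"Recycled\Notdelw.i.n.v.e.r.y.i.f.y.exe",  # on a shared system drive
)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "IMEKernel32"


def is_gop_style_attachment(filename: str) -> bool:
    """True when an attachment name ends in <decoy>.<exe|lnk>, e.g. photo.jpg.exe."""
    return DOUBLE_EXT_RE.search(filename.strip()) is not None


def explorer_display_name(filename: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on
    (the Windows default). Only the last extension is hidden, so photo.jpg.exe
    is displayed as photo.jpg. Only the extensions named on this page are
    modelled as 'known' here."""
    base, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in DECOY_EXTS + EXEC_EXTS:
        return base
    return filename


def win_ini_autorun(text: str) -> dict:
    """Return the run= and load= values from the [windows] section of win.ini.
    Assumption (not stated on the page): these are the win.ini entries that
    start a program at logon, so they are where an autorun change would appear."""
    section = None
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows":
            key, sep, value = line.partition("=")
            key = key.strip().lower()
            if sep and key in ("run", "load") and value.strip():
                found[key] = value.strip()
    return found


# Constructed sample input (not taken from the original page).
SAMPLE_ATTACHMENTS = ["invoice.doc.exe", "holiday.jpeg.lnk", "notes.txt",
                      "setup.exe", "a.doc.exe.txt"]
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\Recycled\\Notdelw.i.n.v.e.r.y.i.f.y.exe
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        flag = "SUSPECT" if is_gop_style_attachment(name) else "ok"
        print(f"{name:18} shown as {explorer_display_name(name):14} {flag}")
    print("win.ini autorun entries:", win_ini_autorun(SAMPLE_WIN_INI))
    print("Also check", RUN_KEY, "for value", RUN_VALUE_NAME)
    print("and look for these files:", *DROPPED_FILES)
```

Note that a.doc.exe.txt is not flagged: the pattern requires the executable extension to be the last one, which is the only case in which the file runs when opened. The win.ini check is a plain-text parse, so it can be run against a copy of the file pulled from a shared drive without touching the remote host's registry.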

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.