Threat Encyclopedia


Aliases: W32/GOP-A, I-Worm.Gop.A, W32/GOP@MM, W32/Invery.A@MM

Win32/HLLW.GOP.196_3 is a worm that spreads through files attached to e-mail messages. The message subject and the attachment filename are random, and the attached file always has a double extension. The worm also spreads over the local computer network. It is written in Microsoft Visual C++ and is 60313 bytes long, but it is internally compressed; after unpacking, its length increases to more than 188Kb.

Note: In the following text, the symbolic name %windir% is used in place of the directory in which the Windows operating system is installed. This directory can differ from one installation to another.

After being run, the worm creates the files kernelsys32.exe and IMEKernel32.sys in the directory %windir%/System. In the system registry, under the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, it creates the item IMEKernel32 and sets its value so that kernelsys32.exe is launched after the system restarts. This keeps the worm active across restarts.
The worm then sends messages with an attached copy of itself to e-mail addresses found in files on the disk. The first extension of the attached file is one of the following: .bmp, .rtf, .doc, .txt, .gif, .jpeg or .jpg. The second one may be .lnk or .exe.
On a network it spreads as follows: on the shared disk where the operating system is installed, the worm creates the file Notdelw.i.n.v.e.r.y.i.f.y.exe in the directory Recycled. By modifying the file win.ini, it ensures that this file is run after the operating system restarts.
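
The indicators described above can be checked mechanically. The following Python is an added example, not code from ESET or from this entry: it flags attachment names with the described double extension and scans win.ini text for autostart entries that point at the dropped file names. It assumes the win.ini change uses the legacy load=/run= entries of the [windows] section (the entry does not say which line is modified); the sample win.ini and its path are constructed.

```python
import re

# Extensions and file names taken from the description above.
DECOY_EXTS = {".bmp", ".rtf", ".doc", ".txt", ".gif", ".jpeg", ".jpg"}
FINAL_EXTS = {".lnk", ".exe"}
DROPPED_NAMES = {"kernelsys32.exe", "imekernel32.sys",
                 "notdelw.i.n.v.e.r.y.i.f.y.exe"}

def is_double_extension(filename):
    """True for names like photo.jpg.exe (decoy extension + .lnk/.exe)."""
    # Windows ignores trailing spaces and dots, so strip them before checking.
    parts = filename.strip().rstrip(". ").lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    return "." + parts[1] in DECOY_EXTS and "." + parts[2] in FINAL_EXTS

def winini_autostart(text):
    """Programs listed on load=/run= lines of the [windows] section."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("load", "run"):
            # Entries are a space- or comma-separated list of programs.
            found += [p for p in re.split(r"[ ,]+", value.strip()) if p]
    return found

def suspicious_autostart(text):
    """Autostart entries naming a dropped file or a Recycled directory."""
    hits = []
    for prog in winini_autostart(text):
        base = re.split(r"[\\/]", prog)[-1].lower()
        if base in DROPPED_NAMES or "recycled" in prog.lower():
            hits.append(prog)
    return hits

# Constructed sample for illustration; the drive letter and path are assumed.
SAMPLE_WININI = r"""[windows]
load=
run=C:\RECYCLED\Notdelw.i.n.v.e.r.y.i.f.y.exe

[fonts]
run=ignored.exe
"""

if __name__ == "__main__":
    print(suspicious_autostart(SAMPLE_WININI))
```
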

© 1992-2004 ESET s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.