The December 2011 edition of the MSRT includes detection and clean-up for the Win32/Helompy Family. Helompy is a worm that propagates by copying itself to the root of removable drives, and its main payload is to record account credentials and login information and send them to a remote server, where the attacker could retrieve them for use.
At its roots, Helompy is a compiled AutoIt script which we first encountered in the wild in 2009. Like most malware scripted with AutoIt, it presents itself in an innocent way by using the icon of a folder, thus tricking the user into thinking they are purely opening a folder when double-clicking it. Below is an example of the file icon used by Win32/Helompy:
To add more credibility, once you launch the malware, it creates a directory with the same name and opens the folder using a new instance of Explorer:
The worm creates a file folder and copies itself to that directory with ‘hidden’, ‘system’ and ‘read-only’ file attributes, to hide it from view. The new copy of the worm may be named “configuration.exe”, “1.exe” or “lsass.exe”, as you can see in the image below:
The registry is modified to run the worm copy when Windows starts, as illustrated below:
As a payload, the worm awaits login information to be entered for various websites or services:
The worm records all the pressed keystrokes and saves them in a file located usually as the following:
- [drive]:DebugDLLCatRootdllsystems.dll where [drive] is C or D.
When the account information has been logged, it is sent to a remote server, using a server-side script:
- <remote server>/cmd.php?command=[file name]
Although this worm isn’t sophisticated, it managed to infect quite a number of computers. It’s interesting to see the distribution of Helompy based on locale over the last four months, below:
As we can clearly see from the table, more than 60% of the infections occurred in Turkey. This could suggest the initial point of propagation, or the main target.
By adding Win32/Helompy to this month’s release of the MSRT, we hope to quickly remove the malware from those who are infected and limit their exposure to this keyboard logger, and subsequently eradicating Helompy from the ecosystem.
SHA1 of prevalent samples:
— Daniel Radu, MMPC