W32.HLLW.Razac@mm

Discovered: September 25, 2003
Updated: October 3, 2003 03:07:11 PM ZE9
Type: Worm
Infection Length: 390,144
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

SUMMARY


W32.HLLW.Razac@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book.
The email has the following characteristics:

Subject: !!!!Hoy es 11!!!!!
Message: Hoy es 11!!!!! el 11 de abril del 2002 murieron miles de personas mira esto!!!
Attachment: C:\11 De Abril un dia de Luto.pif

The worm attempts to spread itself through some file-sharing networks, such as KaZaA, eDonkey2000, Bearshare, Morpheus, and Grokster. It also attempts to spread itself through ICQ and mIRC.

This threat is written in the Borland Delphi programming language.


Protection

  • Virus Definitions (LiveUpdate™ Weekly) October 1, 2003
  • Virus Definitions (Intelligent Updater) September 26, 2003

TECHNICAL DETAILS


When W32.HLLW.Razac@mm runs, it does the following:
  1. Copies itself as the following files:
    • C:\11 De Abril un dia de Luto.pif
    • C:\Windows\System\11_de_abril.pif
    • C:\Program Files\KaZaA\My Shared Folder\El Mejor Sexo.pif
    • C:\Program Files\KaZaA\My Shared Folder\KaZaA Antivirus Era 2003.exe
    • C:\Program Files\KaZaA\My Shared Folder\UnTouChabLeS KoRn.scr
    • C:\Program Files\KaZaA\My Shared Folder\KaZaA Morpheus.exe
    • C:\Program Files\KaZaA\My Shared Folder\Deftones Live in concert.scr
    • C:\Program Files\KaZaA\My Shared Folder\Xbox Emulator V2.1.exe
    • C:\Program Files\KaZaA\My Shared Folder\Play2 All Tricks BoX.pif
    • C:\Program Files\KaZaA\My Shared Folder\Gatorade Screen Saver.scr
    • C:\Program Files\KaZaA\My Shared Folder\THE EMINEM SHOW.pif
    • C:\Program Files\ICQ\shared files\ICQ Messenger.exe
    • C:\Program Files\ICQ\shared files\ICQ MSN Compacter.exe
    • C:\Program Files\ICQ\shared files\ICQ AntiVirus Era 2003
    • C:\Program Files\ICQ\shared files\ICQ Black Ice Screen.scr
    • C:\Program Files\ICQ\shared files\ICQ SMS Sender.exe
    • C:\Program Files\ICQ\shared files\ICQ Screen Saver.scr
    • C:\Program Files\ICQ\shared files\ICQ Millenium Skin.pif
    • C:\Program Files\Edonkey2000\Incoming\Edonkey2000_mega games pack.exe
    • C:\Program Files\Edonkey2000\Incoming\Edonkey Screen Saver.scr
    • C:\Program Files\Edonkey2000\Incoming\Edonkey2003 Expansion.exe
    • C:\Program Files\Edonkey2000\Incoming\Yo!.pif
    • C:\Program Files\Edonkey2000\Incoming\Edonkey2000_mega games pack 2.exe
    • C:\Program Files\Edonkey2000\Incoming\Edonkey2000_mega games pack 3.exe
    • C:\Program Files\Edonkey2000\Incoming\Edonkey2000_mega games pack 4.exe
    • C:\Program Files\Bearshare\Shared\Bearshare antivirus 2002.exe
    • C:\Program Files\Bearshare\Shared\Bearshare antivirus 2003.exe
    • C:\Program Files\Bearshare\Shared\Bearshare Virtual Machine 2.1.exe
    • C:\Program Files\Bearshare\Shared\Bearshare eXtreMe Edition.exe
    • C:\Program Files\Bearshare\Shared\Bearshare IcE Edition.exe
    • C:\Program Files\Bearshare\Shared\Bearshare antivirus 2001.exe
    • C:\Program Files\Morpheus\My Shared Folder\New Limp Bizkit Album--Biscuit Street.pif
    • C:\Program Files\Morpheus\My Shared Folder\Morpheus AntiVirus Era 2002.exe
    • C:\Program Files\Morpheus\My Shared Folder\UntoUcHaBlEs KorN.pif
    • C:\Program Files\Morpheus\My Shared Folder\Pink.pif
    • C:\Program Files\Morpheus\My Shared Folder\Puddle Of Mudd New Video.scr
    • C:\Program Files\Morpheus\My Shared Folder\Venezuela - Morpheus.scr
    • C:\Program Files\Morpheus\My Shared Folder\New Morpheus Edition 2003.exe
    • C:\Program Files\Grokster\My Grokster\Grokster Music CD 2002.pif
    • C:\Program Files\Grokster\My Grokster\Grokster - KaZaA.exe
    • C:\Program Files\Grokster\My Grokster\Grokster AntiVirus Era 2002.exe
    • C:\Program Files\Grokster\My Grokster\Grokster Music CD 2003.pif
    • C:\Program Files\Grokster\My Grokster\Grokster Pictures.pif

  2. Overwrites the System.ini file if the operating system is Windows 95/98/Me.

  3. Terminates all the active processes.

  4. Displays the message "Enter Network Password."

  5. Creates the file, C:\Windows\System\Autoexec.bat.bat (292 bytes), which displays some text when run.

  6. Creates a file, C:\Windows\System\WinvbsAdapter.vbs (1,105 bytes). The worm uses this file to download a GIF file from a predefined Web site and displays some windows that contain different text.

  7. Creates the file, C:\Window\System32\VisualBasicLibrary.dll.vbs, and then runs it. This file is 2,139 bytes in length.

    When C:\Window\System32\VisualBasicLibrary.dll.vbs runs, it does the following:
    1. Uses Microsoft Outlook to send the worm to all the contacts in the Outlook Address Book. The email has the following characteristics:

      Subject: !!!!Hoy es 11!!!!!
      Message: Hoy es 11!!!!! el 11 de abril del 2002 murieron miles de personas mira esto!!!
      Attachment: C:\11 De Abril un dia de Luto.pif

    2. Overwrites the Script.ini file in one of the following folders:
      • C:\Program Files\mirc32
      • C:\Program Files\mirc
      • C:\mirc32
      • C:\mirc

        The worm uses this mIRC script file to send "C:\11 De Abril un dia de Luto.pif" to other mIRC users, who are connecting to the same channel.

    3. Adds the registry key:

      HKEY_CURRENT_USER\Software\11_send

      The worm uses this registry key as the infection marker.

  8. Deletes the following files, if any exist:



Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
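
The attachment-blocking recommendation above, sketched as a mail-gateway check. This is an added example, not code from Symantec or from this page; the function names are hypothetical, and the sample message is constructed from the subject, text and attachment name given in this writeup with a harmless placeholder payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the recommendation above names for blocking.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def blocked_reason(filename):
    """Return why an attachment name is blocked, or None if it is allowed."""
    # Keep only the last path component; a client may send a full path.
    base = re.split(r"[\\/]", filename)[-1]
    # Windows ignores trailing dots and spaces when opening a file,
    # so "x.pif. " must be judged as "x.pif".
    base = base.rstrip(". ").lower()
    extensions = ["." + part for part in base.split(".")[1:]]
    if not extensions or extensions[-1] not in BLOCKED_EXTENSIONS:
        return None
    # An extension-like token before the real one (".dll.vbs", ".bat.bat")
    # is reported separately, because it hides the file type from the user.
    if len(extensions) > 1 and re.fullmatch(r"\.[a-z][a-z0-9]{1,3}",
                                            extensions[-2]):
        return "blocked type %s behind a double extension" % extensions[-1]
    return "blocked type %s" % extensions[-1]


def scan_message(raw_bytes):
    """Return (subject, [(filename, reason), ...]) for blocked attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Filename from Content-Disposition, else the Content-Type "name".
        name = part.get_filename()
        reason = blocked_reason(name) if name else None
        if reason:
            hits.append((name, reason))
    return str(msg["Subject"]), hits


def build_sample():
    """Constructed message: subject, text and attachment name from this page.

    The payload is a harmless placeholder, and sending only the base file
    name (no drive or path prefix) is an assumption about the wire format.
    """
    msg = EmailMessage()
    msg["Subject"] = "!!!!Hoy es 11!!!!!"
    msg.set_content("Hoy es 11!!!!! el 11 de abril del 2002 murieron miles "
                    "de personas mira esto!!!")
    msg.add_attachment(b"constructed placeholder, not the worm",
                       maintype="application", subtype="octet-stream",
                       filename="11 De Abril un dia de Luto.pif")
    msg.add_attachment("benign notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    subject, hits = scan_message(build_sample())
    print(subject)
    for name, reason in hits:
        print("  %s: %s" % (name, reason))
```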

REMOVAL


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Run a full system scan and delete all the files detected as W32.HLLW.Razac@mm. Manually delete the file, C:\Windows\System\Autoexec.bat.bat.
  4. Delete the value that was added to the registry.
  5. Restore the overwritten files, System.ini and Script.ini, from known clean copies. Restore the files that the worm deleted from known clean copies.
For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.HLLW.Razac@mm, click Delete.
  4. Using Windows Explorer, delete the file, C:\Windows\System\Autoexec.bat.bat.

4. Deleting the value from the registry


WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to and delete the key:

    HKEY_CURRENT_USER\Software\11_send

  4. Exit the Registry Editor.

5. Restoring the files
  • If you are running Windows 95/98/Me, restore the overwritten System.ini from a clean backup copy.
  • If you are using mIRC, restore Script.ini from a clean backup copy.
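
A post-cleanup check for the artifacts this writeup describes, run over a file inventory and a list of registry key paths. This is an added example, not Symantec tooling; the function names and the sample inventory are constructed, and treating the "Infection Length" figure as a size in bytes is an assumption.

```python
from ntpath import basename, dirname, normpath

WORM_SIZE = 390144  # "Infection Length" above, taken to be bytes (assumption)

# Names of files the writeup says the worm creates outside the share folders.
# Matched by name only, because the Windows directory differs per install.
CREATED_NAMES = {
    "11 de abril un dia de luto.pif",
    "11_de_abril.pif",
    "autoexec.bat.bat",
    "winvbsadapter.vbs",
    "visualbasiclibrary.dll.vbs",
}

# Share folders the writeup lists as drop locations, as lower-case path tails.
SHARE_TAILS = (
    r"\kazaa\my shared folder",
    r"\icq\shared files",
    r"\edonkey2000\incoming",
    r"\bearshare\shared",
    r"\morpheus\my shared folder",
    r"\grokster\my grokster",
)
BAIT_EXTENSIONS = (".pif", ".scr", ".exe")
MARKER_KEY = r"hkey_current_user\software\11_send"


def classify_file(path, size):
    """Return a verdict string for one (path, size) entry, or None."""
    norm = normpath(path).lower()
    name, folder = basename(norm), dirname(norm)
    if name in CREATED_NAMES:
        return "file created by the worm"
    if folder.endswith(SHARE_TAILS) and name.endswith(BAIT_EXTENSIONS):
        # Every copy is the worm itself, so an exact size match is a strong
        # signal; other executables in a share folder still deserve a look.
        if size == WORM_SIZE:
            return "share-folder copy, size matches the worm"
        return "executable in share folder, size differs: review"
    return None


def sweep(listing, registry_keys):
    """Return [(item, verdict), ...] for artifacts that are still present."""
    findings = []
    for path, size in listing:
        verdict = classify_file(path, size)
        if verdict:
            findings.append((path, verdict))
    for key in registry_keys:
        if key.rstrip("\\").lower() == MARKER_KEY:
            findings.append((key, "infection marker key still present"))
    return findings


# Constructed sample inventory: (path, size in bytes) pairs and key paths.
SAMPLE_LISTING = [
    (r"C:\Windows\System\Autoexec.bat.bat", 292),
    (r"C:\Program Files\KaZaA\My Shared Folder\Xbox Emulator V2.1.exe", 390144),
    (r"C:\Program Files\KaZaA\My Shared Folder\holiday.jpg", 81234),
    (r"C:\Program Files\Bearshare\Shared\setup.exe", 1048576),
    (r"C:\Windows\System.ini", 1500),
]
SAMPLE_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft",
    r"HKEY_CURRENT_USER\Software\11_send",
]

if __name__ == "__main__":
    for item, verdict in sweep(SAMPLE_LISTING, SAMPLE_KEYS):
        print("%-66s %s" % (item, verdict))
```

An empty result does not show that System.ini or Script.ini are clean, since the worm overwrites those files in place; they still have to be restored from known clean copies.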


