Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or services, including Facebook and Gmail. The worm contacts a remote host to download arbitrary files and to upload stolen details.
Installation
When run under the administrator account, Win32/Helompy drops a copy of the worm in any of the following file folders:
- c:\win
- %windir%\cidd_p
- d:\programs
- %TEMP%\<eight character alphanumeric string>_Rar\ (such as '%TEMP%\000335A7_Rar\')
In the wild, this worm was observed executing as one of the following file names, with 'hidden', 'system' and 'read-only' file attributes:
- lsass.exe
- configuration.exe
When run under an account with limited privileges, the worm copies itself to the Windows startup folder as a file named "desktop.exe".
The worm uses a file folder icon as a disguise; if the affected user double-clicks it to open it, the worm creates a folder and opens that folder in a new instance of Explorer. This behavior was observed in testing and is illustrated below, with a test sample named "Helompy-gen.exe":

The registry is modified to run the worm copy, as in the following example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "run32"
With data: "<path and file name of the worm copy>" (e.g. "c:\win\lsass.exe")
Spreads via...
Removable drives
The worm copies itself to the root of all removable drives using the name of the target drive, and with file attributes of 'hidden', 'system' and 'read-only'. The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Captures logon credentials
Win32/Helompy creates a data file, used to store captured data, on the first fixed drive that has free space, at the following path:
- c:\DebugDLL\CatRoot\dll\systems.dll
To maximize the capture of user account logon credentials, the worm may disable the Internet Explorer form auto-complete setting by modifying the following registry data:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Use FormSuggest"
With data: "no"
The worm then monitors application windows and records keystrokes when any of the following strings or keywords are found in the application window title:
- alas.matf.bg.ac.yu
- bank
- Connect to Remote Host
- Gmail: Email from Google
- Login
- my.EUnet.rs
- Password
- PayPal
- Sign
- Welcome to Facebook! | Facebook
- Yahoo! Mail: The best web-based email!
The worm uses HTTP to send captured data to a remote server, using a server-side script.
Downloads files
Some variants of Win32/Helompy attempt to download updated versions of the worm from remote servers.
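As an added example (not part of the original write-up or the analyst's own tooling), the following Python checks an exported registry snapshot and a file listing against the host artifacts described above. It assumes the registry is supplied as a minimal .reg-style text export and that paths are written with environment variables unexpanded, as they appear in the description; the sample inputs are constructed.

```python
import re
# Host artifacts taken from the Win32/Helompy description above (not a full signature set).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
DATA_FILE = r"c:\debugdll\catroot\dll\systems.dll"
DROP_NAMES = {"lsass.exe", "configuration.exe"}
DROP_DIRS = {r"c:\win", r"%windir%\cidd_p", r"d:\programs"}
TEMP_RAR_DIR = re.compile(r"^%temp%\\[0-9a-z]{8}_rar$")  # e.g. %TEMP%\000335A7_Rar

# Constructed sample artifacts for a stand-alone run (not from a real infection).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"run32"="c:\win\lsass.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use FormSuggest"="no"
"""
SAMPLE_FILES = [r"c:\win\lsass.exe", r"%windir%\system32\lsass.exe",
                r"%TEMP%\000335A7_Rar\configuration.exe", r"c:\DebugDLL\CatRoot\dll\systems.dll"]

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"')] = data.strip().strip('"')
    return keys

def check_registry(reg):
    """Flag the 'run32' persistence value and the disabled IE form auto-complete."""
    hits = []
    run_data = reg.get(RUN_KEY, {}).get("run32")
    if run_data is not None:
        hits.append(f"HKLM Run value 'run32' -> {run_data}")
    if reg.get(IE_MAIN_KEY, {}).get("Use FormSuggest", "").lower() == "no":
        hits.append("HKCU IE 'Use FormSuggest' = no (auto-complete disabled)")
    return hits

def check_files(paths):
    """Flag the credential store and worm copies in the documented drop folders."""
    hits = []
    for path in paths:
        directory, _, name = path.lower().rpartition("\\")
        if path.lower() == DATA_FILE:
            hits.append(f"captured-credential store: {path}")
        elif name in DROP_NAMES and (directory in DROP_DIRS or TEMP_RAR_DIR.match(directory)):
            # lsass.exe is legitimate under %windir%\system32; only the documented drop folders count.
            hits.append(f"dropped worm copy: {path}")
    return hits
```

Run against a real host by feeding it the output of `reg export` for the two keys and a directory listing; the name-plus-folder match is what keeps the legitimate system32 lsass.exe from being flagged.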
Analysis by Daniel Radu