Virus.Win32.Hala

Detect Date 01/22/2010
Class Virus
Platform Win32
Description

Once launched, the virus writes its code into the address space of the “explorer.exe” process. The infected process then searches for all files with an .exe extension and appends the virus code to each file found.

Folders with the names listed below will not be scanned for files:

QQ

Windows

WINNT

Local Settings\Temp

The files listed below will not be infected:

wooolcfg.exe

woool.exe

ztconfig.exe

patchupdate.exe

trojankiller.exe

xy2player.exe

flyff.exe

xy2.exe

au_unins_web.exe

cabal.exe

cabalmain9x.exe

cabalmain.exe

meteor.exe

patcher.exe

mjonline.exe

config.exe

zuonline.exe

userpic.exe

main.exe

dk2.exe

autoupdate.exe

dbfsupdate.exe

asktao.exe

sealspeed.exe

xlqy2.exe

game.exe

wb-service.exe

nbt-dragonraja2006.exe

dragonraja.exe

mhclient-connect.exe

hs.exe

mts.exe

gc.exe

zfs.exe

neuz.exe

maplestory.exe

nsstarter.exe

nmcosrv.exe

ca.exe

nmservice.exe

kartrider.exe

audition.exe

zhengtu.exe

The virus can also download other malicious programs to the victim machine; these programs are designed to steal online game passwords. To do this, the virus sends a request containing the victim machine’s parameters to the following URLs (at the time of writing, these URLs were not active):

http://message.microsofte.in/counter.asp?action*****
http://imrw0rldwide.com/DL/counter.asp?action*****
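
For retrospective hunting, the following added example (not part of the original description) scans web proxy log lines for requests to the two hosts listed above and separates requests that match the counter.asp?action pattern from other traffic to the same hosts. The log line format, function names and sample lines are assumptions constructed for this example; the elided part of the query string is not reconstructed.

```python
from urllib.parse import urlsplit

# Hosts and path taken from the two URLs listed in the description above.
HALA_HOSTS = {"message.microsofte.in", "imrw0rldwide.com"}
HALA_PATH_SUFFIX = "/counter.asp"
HALA_QUERY_PREFIX = "action"  # the rest of the query is elided on the page

def classify_url(url):
    """Return 'beacon', 'host-only' or None for one requested URL."""
    # Proxy logs sometimes record host:port without a scheme (e.g. CONNECT).
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in HALA_HOSTS:  # exact match, so look-alike suffixes do not hit
        return None
    path_ok = parts.path.lower().endswith(HALA_PATH_SUFFIX)
    query_ok = parts.query.lower().startswith(HALA_QUERY_PREFIX)
    return "beacon" if path_ok and query_ok else "host-only"

def scan_proxy_log(lines):
    """Yield (client_ip, verdict, url) for each matching log line.

    Assumed line format (constructed for this example):
    <timestamp> <client_ip> <method> <url>
    """
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        client_ip, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict:
            yield client_ip, verdict, url

# Constructed sample log lines; client addresses and query values are made up.
SAMPLE_LOG = [
    "2010-01-22T10:00:01Z 10.0.0.5 GET http://message.microsofte.in/counter.asp?action=x&id=1",
    "2010-01-22T10:00:02Z 10.0.0.7 GET http://IMRW0RLDWIDE.com/DL/counter.asp?action=y",
    "2010-01-22T10:00:03Z 10.0.0.9 GET http://imrw0rldwide.com/index.html",
    "2010-01-22T10:00:04Z 10.0.0.5 GET http://www.microsoft.com/counter.asp?action=z",
    "2010-01-22T10:00:05Z 10.0.0.8 GET http://message.microsofte.in.example.org/counter.asp?action=q",
    "garbage line",
]

if __name__ == "__main__":
    for ip, verdict, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:9} {ip:10} {url}")
```

A "beacon" verdict identifies a client that issued the request described above and is a candidate for the file-infection check; "host-only" hits warrant a closer look at the same client.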