Troj/HlpDrp-B

Posted: September 11, 2012

Threat Metric

Threat Level: 9/10
Infected PCs: 133
First Seen: September 11, 2012
Last Seen: October 26, 2022
OS(es) Affected: Windows

Troj/HlpDrp-B is a Trojan dropper that uses the unusual disguise of a Windows Help file to seem harmless. Opening this supposed 'help' file results in a fairly nondescript error message, but SpywareRemove.com malware analysts have found that Troj/HlpDrp-B includes a hidden payload: a second Trojan (Troj/DarkDrp-A) that installs a spyware component from the Darkshell Trojan. Current Troj/HlpDrp-B attacks appear to focus on Europe, particularly Italy, although other countries may also be in danger of Troj/HlpDrp-B-related spyware attacks. As usual, SpywareRemove.com malware researchers recommend scanning any suspicious file with anti-malware products before you open anything you can't identify as coming from a trusted source, since a file's type is an increasingly unreliable guide to whether it is safe.

Troj/HlpDrp-B: the Help File That Wants to Do Anything But Help You

Troj/HlpDrp-B is a genuine, albeit malicious, WinHelp file that uses the HLP extension. This file format was discontinued as of Windows Vista, which makes older versions of Windows more vulnerable to Troj/HlpDrp-B attacks than newer ones, although SpywareRemove.com malware researchers note that many newer Windows OSes may still be able to launch Troj/HlpDrp-B and be subjected to its harmful content. However, the criminals behind Troj/HlpDrp-B haven't taken the trouble to create legitimate help-file content for it, so attempting to open it produces a basic 'could not read' error.

Many victims of Troj/HlpDrp-B attacks will assume that the file is dysfunctional or corrupted in some way, and will think that this error message is the end of the matter. Rather than being the end, this error message is just the beginning, as Troj/HlpDrp-B loads a second Trojan (a fake Windows Security Center.exe, identified as Troj/DarkDrp-A). This second Trojan then launches a keylogger that's detected as Troj/Agent-OVJ. SpywareRemove.com malware experts emphasize that all of this occurs in the background without any visible symptoms.

The Cost of Asking for a Little Help from Troj/HlpDrp-B

Troj/HlpDrp-B's role in this anti-helping ordeal may be over once Troj/HlpDrp-B has dropped and launched its associated Trojan, but, sadly, that's not the end of the story. The keylogger Troj/Agent-OVJ will record all typed keyboard input into a separate file, which is sent to criminals so that they can exploit any revealed passwords, login names, e-mail addresses and other personal information. In the process of putting your computer in jeopardy; in other ways – or even grant near-complete control of the system over to criminals through a Command & Control (C&C) server.

While Troj/HlpDrp-B must be launched before any of this can begin, other types of PC threats may be instructed to launch Troj/HlpDrp-B automatically, and, other than its rather generic error pop-up, there aren't any significant signs of Troj/HlpDrp-B's installation of Troj/DarkDrp-A and Troj/Agent-OVJ. Having a good anti-malware program is still your best bet for detecting Troj/HlpDrp-B before it can initiate any information-stealing attacks, although Troj/HlpDrp-B was only detected in late August, and SpywareRemove.com malware researchers recommend keeping all anti-malware databases updated for accurate identification of Troj/HlpDrp-B.

Troj/HlpDrp-B and related PC threats use misleading file names, including the names of system components, to disguise themselves, and you should use the same anti-malware programs to delete Troj/HlpDrp-B and its payload instead of trying to detect the infection manually. Variants of Troj/HlpDrp-B may be detected by the heuristic label of Mal/HlpDrop-A.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: Amministrazione.rar
Size: 64.58 KB (64580 bytes)
MD5: bc045fd0478d3a26054bea6a70919b2d
Detection count: 44
Mime Type: unknown/rar
Group: Malware file
Last Updated: September 12, 2012

File name: Amministrazione.hlp
Size: 81.04 KB (81046 bytes)
MD5: ff05577e9f26181bce7bceb9defb5534
Detection count: 43
Mime Type: unknown/hlp
Group: Malware file
Last Updated: September 12, 2012

File name: Windows Security Center.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: RECYCLER.DLL
File type: Dynamic link library
Mime Type: unknown/DLL
Group: Malware file

File name: \Documents and Settings\username\Local Settings\Application Data\UserData.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file
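
The indicators listed above can be turned into a quick triage pass over a folder of received attachments. This is an added example, not SpywareRemove.com's tooling: the function names are hypothetical, and the WinHelp header magic (0x00035F3F) is a fact about the file format rather than something stated on this page. It also goes one step beyond the listing by flagging WinHelp content that sits under a non-.hlp name.

```python
import hashlib
import os
import sys

# MD5 values and file names exactly as listed on this page.
KNOWN_MD5 = {
    "bc045fd0478d3a26054bea6a70919b2d": "Amministrazione.rar",
    "ff05577e9f26181bce7bceb9defb5534": "Amministrazione.hlp",
}
SUSPECT_NAMES = {"windows security center.exe", "recycler.dll"}
# WinHelp header magic 0x00035F3F, stored little-endian (assumption: format fact, not from the page).
HLP_MAGIC = b"\x3f\x5f\x03\x00"


def triage_file(path):
    """Return the reasons a file deserves a closer look (empty list if none)."""
    reasons = []
    with open(path, "rb") as fh:
        head = fh.read(4)
        md5 = hashlib.md5(head)
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
    name = os.path.basename(path).lower()
    if md5.hexdigest() in KNOWN_MD5:
        reasons.append("md5 matches " + KNOWN_MD5[md5.hexdigest()])
    if name in SUSPECT_NAMES:
        reasons.append("file name used by the payload")
    if head == HLP_MAGIC:
        disguised = not name.endswith(".hlp")
        reasons.append("WinHelp header under a non-.hlp name" if disguised
                       else "legacy WinHelp file")
    return reasons


def triage_tree(root):
    """Walk a directory and map each flagged path to its list of reasons."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            try:
                reasons = triage_file(full)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort
            if reasons:
                hits[full] = reasons
    return hits


if __name__ == "__main__":
    for path, why in triage_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(why))
```

A name match alone is weak evidence, since the payload borrows names that resemble system components; treat any hit as a reason to run a full anti-malware scan on the file, not as a verdict.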

Additional Information

The following messages were detected:
# Message
1. Help could not read the current Help file. Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)