
Win32/Helompy

Posted: December 14, 2011

Threat Metric

Threat Level: 5/10
Infected PCs: 3,586
First Seen: December 14, 2011
Last Seen: August 24, 2021
OS(es) Affected: Windows

Win32/Helompy is a self-replicating worm that propagates by copying itself to removable drives.
 
Worms such as Win32/Helompy are known for spreading from one computer to another without any human interaction, and Win32/Helompy is no exception. It distributes its infection by copying itself to the root of removable drives, so the copy travels with the drive to every machine it is connected to.

The Win32/Helompy Payload

The main purpose of Win32/Helompy is to log and steal authentication details (user names and passwords) for commonly used websites such as Gmail and Facebook. It does this by connecting to a remote server, capturing the targeted information with keylogging, and then uploading the captured data to that server.
 
This upload is Win32/Helompy's ultimate payload: once the stolen information is on the remote server, the operators behind the threat can access it and use it however they wish.
 
This privacy-invading behavior means that Win32/Helompy poses a serious data security risk to every system it successfully infects. Removing it from any affected computer should be treated as a priority.
 
If you find this threat on your system, remove it immediately. Use a capable malware removal solution to eliminate Win32/Helompy before it has the chance to do lasting damage to your machine.

Specifics on Win32/Helompy's Data Capturing Behavior

To capture as much data as possible, Win32/Helompy may modify the registry to disable Internet Explorer's 'auto-complete' (form suggestion) setting, so that credentials are typed in full rather than filled in automatically. The modification is as follows:
 
Registry subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Value: 'Use FormSuggest'
Data: 'no'

 
After disabling this Internet Explorer setting, Win32/Helompy monitors application windows and records keystrokes. Reports show that it specifically targets Windows applications whose window title contains any of the following keywords or strings:
 
- Welcome to Facebook! | Facebook
- Gmail: Email from Google
- PayPal
- Yahoo! Mail: The best web-based email!
- bank
- Sign
- Login
- Password
- Connect to Remote Host
- alas.matf.bg.ac.yu
- my.EUnet.rs
 
Finally, after capturing the data, Win32/Helompy exfiltrates it over HTTP, using a server-side script to forward the stolen information to the remote server.

Other Notable Details of Win32/Helompy

Once installed, Win32/Helompy stays hidden on the compromised system and runs continuously in the background.
 
When running under an infected system's administrator account, the worm drops copies of itself into the following locations:
 
- d:/programs
- c:/win
- %windir%/cidd_p
- %TEMP%\_Rar\ (for example: %TEMP%\000335A7_Rar)
 
In the wild, Win32/Helompy has been found running under one of two file names: configuration.exe and Isass.exe. Whichever name it uses, the file carries the 'read only', 'hidden' and 'system' attributes.
 
The details above apply specifically to Win32/Helompy infections that have gained access to an administrator-level account and can therefore use administrator privileges. Some of these details may differ when the threat can only reach a user account with limited privileges.
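As an added example (not code from the original page), the following PowerShell triage script checks a Windows host for the indicators described above: the 'Use FormSuggest' registry value, the drop directories (including any %TEMP%\*_Rar folder), files named configuration.exe, lsass.exe or Isass.exe carrying the read-only, hidden and system attributes, and MD5 matches against the hashes listed under Technical Details on this page. It assumes c:\win sits on %SystemDrive% and that the page's Isass.exe and the file table's lsass.exe are both worth checking.

```powershell
# Added triage script (not from the original page). Run in an elevated PowerShell
# session; the indicators below are taken from the text and file table on this page.
$KnownMd5 = @(
    '292984f7d3e7347dd83b5e7bbbf74d3d', '1d7860e6bb87015ed1fb842f6f9bd350',
    'd7d8fdcc7252a2add13e577402e0742c', 'b1b2cf681662d37e808345a904bdd20e',
    '41046278395746b075801bacac168a6b', 'f27a8e3559b07e927fec74f8ccb225ab',
    'fe7b2805aefc92f49a79db6b0948a7d7', '907568045e17dea5d11a20a279a241c6',
    '98fd894ea9904174b4827544714b66e6', '59d54c2871cf9799c8dcb6d05b94925c',
    '3512cc2170cb31ce188306bc8e322425', '16e04752872ea4983b71eae84da06c13'
)
# The page names Isass.exe while its file table records lsass.exe; check both spellings.
$SuspectNames = @('configuration.exe', 'lsass.exe', 'Isass.exe')
$Findings = @()

# 1. Registry: the worm sets 'Use FormSuggest' to 'no' to turn off IE auto-complete.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$prop = Get-ItemProperty -Path $ieMain -Name 'Use FormSuggest' -ErrorAction SilentlyContinue
if ($prop -and $prop.'Use FormSuggest' -eq 'no') {
    $Findings += "Registry: $ieMain\Use FormSuggest = 'no'"
}

# 2. Drop directories named on the page, plus any %TEMP%\*_Rar folder (assumption:
#    c:\win is on the system drive).
$dropDirs = @('D:\programs', "$env:SystemDrive\win", "$env:windir\cidd_p") +
            @(Get-ChildItem -Path $env:TEMP -Directory -Force -Filter '*_Rar' -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })

foreach ($dir in $dropDirs) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    # -Force is required: the dropped copies carry the hidden and system attributes.
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
        $a = $f.Attributes
        $hasAttrs = (($a -band [IO.FileAttributes]::Hidden) -ne 0) -and
                    (($a -band [IO.FileAttributes]::System) -ne 0) -and
                    (($a -band [IO.FileAttributes]::ReadOnly) -ne 0)
        $nameHit = $SuspectNames -contains $f.Name
        $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        $hashHit = [bool]$md5 -and ($KnownMd5 -contains $md5.ToLower())
        # Report on a known hash, or on a suspect name that also has the page's attribute set.
        if ($hashHit -or ($nameHit -and $hasAttrs)) {
            $Findings += "File: $($f.FullName) attrs=$a md5=$md5 knownHash=$hashHit"
        }
    }
}

if ($Findings.Count -eq 0) { 'No Win32/Helompy indicators found.' } else { $Findings }
```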

Technical Details

File System Modifications


The following files were created on the system. Each is classified as a malware file; all are executables (mime type unknown/exe) except file.zip (mime type unknown/zip).

| File name | Path | Size (bytes) | MD5 | Detection count | Last updated |
|---|---|---|---|---|---|
| lsass.exe | C:\Win\lsass.exe | 551669 | 292984f7d3e7347dd83b5e7bbbf74d3d | 1,007 | July 5, 2023 |
| lsass.exe | C:\Win\lsass.exe | 552448 | 1d7860e6bb87015ed1fb842f6f9bd350 | 410 | September 19, 2023 |
| lsass.exe | %SystemDrive%\Win | 809984 | d7d8fdcc7252a2add13e577402e0742c | 389 | April 6, 2020 |
| lsass.exe | C:\Win | 654336 | b1b2cf681662d37e808345a904bdd20e | 227 | August 6, 2016 |
| lsass.exe | C:\Win | 559104 | 41046278395746b075801bacac168a6b | 222 | August 6, 2016 |
| lsass.exe | c:\Win\lsass.exe | 654848 | f27a8e3559b07e927fec74f8ccb225ab | 187 | May 2, 2022 |
| lsass.exe | %SystemDrive%\Win | 654336 | fe7b2805aefc92f49a79db6b0948a7d7 | 176 | August 6, 2016 |
| file.zip | - | 483403 | 907568045e17dea5d11a20a279a241c6 | 56 | December 15, 2011 |
| my music.exe | - | 602738 | 98fd894ea9904174b4827544714b66e6 | 53 | December 15, 2011 |
| pms.exe | - | 687776 | 59d54c2871cf9799c8dcb6d05b94925c | 52 | December 15, 2011 |
| file.exe | - | 644608 | 3512cc2170cb31ce188306bc8e322425 | 51 | December 15, 2011 |
| file.exe | - | 750592 | 16e04752872ea4983b71eae84da06c13 | 50 | December 15, 2011 |