New worm Win32.HLLW.Cicar steals passwords and masquerades as spicy pics

September 21, 2006

Virus Monitoring service of Doctor Web, Ltd. informs on a new virus labeled by Dr.Web as Win32.HLLW.Cicar. A virus disseminates in mail messages written in Spanish with the subject Video de Daniela Cicarello trazando. The infected message contains a link and a user is asked to click the link and download new clip of some Daniela Cicarelli. The file offered for download is called cicarelli-17022006.mpg.exe (227 840 bytes) and has an icon of Windows Media Player.

Technical description

- Being run by a careless user Win32.HLLW.Cicar copies itself to C:\Windows as smss.exe and registers itself in the following system registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"cicarelli – 1702006.mpg"=C:\Windows\smss.exe.

- It downloads file msn.jpg (807 936 bytes, detected by Dr.Web as Trojan.PWS.Banker.5094) which is a Trojan program stealing passwords to banking systems.

- It send via MSN messages in Spanish with the link to its parent website.

Doctor Web, Ltd. calls all users to be attentive and never open messages received from unknown addresses. If your computer was infected with Win32.HLLW.Cicar, it is recommended to disconnect the computer from local network and\or Internet and scan it with Dr.Web. You can also check your computer for free and cure it, if necessary, with free curing utility — Dr.Web CureIt!.

More details and free services by Doctor Web, Ltd. at www.freedrweb.com.

ATTENTION! It is strongly recommended to change passwords to banking systems stored in your computer.

2008-05-13	April 2008 virus activity review from Doctor Web, Ltd.
2008-05-13	Twenty five thousand subscribers of Eltel get protection by Dr.Web AV-Desk™
2008-05-07	Dr.Web AV-Desk shields four hundred educational institutions of the Russian university network RUNNet
2008-05-06	New version of Dr.Web anti-virus scanner for Windows released
2008-05-06	Win32.Ntldrbot (aka Rustock.C) no longer a myth, no longer a threat. New Dr.Web scanner detects and cures it for real
2008-05-05	Another 17 Russian cities get anti-virus as a service with Dr.Web AV-Desk
2008-05-04	Protection against viruses and spam from Doctor Web, Ltd. and Sun Microsystems thoroughly tested
2008-05-04	Another Russian ISP launches Dr.Web AV-Desk
2008-05-02	Doctor Web – Central Asia Kazakhstan market summary 2007
2008-05-02	Doctor Web came to China at the eve of Olympics
2008-04-08	PC Magazine Russia: Dr.Web AV-Desk – the best product-as-a-service of 2007
2008-04-07	Dr.Web for IBM Lotus Domino – a new product by Doctor Web, Ltd. protecting application servers of enterprises and corporations
2008-04-03	Updated Dr.Web Shell Extension library released
2008-04-03	Dr.Web for Unix Mail servers and Dr.Web Mail Gateway have been updated to version 4.44.1
2008-04-02	March 2008 virus activity review from Doctor Web, Ltd.
2008-04-01	Updated version of Dr.Web Enterprise Suite 4.44.2 released
2008-04-01	Dr.Web scanner vanquishes BackDoor.MaosBoot once again
2008-04-01	Updated modules of Dr.Web anti-virus for Windows workstations released