Aliases: W32/HLLP.Arcer, TR/Spy.Delf.LK.21
Variants: PE_ARCER.C, Trojan-Spy.Win32.Delf.lk

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 23 Nov 2007
Damage: Medium

Characteristics: This type of virus exhibits the usual characteristics of this group of malware which is to infect or corrupt executable files found in a compromised computer system. The W32.HLLP.Arcer was also designed by its malicious author with an added functionality which is to steal sensitive information from the infected machine similar to the actions of data thief Worms. This malware may open an unsecured backdoor to transmit the stolen information to the malicious author.

More details about W32.HLLP.Arcer

Execution of the W32.HLLP.Arcer will extract a pair of executable files into the directory folder of the operating system of the infected host machine. These executable files are used as the trigger files for the virus to run it different infection and propagation routines. A corresponding Windows Registry key value is created for the executable files. The Windows Registry key values allow the W32.HLLP.Arcer to load automatically on system startup or restart and also to execute its infection routine every an executable file is launched by the unsuspecting computer user. The W32.HLLP.Arcer normally infects an EXE format file by including its own codes at the beginning of the target file to corrupt the program entry point.

The data stealing routine implemented by the W32.HLLP.Arcer allows it to target specific information from the compromised computer system. Normally this malware will attempt to retrieve data regarding system information as well as passwords that are cached in the machine. There is a possibility that it may try to use some form of keystroke logging to steal information as they are typed by the computer user. The W32.HLLP.Arcer is designed to connect to a predetermined Web server to deliver its stolen information. The TCP port 25 is normally used for the transmission or to listen for additional instructions.