Win32/Helompy is a worm that spreads via removable drives and attempts to capture and steal authentication details for a number of different websites or services, including Facebook and Gmail. The worm contacts a remote host to download arbitrary files and to upload stolen details.
When run under the administrator account, Win32/Helompy drops a copy of the worm in any of the following file folders:
%TEMP%\<eight-character alphanumeric string>_Rar\ (such as '%TEMP%\000335A7_Rar\')
In the wild, this worm was observed executing as one of the following file names, with 'hidden', 'system' and 'read-only' file attributes:
When run under an account with limited privileges, the worm copies itself to the Windows startup folder as a file named "desktop.exe".
The worm uses a file folder icon as a lure; if the affected user double-clicks it, it creates a folder and opens that folder in a new instance of Explorer, so the file appears to behave like a real folder. This behavior was observed in testing and is illustrated below, with a test sample named "Helompy-gen.exe":
The registry is modified to run the worm copy, as in the following example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "run32"
With data: "<path and file name of the worm copy>" (e.g. "c:\win\lsass.exe")
The worm copies itself to the root of all removable drives using the name of the target drive, and with file attributes of 'hidden', 'system' and 'read-only'. The worm then writes an Autorun configuration file named "autorun.inf" pointing to the worm copy. When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Captures logon credentials
Win32/Helompy creates a data file, used to store captured data, on the first fixed drive with free space, as follows:
To maximize the capture of user account logon credentials, the worm may disable the auto-complete setting for Internet Explorer by modifying the following registry data:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Use FormSuggest"
With data: "no"
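The Run-key persistence, the autorun.inf on removable drives and the "Use FormSuggest" change described above are all host-observable. The following checker is an added example (not part of the original analysis) that flags those indicators over constructed sample data: a registry snapshot dictionary, an autorun.inf body and a root-directory listing with attribute flags; the drive/file names in the samples are made up, and reading a live registry with winreg is left as an assumption.

```python
import configparser

# Registry locations quoted in the analysis above; the sample data below is constructed.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
IE_MAIN_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main"

SAMPLE_REGISTRY = {                       # constructed snapshot {key: {value: data}}
    RUN_KEY: {"run32": r"c:\win\lsass.exe"},
    IE_MAIN_KEY: {"Use FormSuggest": "no"},
}
SAMPLE_AUTORUN = "[autorun]\nopen=USBDRIVE.exe\nicon=USBDRIVE.exe\nshell\\open\\command=USBDRIVE.exe\n"
SAMPLE_ROOT = {                           # constructed root listing {name: attribute flags}
    "usbdrive.exe": {"hidden", "system", "readonly"},
    "autorun.inf": {"hidden"},
}

def check_registry(snapshot):
    """Return findings for the two registry indicators described in the write-up.
    snapshot maps key path -> {value name: data}; on a live host it would be built
    with winreg (assumed, not done here so the example runs offline)."""
    findings = []
    run = snapshot.get(RUN_KEY, {})
    if "run32" in run:
        findings.append("Run value 'run32' -> %s" % run["run32"])
    ie = snapshot.get(IE_MAIN_KEY, {})
    if str(ie.get("Use FormSuggest", "")).lower() == "no":
        findings.append("IE auto-complete disabled: 'Use FormSuggest' = no")
    return findings

def autorun_targets(text):
    """Parse an autorun.inf body (INI syntax) and return the files it launches:
    'open', 'shellexecute' and any shell\\...\\command entry, deduplicated."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    targets = []
    if cp.has_section("autorun"):
        for name, val in cp.items("autorun"):
            if name in ("open", "shellexecute") or name.endswith("\\command"):
                val = val.strip().strip('"')
                if val not in targets:
                    targets.append(val)
    return targets

def suspicious_autorun(text, root_listing):
    """Flag launch targets that sit at the drive root with the hidden, system
    and read-only attributes the worm sets on its copy."""
    wanted = {"hidden", "system", "readonly"}
    return [t for t in autorun_targets(text)
            if wanted <= root_listing.get(t.lower(), set())]
```

A clean drive yields an empty list from suspicious_autorun, and a host without the "run32" value or the FormSuggest change yields no registry findings.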
The worm then monitors application windows and records keystrokes when any of the following strings or keywords are found in the application window title:
Connect to Remote Host
Gmail: Email from Google
Welcome to Facebook! | Facebook
Yahoo! Mail: The best web-based email!
The worm uses HTTP to send captured data to a remote server, using a server-side script.
Some variants of Win32/Helompy attempt to download updated versions of the worm from remote servers.
Analysis by Daniel Radu