The December 2011 edition of the MSRT includes detection and clean-up for the Win32/Helompy Family. Helompy is a worm that propagates by copying itself to the root of removable drives, and its main payload is to record account credentials and login information and send them to a remote server, where the attacker could retrieve them for use.

At its root, Helompy is a compiled AutoIt script which we first encountered in the wild in 2009. Like most malware scripted with AutoIt, it presents itself in an innocent way by using the icon of a folder, tricking the user into thinking they are simply opening a folder when double-clicking it. Below is an example of the file icon used by Win32/Helompy:

Win32/Helompy file icon

To add more credibility, once you launch the malware, it creates a directory with the same name and opens the folder using a new instance of Explorer:

file folder created by Win32/Helompy

The worm creates a file folder and copies itself to that directory with 'hidden', 'system' and 'read-only' file attributes, to hide it from view. The new copy of the worm may be named "configuration.exe", "1.exe" or "lsass.exe", as you can see in the image below:

The registry is modified to run the worm copy when Windows starts, as illustrated below:

As a payload, the worm awaits login information to be entered for various websites or services:

The worm records all pressed keystrokes and saves them to a file, usually at the following location:

  • [drive]:\DebugDLL\CatRoot\dll\systems.dll where [drive] is C or D.

When the account information has been logged, it is sent to a remote server, using a server-side script:

  • <remote server>/cmd.php?command=[file name]
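The traits described above (the known drop names, the hidden/system/read-only attribute set, an executable "shadowing" a folder of the same name, the keystroke log path and the cmd.php exfiltration URL) can be turned into a simple defender-side triage check. The following is an added example, not code from this post or from MMPC; the drive listing and proxy log lines are constructed, and the listing format (path, Win32 attribute bits, is_dir) is an assumption about how the caller gathers them, for instance from os.scandir() on a removable drive.

```python
import ntpath
import re

# Win32 file-attribute bits, as documented for the Win32 API.
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
HELOMPY_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

DROP_NAMES = {"configuration.exe", "1.exe", "lsass.exe"}   # names reported in the post
KEYLOG_RE = re.compile(r"^[a-z]:\\debugdll\\catroot\\dll\\systems\.dll$", re.I)
EXFIL_RE = re.compile(r"/cmd\.php\?command=[^&\s]+", re.I)

def find_suspect_files(listing):
    """listing: iterable of (path, attribute_bits, is_dir) tuples (assumed format).
    Returns a list of (path, reason) for entries matching Helompy's on-disk traits."""
    listing = list(listing)
    dirs = {ntpath.normcase(p) for p, _, is_dir in listing if is_dir}
    hits = []
    for path, attrs, is_dir in listing:
        if is_dir:
            continue
        if KEYLOG_RE.match(path):
            hits.append((path, "keystroke log at Helompy's known location"))
            continue
        parent, name = ntpath.split(path)
        stem, ext = ntpath.splitext(name)
        if ext.lower() != ".exe":
            continue
        if name.lower() in DROP_NAMES and (attrs & HELOMPY_ATTRS) == HELOMPY_ATTRS:
            hits.append((path, "hidden+system+read-only copy with a known drop name"))
        elif ntpath.normcase(ntpath.join(parent, stem)) in dirs:
            # The folder-icon lure: Photos.exe sitting next to a Photos\ directory.
            hits.append((path, "executable shadowing a folder of the same name"))
    return hits

def find_exfil_requests(log_lines):
    """Return proxy log lines (constructed format: '<client> <method> <url>')
    that carry the cmd.php?command= upload pattern."""
    return [line for line in log_lines if EXFIL_RE.search(line)]

SAMPLE_LISTING = [  # constructed contents of an infected removable drive
    ("E:\\Photos.exe", 0x20, False),                 # lure with folder icon (ARCHIVE only)
    ("E:\\Photos", 0x10, True),                      # directory created on launch
    ("E:\\Photos\\configuration.exe", HELOMPY_ATTRS, False),
    ("E:\\Photos\\holiday.jpg", 0x20, False),
    ("C:\\DebugDLL\\CatRoot\\dll\\systems.dll", FILE_ATTRIBUTE_HIDDEN, False),
]
SAMPLE_LOG = [  # constructed proxy log lines
    "10.0.0.5 GET http://example.invalid/cmd.php?command=systems.dll",
    "10.0.0.5 GET http://example.invalid/index.html",
]
```

Run find_suspect_files(SAMPLE_LISTING) and find_exfil_requests(SAMPLE_LOG) to see the lure, the dropped copy, the log file and the upload request flagged; a clean drive listing returns an empty list.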

Although this worm isn't sophisticated, it managed to infect quite a number of computers. It’s interesting to see the distribution of Helompy based on locale over the last four months, below:

Locale          Percent of total reports
Turkey          60.9
Brazil          18.7
United States    9.8
Russia           1.6
Portugal         1.1
South Africa     0.9
All other        6.9

As we can clearly see from the table, more than 60% of the infections occurred in Turkey. This could suggest the initial point of propagation, or the main target.

By adding Win32/Helompy to this month's release of the MSRT, we hope to quickly remove the malware from those who are infected, limit their exposure to this keyboard logger, and subsequently eradicate Helompy from the ecosystem.

SHA1 of prevalent samples:

-- Daniel Radu, MMPC