Aliases: HLLC.HappyFlowers, W32.Walcomp
Variants: happylow, w32/nishe-a

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 10 Sep 2002
Damage: Low

Characteristics: When extracted into a vulnerable computer system, this virus scans for EXE files. W32.HLLC.Happylow then renames all the executable files, changing them to the WAL file extension. It then takes over the identity of the original executable file to trick the computer user into launching the threat on the compromised computer system. The original EXE file remains encrypted and is not removed from the machine.

More details about W32.HLLC.Happylow

To infect a vulnerable computer system, W32.HLLC.Happylow attempts to extract its executable trigger file into the same directory folder as that used by the operating system. Once successful, it modifies key values in the Windows Registry so that it is included in the services loaded by the operating system at every restart or boot-up. When W32.HLLC.Happylow has established its presence in the infected computer system, it encrypts all executable files in the same folder where it resides and assumes the identity of each encrypted file. If a computer user clicks on a hijacked file, W32.HLLC.Happylow decrypts the original executable file and launches it to avoid arousing suspicion.

This execution routine of W32.HLLC.Happylow is commonly referred to as Companion because it keeps the original version of the infected file rather than deleting or overwriting it. This particular computer threat also scans for specific trigger text strings typed by the computer user. Once one of these words is encountered, W32.HLLC.Happylow begins to deliver its payload to the infected computer system. W32.HLLC.Happylow belongs to a group of malware considered annoying rather than destructive. This is because its payload consists mostly of displaying colorful graphical flowers on the infected machine's screen.
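
A defender's check for the on-disk pattern described above, added here as an example and not taken from the original page or from any vendor tool: it lists every `name.exe` that has a `name.wal` beside it in the same folder. The function names and sample files are constructed, and reading a missing `MZ` header as consistent with the encrypted original is an assumption, since the page does not describe the encryption.

```python
import os
import tempfile


def find_companion_pairs(root):
    """Return (exe_path, wal_path, wal_starts_with_mz) for each name.exe
    that has a name.wal in the same directory (names compared case-insensitively)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem.setdefault(stem.lower(), {})[ext.lower()] = name
        for exts in by_stem.values():
            if ".exe" in exts and ".wal" in exts:
                wal = os.path.join(dirpath, exts[".wal"])
                with open(wal, "rb") as fh:
                    # A plain renamed PE file would still start with "MZ";
                    # assumption: an encrypted original would not.
                    has_mz = fh.read(2) == b"MZ"
                hits.append((os.path.join(dirpath, exts[".exe"]), wal, has_mz))
    return sorted(hits)


def demo():
    """Run the scan over a constructed sample tree: one exe/wal pair,
    one lone .exe and one unrelated lone .wal file."""
    samples = {
        "notepad.exe": b"MZ" + b"\x00" * 62,       # constructed stand-in for the impostor
        "notepad.wal": b"\x9c\x13" + b"\x41" * 62,  # constructed non-PE bytes
        "calc.exe": b"MZ" + b"\x00" * 62,           # no companion, not reported
        "texture.wal": b"\x00" * 64,                # .wal with no matching .exe
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(exe), os.path.basename(wal), mz)
                for exe, wal, mz in find_companion_pairs(root)]


if __name__ == "__main__":
    for exe, wal, mz in demo():
        print(f"{exe} has companion {wal}; .wal starts with MZ: {mz}")
```

A hit is a lead for triage, not a verdict: confirm with an up-to-date scanner before restoring or deleting either file.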