W32.HLLW.Yodo is a worm that spreads through the KaZaA file-sharing network. It copies itself as C:\Windows\System32\Updater.exe.
W32.HLLW.Yodo is written in the Microsoft Visual Basic programming language.
Type: Worm
Infection Length: 73,728 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
THREAT ASSESSMENT
Wild:
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate
Threat Metrics
Wild: Low
Damage: Low
Distribution: Medium
Distribution
Shared drives: Shares itself over the KaZaA file-sharing network.
TECHNICAL DETAILS
When W32.HLLW.Yodo runs, it does the following:
1. Copies itself as C:\Windows\System32\Updater.exe.
2. Adds the value:
   "Windowz Update V2.0"="%Windir%\System32\Explorer.exe"
   to the registry key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Copies itself to the KaZaA shared folders:
   C:\Program~1\KAZAA\MYSHAR~1\
   C:\Program~1\KAZAAL~1\MYSHAR~1\
   as the following files:
   Hentai game
   Windows XP
   Halflife
   Keygen
4. Displays various messages, such as:
   Greetings from the underground to those in the normal world
   Hello Again Dolly! This time we are back for Round 2. Hope your Ready ^_^
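The indicators listed above can be checked offline against a text export of the Run key and a file listing. The following is an added example, not part of the original write-up; the function names, the sample data, and the assumption that the Run value is exported as a plain string are illustrative.

```python
import re
# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Windowz Update V2.0"
DROPPED_COPY = r"C:\Windows\System32\Updater.exe"
INFECTION_LENGTH = 73728  # bytes
BAIT_NAMES = ("hentai game", "windows xp", "halflife", "keygen")

# "name"="data" line of a .reg export (assumes a plain string value; \ and " are backslash-escaped).
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def scan_reg_export(text):
    """Return (key, name, data) for Run values carrying the worm's value name."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key and key.lower() == RUN_KEY.lower():
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            if name.lower() == RUN_VALUE_NAME.lower():
                hits.append((key, name, data))
    return hits

def scan_file_listing(entries):
    """entries: (path, size) pairs. Flag the dropped copy and bait-named files."""
    hits = []
    for path, size in entries:
        lower = path.lower()
        # Assumption: bait files may carry an extension the page does not list.
        stem = lower.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if lower == DROPPED_COPY.lower():
            hits.append((path, "dropped copy path"))
        elif size == INFECTION_LENGTH and stem in BAIT_NAMES:
            hits.append((path, "bait name with the worm's length"))
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\tray.exe"
"Windowz Update V2.0"="%Windir%\\System32\\Explorer.exe"
'''
SAMPLE_FILES = [(r"C:\Windows\System32\Updater.exe", 73728),
                (r"C:\Program~1\KAZAA\MYSHAR~1\Keygen.exe", 73728),
                (r"C:\Program~1\KAZAA\MYSHAR~1\Halflife.exe", 512000)]
```

Registry exports are usually UTF-16; decode the file to text before passing it to scan_reg_export. A file-size match is only a triage hint and should be confirmed with an antivirus scan.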