W32.HLLW.Yodo is a worm that spreads through the KaZaA file-sharing network. It copies itself as C:\Windows\System32\Updater.exe.

W32.HLLW.Yodo is written in the Microsoft Visual Basic programming language.

Type: Worm
Infection Length: 73,728 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX

THREAT ASSESSMENT

Wild:

Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Threat Metrics

Wild: Low
Damage: Low
Distribution: Medium

Distribution

Shared drives: Shares itself over the KaZaA file-sharing network.

TECHNICAL DETAILS
When W32.HLLW.Yodo runs, it does the following:


Copies itself as C:\Windows\System32\Updater.exe.


Adds the value:

"Windowz Update V2.0"="%Windir%\System32\Explorer.exe"

to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


Copies itself to the Kazaa shared folders:
C:\Program~1\KAZAA\MYSHAR~1\
C:\Program~1\KAZAAL~1\MYSHAR~1\

as the following files:

Hentai game
Windows XP
Halflife
Keygen


Displays various messages, such as:
Greetings from the underground to those in the normal world
Hello Again Dolly! This time we are back for Round 2. Hope your Ready ^_^
For complete details visit:
http://securityresponse.symantec.com...hllw.yodo.html

Cheers,
BD]Hobbit
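
A triage sketch for the indicators listed in the write-up above, added here as an example and not part of the original post or the vendor's tooling: it checks a REGEDIT4-style text export of the Run key and a file listing collected from a suspect host. The function names, the sample export and the sample listing are constructed, and treating any file of exactly 73,728 bytes in the share folders as suspicious is a heuristic assumption.

```python
import ntpath
import re

# Indicators copied from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Windowz Update V2.0"
DROP_PATH = r"C:\Windows\System32\Updater.exe"
WORM_SIZE = 73728  # "Infection Length: 73,728 bytes"
SHARE_DIRS = {r"c:\program~1\kazaa\myshar~1", r"c:\program~1\kazaal~1\myshar~1"}
LURE_STEMS = {"hentai game", "windows xp", "halflife", "keygen"}
PAIR = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path_lowercased: {value_name: string_data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := PAIR.match(line)):
            # .reg files escape backslashes and quotes; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_indicators(reg_text, files):
    """files: iterable of (full_path, size_in_bytes) from the suspect host."""
    run = parse_reg_export(reg_text).get(RUN_KEY.lower(), {})
    hits = [("run-value", n, d) for n, d in run.items()
            if n.lower() == RUN_VALUE.lower()]
    for path, size in files:
        folder, leaf = ntpath.split(path)
        stem = ntpath.splitext(leaf)[0].lower()
        # Assumption: in a share folder, a lure name or the exact worm size is a hit.
        if path.lower() == DROP_PATH.lower():
            hits.append(("dropped-copy", path, size))
        elif folder.lower() in SHARE_DIRS and (stem in LURE_STEMS or size == WORM_SIZE):
            hits.append(("kazaa-share-copy", path, size))
    return hits

# Constructed sample input, not taken from a real host.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Windowz Update V2.0"="%Windir%\\System32\\Explorer.exe"
'''
SAMPLE_FILES = [(r"C:\Windows\System32\Updater.exe", 73728),
                (r"C:\Program~1\KAZAA\MYSHAR~1\Keygen.exe", 73728),
                (r"C:\Program~1\KAZAA\MYSHAR~1\holiday.mp3", 4194304)]
```

Calling `find_indicators(SAMPLE_REG, SAMPLE_FILES)` returns one tuple per match; the listing is assumed to use the same 8.3 short paths the write-up gives for the Kazaa folders.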