W32/Yodo.a@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/26/2003
- Length: 217088 bytes
- Minimum DAT: 4289 (08/27/2003)
- Updated DAT: 4311 (12/24/2003)
- Minimum Engine: 5.1.00
- Description Added: 09/04/2003
- Description Modified: 09/04/2003 5:52 AM (PT)
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Yodo@mm (Symantec)
Characteristics
This is an email worm written in Microsoft Visual Basic (MSVB).
Mail Propagation
This worm uses its own SMTP engine and attempts to mail itself out from infected machines. It harvests email addresses from files with the following extensions:
- txt
- htm
- csv
- doc
- rtf
- php
- html
The email has the following characteristics:
Subject: Fun game!
Message:
Please see the attachment! I scanned it for viruses before I sent it out. it's a really cool game!
Scanned with Norton Anti-Virus
Attachment: flash-game.exe
Installation
The worm installs itself onto the victim machine as:
- C:\shost.exe
- C:\flash-game.exe
It also drops a benign file, MSWINSCK.OCX (the Microsoft Visual Basic Winsock control; file size 109,248 bytes), in the root of the C: drive.
The following Registry value is set to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"hellodolly" = shost.exe
On September 14th of any year, at 1:00 p.m. system time, the worm displays a dialog box on screen.
Symptoms
Existence of the files and Registry keys detailed above.
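As an added illustration that is not part of the McAfee description, the following Python snippet turns the mail characteristics and the Installation indicators above into checks that a mail gateway or a host triage script can run; the sample message, the example file paths and the Run-key values passed in are constructed for the demo, and the host check takes its inventory from the caller so it runs on any OS.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the W32/Yodo.a@MM description above.
YODO_SUBJECT = "Fun game!"
YODO_ATTACHMENT = "flash-game.exe"
YODO_BODY_PHRASE = "I scanned it for viruses before I sent it out"
YODO_DROPPED_FILES = {r"c:\shost.exe", r"c:\flash-game.exe", r"c:\mswinsck.ocx"}
YODO_RUN_VALUE = ("hellodolly", "shost.exe")  # under HKLM\...\CurrentVersion\Run

def yodo_mail_indicators(raw_message: bytes) -> list:
    """Return which of the lure's traits (subject, body, attachment) a message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() == YODO_SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and YODO_BODY_PHRASE in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == YODO_ATTACHMENT:
            hits.append("attachment")
    return hits

def yodo_host_indicators(present_files, run_values) -> list:
    """Match a collected file inventory and Run-key values (name -> data)
    against the dropped files and startup hook listed under Installation.
    Both inputs are gathered by the caller (constructed in the demo)."""
    hits = [p for p in present_files if p.lower() in YODO_DROPPED_FILES]
    name, data = YODO_RUN_VALUE
    if run_values.get(name, "").lower() == data:
        hits.append("HKLM\\...\\Run\\" + name)
    return hits

def build_sample_mail() -> bytes:
    """Constructed lookalike of the lure (inert placeholder attachment, not a capture)."""
    m = EmailMessage()
    m["Subject"] = "Fun game!"
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m.set_content("Please see the attachment! I scanned it for viruses before I sent "
                  "it out. it's a really cool game!\nScanned with Norton Anti-Virus\n")
    m.add_attachment(b"not-an-executable", maintype="application",
                     subtype="octet-stream", filename="flash-game.exe")
    return m.as_bytes()

if __name__ == "__main__":
    print(yodo_mail_indicators(build_sample_mail()))  # ['subject', 'body', 'attachment']
```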
Method of Infection
This worm spreads by mailing itself (using its own SMTP engine) to recipients found inside files with the following extensions:
- txt
- htm
- csv
- doc
- rtf
- php
- html
Removal
All users:
Use the engine and DAT versions specified above for detection and removal.
Variants
N/A