
View Full Version : Ecard danger


caleb_yee
26-08-03, 17:10
W32.HLLW.Yodo.B is a mass-mailing worm that sends itself through any MAPI-compliant email client, including Microsoft Outlook.

The mail has the following characteristics:

Subject: A E-card just for you from your friend
Message: Hello. I just wanted to send you this e-card to show you how much of a friend you are to me! Please look at the attached E-card.
Scanned with Norton Anti-Virus
Attachment: ecard.exe

When W32.HLLW.Yodo.B runs, it performs the following actions:

Displays the following message:
http://www.symantec.com/avcenter/graphics/w32.hllw.yodo.b.1.gif

Copies itself as the following:

%Windir%\ecard.exe
%System%\ecard.exe

NOTES:
%Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
%System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Adds a value:

"E-Card"="ecard.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when Windows starts.

Deletes the following files:

%Windir%\*.ini
%System%\regedt32.exe

Sends itself through any MAPI-compliant email client, including Microsoft Outlook.

The mail has the following characteristics:

Subject: A E-card just for you from your friend
Message: Hello. I just wanted to send you this e-card to show you how much of a friend you are to me! Please look at the attached E-card.
Scanned with Norton Anti-Virus
Attachment: ecard.exe

Removal instructions
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan and delete all the files detected as W32.HLLW.Yodo.B.
4. Delete the value that was added to the registry.
5. Restore the files that the worm deleted.

No jokes....beware people...this looks nasty
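The indicators in the post above (the lure subject, the ecard.exe attachment, the "E-Card" Run value and the dropped ecard.exe copies) are simple enough to check by hand. The script below is an added example, not code from the post or from Symantec: scan_message() parses a raw e-mail and reports which Yodo.B lure characteristics it matches, and check_host() takes a dump of the Run key values and a directory listing and reports the worm's persistence and dropped files, plus the deleted regedt32.exe. The sample .eml is constructed to reproduce the message described above; live_host_findings() is a Windows-only wrapper (it assumes the winreg module and a %windir% variable, so it is not exercised here) that feeds the real Run key and %Windir%/%System% listings into check_host().

```python
"""Detect the W32.HLLW.Yodo.B e-mail lure and host traces (added example)."""
import email
import ntpath
from email import policy

# Indicators quoted from the post above (originally the Symantec writeup).
LURE_SUBJECT = "A E-card just for you from your friend"
LURE_ATTACHMENT = "ecard.exe"
LURE_BODY_PHRASES = ("Please look at the attached E-card", "Scanned with Norton Anti-Virus")
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "E-Card"
RUN_VALUE_DATA = "ecard.exe"

# Constructed sample message that reproduces the lure (payload is just an MZ header).
SAMPLE_EML = b"""From: friend@example.invalid
To: you@example.invalid
Subject: A E-card just for you from your friend
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello. I just wanted to send you this e-card to show you how much of a friend you are to me! Please look at the attached E-card.
Scanned with Norton Anti-Virus
--b1
Content-Type: application/octet-stream; name="ecard.exe"
Content-Disposition: attachment; filename="ecard.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def scan_message(raw: bytes) -> list[str]:
    """Return the Yodo.B lure indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.casefold() == LURE_SUBJECT.casefold():
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for phrase in LURE_BODY_PHRASES:
        if phrase.casefold() in text.casefold():
            hits.append(f"body:{phrase}")
    for part in msg.iter_attachments():
        base = ntpath.basename(part.get_filename() or "").casefold()
        if base == LURE_ATTACHMENT:
            hits.append("attachment:ecard.exe")
        elif base.endswith(".exe"):
            hits.append(f"attachment:exe:{base}")
        # A renamed attachment is still a PE if it starts with the MZ magic.
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            hits.append(f"attachment:pe:{base}")
    return hits


def check_host(run_values: dict[str, str], existing_files: set[str]) -> list[str]:
    """Check Run-key values and a listing of %Windir%/%System% for the worm's traces.

    existing_files must be the full listing of the System folder, otherwise the
    regedt32.exe deletion check below produces a false positive.
    """
    findings = []
    for name, data in run_values.items():
        if name.casefold() == RUN_VALUE_NAME.casefold() or \
                ntpath.basename(data).casefold() == RUN_VALUE_DATA:
            findings.append(f"run-key:{name}={data}")
    names = {ntpath.basename(p).casefold(): p for p in existing_files}
    for base, path in names.items():
        if base == LURE_ATTACHMENT:
            findings.append(f"file:{path}")
    if "regedt32.exe" not in names:  # the worm deletes %System%\regedt32.exe
        findings.append("missing:regedt32.exe")
    return findings


def live_host_findings() -> list[str]:
    """Windows only (assumption: winreg available): read the real Run key and folders."""
    import os
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            run_values[name] = str(data)
            i += 1
    windir = os.environ.get("windir") or os.environ.get("SystemRoot") or r"C:\Windows"
    files = set()
    for folder in (windir, os.path.join(windir, "System32"), os.path.join(windir, "System")):
        if os.path.isdir(folder):
            files.update(os.path.join(folder, f) for f in os.listdir(folder))
    return check_host(run_values, files)


if __name__ == "__main__":
    print(scan_message(SAMPLE_EML))
```

On a mail gateway, the subject and body matches alone would be a weak signal, but an executable attachment (by name or by MZ magic) arriving with that subject is enough to quarantine; on the host, a hit on the Run value or on ecard.exe in either folder means the removal steps above still apply, and "missing:regedt32.exe" confirms the deletion the writeup describes.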