W32.HLLW.Caspid

W32.HLLW.Caspid is a worm that spreads through file-sharing networks, such as Morpheus and KaZaA. It is a virus that infects HTML files. This worm may also spread through email by setting itself as the default stationery used in email messages.

W32.HLLW.Caspid takes advantage of a vulnerability described in MS03-14, which allows for the execution of a MIME-encoded program inside an HTML file.

This worm is written in Visual Basic and is packed with UPX.

The existence of %Windir%\Capside.exe or %Windir%\Capside.htm is an indication of infection.

Protection

• Initial Rapid Release version September 11, 2003
• Latest Rapid Release version August 20, 2008 revision 017
• Initial Daily Certified version September 11, 2003
• Latest Daily Certified version January 20, 2009 revision 048
• Initial Weekly Certified release date September 11, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium

Distribution

• Distribution Level: Medium