W32.HLLW.Cozit

W32.HLLW.Cozit is a worm that spreads using the KaZaA peer-to-peer network. It is written in Borland C++ and packed by the UPX runtime packer. It copies itself to the Windows folder as Svchost.exe and changes the registry to run this file whenever you start Windows. When the worm is executed, it copies itself to the KaZaA download folder using a file name chosen at random from a list that the worm carries. On December 1, the worm will display a message in the title bar of the foreground window.

Protection

• Initial Rapid Release version October 18, 2002
• Latest Rapid Release version October 18, 2002
• Initial Daily Certified version October 18, 2002
• Latest Daily Certified version October 18, 2002
• Initial Weekly Certified release date October 23, 2002

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Medium