W32.HLLW.Oror.B@mm

W32.HLLW.Oror@mm is a mass-mailing worm that sends itself to all email addresses that it finds in incoming messages. The worm also spreads by using mIRC, network shares, and mapped drives. It attempts to close windows and delete files of various antivirus and firewall programs. Generally, the email message is constructed mainly from randomly selected combinations of strings. However, some email messages are not constructed randomly; these email messages will be one of the following:

Subject: Blondinkii
Attachment: Blondies.exe

Subject: <Infected computer's current user name> sent you a Yahoo! Greeting_
Attachment: Yahoo!Tomcats.exe

Subject: Microsoft Bulgaria_
Attachment: IE_0274_bg.exe

Subject:  Vajno_
Attachment: IE50_032_Setup.exe

Subject: WinAmp Team_
Attachment: Iguana1.0_skin.exe

Subject: Virus Alert_
Attachment: IE_0276_Setup.exe

Subject: Yahoo! Toolbar_
Attachment: Yahoo!Toolbar.exe

Protection

• Initial Rapid Release version November 6, 2002
• Latest Rapid Release version June 22, 2009 revision 066
• Initial Daily Certified version November 6, 2002
• Latest Daily Certified version June 19, 2009 revision 051
• Initial Weekly Certified release date November 6, 2002

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Medium

Distribution

• Distribution Level: High