Aliases: Win32.HLLP.Shodi.c, W32/Shodi.worm.d, Win32/HLLP.Shodi.C, Win32:ShodiD, Win32/Shodi.C
Variants: W32/HLLP.Shodi.C, Win32/HLLP.Shodi.C

Classification: Malware
Category: Computer Virus

Status: Inactive
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 25 Apr 2004
Damage: Low

Characteristics: The W32.Shodi.C program is a virus that pretends to be executable files.

More details about W32.Shodi.C

The W32.Shodi.C program is a virus that pretends to be executable or .exe files. It can also drop a fixed access tool. When a file contaminated w/ a W32.Shodi.C virus is opened, it extracts the original file to a file with a “.sho” extension, and then it opens it. For instance, if “notepad.exe” is contaminated, the W32.Shodi.C program will extract the notepad program to “notepad.sho” and then opens it. The virus searches for the files with “.exe” extensions on all the hard drives, beginning w/ drive C. The virus looks for the folders on the hard drive, except names such as “windows”, “system”, and “system32”. The virus doesn’t contaminate the files with names such as “iexplorer.exe”, “ccApp.exe”, and ccRegVfy.exe”. The virus conceals itself to some of the files that it locates. The W32.Shodi.Cprogram changes its icon to resemble that of the host file. The virus creates a temporary duplicate of itself as %System%Shohdi.hdi.

The W32.Shodi.C worm program can use the browser to record the user’s browsing habits. Information typed in online forms and browser fields may also be recorded. This may be stealthily sent to another person. A backdoor is also created in the computer. This is done by opening an unused system port. The W32.Shodi.C worm software uses this port to connect to a remote server. It will then wait to receive instructions that it will execute without the user’s consent.