The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1


Detected Feb 14 2011 04:17 GMT
Released Feb 14 2011 08:27 GMT

This is a description which has been automatically generated following analysis of this program on a test machine. This description may contain incomplete or inaccurate information.


Technical details

File size of 43008 bytes.


Makes copies of itself with the following names once launched:

  • Windows system directory (usually, C:\Windows\System32) %System%\WinH81.exe

Ensures Using the system registry, system services or special system files, the program can launch itself or launch the creation of its files every time the Windows OS is subsequently booted autorun of the following installed files:

using system services:
Service name:WinH81
Displayed service name:Windows81
Startup parameters Windows system directory (usually, C:\Windows\System32) %System%\WinH81.exe
Startup type:­automatic­

Other activities

Runs the following files (commands):

  • Windows system directory (usually, C:\Windows\System32) %System%\WinH81.exe (­implements multiple launch­)

Modifies the system registry keys:

[ System registry hive HKEY_LOCAL_MACHINEHKLM\SYSTEM\ControlSet001\Services\WinH81 ] "Description" = "Windows Help System81"

Deletes the following files on an infected computer:

  • <­path to source program­><­file of source program ­>
  • 8.txt

Bookmark and Share

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Trojan.Win32.Yoddos.b (Kaspersky Lab) is also known as:

  • Trojan: New Malware.cn (McAfee)
  • Mal/Generic-L (Sophos)
  • W32/Dropper.6!Generic (FPROT)
  • Trojan:Win32/Yoddos.A (MS(OneCare))
  • BackDoor.Darkshell.246 (DrWeb)
  • Trojan.Packed.194 (DrWeb)
  • Win32/Kryptik.KAR trojan (Nod32)
  • Gen:Variant.Kazy.9710 (BitDef7)
  • Trojan.Kryptik!/zmQtzAQ6Uw (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Trojan.Win32.Yoddos (Ikarus)
  • DDoS.S (AVG)
  • BACKDOOR.Trojan (NAV)
  • NseCheckFile2() returned 0x00010018 (Norman)
  • Trojan.Win32.Generic.1274DB4B (Rising)
  • Trojan.Kryptik!/zmQtzAQ6Uw (VirusBusterBeta)