SonicWALL Security Center
Yahos Worm Spreading in the Wild (Aug 12, 2010)



Description


The SonicWALL UTM Research team has received reports of a new variant of the Yahos worm spreading in the wild. It propagates through instant messaging applications (Yahoo Messenger, AOL, Skype and MSN) and through the social networking site Facebook. It also includes an IRC-based backdoor through which it receives instructions from a remote server.

Installation:

Drops a copy of itself under the file name of the legitimate Java Update Scheduler (the genuine jusched.exe is installed under the Java directory in Program Files, never directly in %Windows%, so a jusched.exe at this path is a reliable indicator):

  • %Windows%\jusched.exe - [ detected as GAV: Yahos.BA (Worm) ]

Drops the following files:

  • C:\sssA1234567890.exe - [ detected as GAV: Yahos.BA_2 (Trojan) ]
  • C:\WINDOWS\system32\rrrc.yeo - [ detected as GAV: Oficla_14 (Trojan) ]

Downloads related Malware:

  • C:\WINDOWS\system32\8c.html - [ detected as GAV: Kryptik.EVL (Trojan) ]
  • %User Profile%\fow.exe - [ detected as GAV: Kryptik.CLM (Trojan) ]
  • %User Profile%\secupdat.dat - [ detected as GAV: Cetorp.P_3 (Backdoor) ]
  • C:\WINDOWS\system32\secupdat.dat - [ detected as GAV: Cetorp.P_3 (Backdoor) ]

Creates a mutex to ensure that only one instance of the worm runs on the system:

  • Micro Upe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the User folder, which is usually C:\Documents and Settings\{Current User})

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

Adds the following entry to the Windows Firewall authorized applications list (the Windows XP / Server 2003 firewall exceptions list), so that the firewall does not block the worm's traffic:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: "C:\WINDOWS\jusched.exe"
    Data: "C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
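The installation and registry artifacts above can be checked offline against a registry export and a file inventory collected from a suspect host. The script below is an added example written for this page, not code from SonicWALL or the original alert. The indicator values are taken from the lists above; the registry fragment and file list it runs on are constructed samples in the `reg export` format, and the rule that jusched.exe belongs only under a Java directory in Program Files is an assumption stated in the code.

```python
"""Added example (not part of the SonicALERT page or SonicWALL's own tooling):
flag the Yahos.BA host artifacts listed above in a registry export and a file
inventory. The registry fragment and file list below are constructed samples;
the IOC values come from the advisory."""
import re

RUN_VALUE_NAME = "Java developer Script Browse"

# Dropped/downloaded files with fixed paths (compared case-insensitively).
DROPPED_FILES = {
    r"c:\windows\jusched.exe",
    r"c:\sssa1234567890.exe",
    r"c:\windows\system32\rrrc.yeo",
    r"c:\windows\system32\8c.html",
    r"c:\windows\system32\secupdat.dat",
}
# %User Profile% varies per user, so these are matched on file name only.
DROPPED_NAMES = {"fow.exe", "secupdat.dat"}

FIREWALL_LIST_KEY = (
    r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
    r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list"
)

_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg files write backslashes as \\ and embedded quotes as \".
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Parse the subset of `reg export` output used here: [key] headers followed
    by "name"="string data" lines. Key paths are lower-cased for comparison."""
    hives, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            hives.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            hives[current][_unescape(m.group("name"))] = data
    return hives


def is_rogue_jusched(path: str) -> bool:
    """Assumption: the genuine Java Update Scheduler (jusched.exe) lives under a
    Java directory in Program Files, so a copy anywhere else (the worm uses
    %Windows%) is suspicious."""
    p = path.strip().strip('"').lower()
    if not p.endswith("\\jusched.exe"):
        return False
    return "\\java" not in p.rsplit("\\", 1)[0]


def find_registry_iocs(hives: dict) -> list:
    findings = []
    for key, values in hives.items():
        if key.endswith(r"\software\microsoft\windows\currentversion\run"):
            # Covers the HKCU, HKLM and Terminal Server\Install Run keys.
            for name, data in values.items():
                if name == RUN_VALUE_NAME or is_rogue_jusched(data):
                    findings.append(f"autorun {name!r} -> {data} in {key}")
        elif key == FIREWALL_LIST_KEY:
            # Entries are "<path>:*:Enabled:<display name>".
            for name, data in values.items():
                if is_rogue_jusched(name) or data.endswith(RUN_VALUE_NAME):
                    findings.append(f"firewall exception for {name}")
    return findings


def find_file_iocs(paths: list) -> list:
    findings = []
    for path in paths:
        p = path.lower()
        if p in DROPPED_FILES or p.rsplit("\\", 1)[-1] in DROPPED_NAMES or is_rogue_jusched(p):
            findings.append(f"dropped file present: {path}")
    return findings


def scan(reg_text: str, file_list: list) -> list:
    return find_registry_iocs(parse_reg(reg_text)) + find_file_iocs(file_list)


# Constructed sample: a registry export fragment from an infected host, including
# one legitimate Java Update Scheduler autorun that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Java developer Script Browse"="\"C:\\WINDOWS\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\jusched.exe"="C:\\WINDOWS\\jusched.exe:*:Enabled:Java developer Script Browse"
'''

# Constructed file inventory (as from `dir /s /b`).
SAMPLE_FILES = [
    r"C:\WINDOWS\jusched.exe",
    r"C:\WINDOWS\system32\rrrc.yeo",
    r"C:\Documents and Settings\Alice\fow.exe",
    r"C:\Program Files\Common Files\Java\Java Update\jusched.exe",  # legitimate
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REG, SAMPLE_FILES):
        print(finding)
```

The Run-key check matches on the key suffix so that all three persistence locations above, including the Terminal Server\Install mirror, are covered by one rule, and the jusched.exe test is on the parent directory rather than the file name so that the real Java updater is not reported.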

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instructions:

  • Remote Server: ptf.messenger-update.su

This worm also joins the following IRC channel to receive instructions:

  • #!gf!

[screenshot of the IRC communication not reproduced]

Backdoor Functionality:
  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

This worm may download files and updates from the following addresses:

  • 95.211.130.132
  • 212.95.32.52
  • rgtryhbgddtyh.biz
  • wertdghbyrukl.ch
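The C&C host, the IRC channel and the download addresses above can be matched against DNS, connection and IRC events from network monitoring. The script below is an added example for this page, not code from SonicWALL or the original alert. Its event lines are constructed samples in a simple key=value form, not real logs, and the event field names are assumptions. Two details matter in practice and are built in: domain matching must cover subdomains without hitting unrelated names, and IP matching must compare parsed addresses rather than string prefixes. The page gives no port or protocol for the IRC connection, so the example does not match on port. These indicators date from August 2010, and the IP addresses in particular may have been reassigned since, so treat them as historical.

```python
"""Added example (not part of the SonicALERT page or SonicWALL's own tooling):
match the network indicators listed above (C&C host, download addresses, IRC
channel) against DNS, connection and IRC events. Event lines are constructed
samples in a key=value form, not real logs."""
import ipaddress
import re

C2_DOMAINS = {"ptf.messenger-update.su", "rgtryhbgddtyh.biz", "wertdghbyrukl.ch"}
C2_IPS = {ipaddress.ip_address(a) for a in ("95.211.130.132", "212.95.32.52")}
IRC_CHANNEL = "#!gf!"

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_IRC_JOIN = re.compile(r"^JOIN\s+(?P<chan>\S+)", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """'<timestamp> k=v k="quoted v" ...' -> dict (assumed event format)."""
    ts, _, rest = line.partition(" ")
    fields = {k: quoted or plain for k, quoted, plain in _KV.findall(rest)}
    fields["ts"] = ts
    return fields


def domain_matches(qname: str) -> bool:
    """Exact or subdomain match; a plain substring test would also hit
    unrelated names such as 'notmessenger-update.su'."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def ip_matches(addr: str) -> bool:
    """Compare parsed addresses so 212.95.32.5 does not match 212.95.32.52."""
    try:
        return ipaddress.ip_address(addr) in C2_IPS
    except ValueError:
        return False


def match_event(ev: dict) -> list:
    """Return every reason an event matches; one event may match more than once."""
    reasons = []
    if ev.get("type") == "dns" and domain_matches(ev.get("qname", "")):
        reasons.append(f"DNS lookup of C&C domain {ev['qname']}")
    if ip_matches(ev.get("dst", "")):
        reasons.append(f"connection to C&C address {ev['dst']}")
    if ev.get("type") == "irc":
        m = _IRC_JOIN.match(ev.get("payload", ""))
        if m and m.group("chan").lower() == IRC_CHANNEL:
            reasons.append(f"IRC JOIN to botnet channel {IRC_CHANNEL}")
    return reasons


def scan_events(text: str) -> list:
    """Return (timestamp, host, reason) for every matching event."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits.extend((ev["ts"], ev.get("host", "?"), r) for r in match_event(ev))
    return hits


def infected_hosts(text: str) -> set:
    return {host for _, host, _ in scan_events(text)}


# Constructed sample events (not real traffic). ws03 and ws21 are decoys that
# a sloppy prefix or substring match would wrongly flag.
SAMPLE_EVENTS = """\
2010-08-12T10:01:03Z type=dns host=ws12 qname=ptf.messenger-update.su
2010-08-12T10:01:03Z type=dns host=ws07 qname=www.example.com
2010-08-12T10:01:05Z type=conn host=ws12 dst=212.95.32.52 dport=80
2010-08-12T10:01:06Z type=conn host=ws03 dst=212.95.32.5 dport=443
2010-08-12T10:01:09Z type=irc host=ws12 dst=95.211.130.132 payload="JOIN #!gf!"
2010-08-12T10:02:00Z type=irc host=ws21 dst=10.0.0.5 payload="JOIN #helpdesk"
2010-08-12T10:03:00Z type=dns host=ws09 qname=cdn.rgtryhbgddtyh.biz
"""

if __name__ == "__main__":
    for ts, host, reason in scan_events(SAMPLE_EVENTS):
        print(ts, host, reason)
```

Run as-is, the sample yields five hits on two hosts (ws12 and ws09); the 212.95.32.5 connection and the #helpdesk join are left alone.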

Propagation:

This worm propagates via the following platforms:

Instant Messaging Applications:
  • AOL
  • MSN
  • Skype
  • Yahoo Messenger

Social Networking site:
  • Facebook

Other System Modification:

Terminates the following services (a stopped Automatic Updates or Malware Protection service on an otherwise healthy host is itself a useful indicator):

  • Microsoft Malware Protection Service - MsMpSvc
  • Windows Automatic Updates service - wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Yahos.BA (Worm)
  • GAV: Yahos.BA_2 (Trojan)
  • GAV: Oficla_14 (Trojan)
  • GAV: Kryptik.EVL (Trojan)
  • GAV: Kryptik.CLM (Trojan)
  • GAV: Cetorp.P_3 (Backdoor)



© 2014 Dell