SonicWall Security Center

Yahos Worm Spreading in the Wild (Aug 12, 2010)


The SonicWALL UTM Research team has received reports of a new variant of the Yahos worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AOL, Skype and MSN, as well as through the social networking site Facebook. It also includes an IRC-based backdoor through which it receives instructions from a remote server.


Drops a copy of itself:

  • %Windows%\jusched.exe - [ detected as GAV: Yahos.BA (Worm) ]

Drops the following files:

  • C:\sssA1234567890.exe - [ detected as GAV: Yahos.BA_2 (Trojan) ]
  • C:\WINDOWS\system32\rrrc.yeo - [ detected as GAV: Oficla_14 (Trojan) ]

Downloads related Malware:

  • C:\WINDOWS\system32\8c.html - [ detected as GAV: Kryptik.EVL (Trojan) ]
  • %User Profile%\fow.exe - [ detected as GAV: Kryptik.CLM (Trojan) ]
  • %User Profile%\secupdat.dat - [ detected as GAV: Cetorp.P_3 (Backdoor) ]
  • C:\WINDOWS\system32\secupdat.dat - [ detected as GAV: Cetorp.P_3 (Backdoor) ]

Creates a mutex to ensure that only one instance of the worm runs on the system:

  • Micro Upe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the User folder, which is usually C:\Documents and Settings\{Current User})

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

Adds the following registry entry, which registers the dropped copy as an authorized application in the Windows Firewall (XP/2003 StandardProfile) so that its network traffic is not blocked:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: "C:\WINDOWS\jusched.exe"
    Data: "C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"
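As an added example (not part of the SonicWall advisory), the following Python script looks for the persistence and firewall-exception artifacts listed above in a `reg export` file, so the check can be run offline against exports collected from many hosts. It decodes the XP/2003 AuthorizedApplications value format (`path:scope:Enabled|Disabled:display name`) rather than string-matching the whole line. The sample .reg text, the legitimate Java updater and Windows Messenger entries in it, and the heuristic that an autostart binary sitting directly in the Windows directory is suspicious are assumptions made for this example.

```python
import ntpath
import re

# Indicators taken from the advisory above.
IOC_VALUE_NAME = "Java developer Script Browse"
IOC_EXE = r"C:\WINDOWS\jusched.exe"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server"
    r"\Install\Software\Microsoft\Windows\CurrentVersion\Run",
)
FIREWALL_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)

# Constructed sample of a `reg export` file (not from the page): the two entries the
# advisory lists, next to a legitimate Java updater and a Windows Messenger entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"Java developer Script Browse"="\"C:\\WINDOWS\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\jusched.exe"="C:\\WINDOWS\\jusched.exe:*:Enabled:Java developer Script Browse"
'''

_HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
_ESC_RE = re.compile(r'\\(.)')          # .reg escapes: \\ -> \ and \" -> "
_WINROOT_RE = re.compile(r'[a-z]:\\(windows|winnt)')


def _normalize_key(key):
    """Expand HKLM/HKCU abbreviations and lower-case (registry paths are case-insensitive)."""
    hive, sep, rest = key.partition("\\")
    return (_HIVES.get(hive.upper(), hive.upper()) + sep + rest).lower()


def parse_reg(text):
    """Parse a .reg export into {key_lower: {value_name: data}}.

    Only REG_SZ ("...") data is decoded; dword:/hex: data is kept as the raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = _normalize_key(m.group("key"))
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _ESC_RE.sub(r"\1", data[1:-1])
            keys[current][_ESC_RE.sub(r"\1", m.group("name"))] = data
    return keys


def parse_authorized_app(value_name, data):
    """Decode an AuthorizedApplications entry into (path, scope, state, label) or None."""
    if not data.lower().startswith(value_name.lower() + ":"):
        return None
    parts = data[len(value_name) + 1:].split(":", 2)   # display name may itself contain ':'
    if len(parts) != 3:
        return None
    scope, state, label = parts
    return value_name, scope, state, label


def _command_exe(command):
    """Extract the executable from a Run-key command line ("C:\\x.exe" /args or C:\\x.exe /args)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _in_windows_root(path):
    # Assumption for this example: an autostart binary directly in %Windows% (not in
    # system32 or Program Files) is worth flagging even if the name differs.
    return _WINROOT_RE.fullmatch(ntpath.dirname(path).rstrip("\\").lower()) is not None


def find_yahos_iocs(reg_text):
    """Return (category, key, value/label, exe) for every matching persistence or firewall entry."""
    keys, findings = parse_reg(reg_text), []
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key.lower(), {}).items():
            exe = _command_exe(data)
            if (name == IOC_VALUE_NAME or exe.lower() == IOC_EXE.lower()
                    or (ntpath.basename(exe).lower() == "jusched.exe" and _in_windows_root(exe))):
                findings.append(("run-key persistence", run_key, name, exe))
    for name, data in keys.get(FIREWALL_KEY.lower(), {}).items():
        entry = parse_authorized_app(name, data)
        if entry is None:
            continue
        path, _scope, state, label = entry
        if state.lower() == "enabled" and (label == IOC_VALUE_NAME or path.lower() == IOC_EXE.lower()
                                            or _in_windows_root(path)):
            findings.append(("firewall exception", FIREWALL_KEY, label, path))
    return findings


if __name__ == "__main__":
    for finding in find_yahos_iocs(SAMPLE_REG):
        print(*finding, sep=" | ")
```

The legitimate Sun Java Update Scheduler entry shares the `jusched.exe` file name but lives under `Program Files`, which is why the check keys on the value name, the full path and the directory rather than on the file name alone.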

Command & Control (C&C) Server connection:

    Upon successful installation, it attempts to connect to a remote server to receive further instructions:
    Remote Server:



    This worm also joins the following IRC channel to receive instructions:

    • #!gf!

    The screenshot below shows the IRC communication:


Backdoor Functionality:
  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files
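As an added example (not part of the SonicWall advisory), the following Python script parses IRC traffic line by line according to the RFC 1459 message grammar and reports every JOIN to the C&C channel named above, including JOINs that arrive as part of a comma-separated channel list and channel names in a different case. The sample session, its nick and the server name are constructed for this example; the advisory does not publish the server.

```python
# Channel named in the advisory above; IRC channel names are case-insensitive.
C2_CHANNELS = {"#!gf!"}

# Constructed IRC session (not a capture from the page): both directions as they would
# appear on the wire, with a hypothetical nick and server name.
SAMPLE_SESSION = """NICK xp-victim
USER xp-victim 0 * :xp-victim
:irc.example.net 001 xp-victim :Welcome to the network
JOIN #!gf!
:xp-victim!xp-victim@10.0.0.5 JOIN :#!gf!
PING :irc.example.net
PONG :irc.example.net
JOIN #help,#chat
"""


def parse_irc_line(line):
    """Split one IRC message into (prefix, COMMAND, params) per RFC 1459.

    The optional ':prefix' is stripped, the last parameter may be a ':trailing'
    argument containing spaces, and the command is upper-cased.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        words = head.split() + [trailing]
    else:
        words = line.split()
    if not words:
        return None
    return prefix, words[0].upper(), words[1:]


def joined_channels(params):
    """JOIN takes a comma-separated channel list; keys, if any, are the second parameter."""
    return [ch for ch in params[0].split(",") if ch] if params else []


def find_c2_joins(session_text, channels=C2_CHANNELS):
    """Return (line_no, prefix, channel) for every JOIN to a known C&C channel."""
    wanted = {ch.lower() for ch in channels}
    hits = []
    for line_no, line in enumerate(session_text.splitlines(), 1):
        parsed = parse_irc_line(line)
        if parsed is None:
            continue
        prefix, command, params = parsed
        if command != "JOIN":
            continue
        for channel in joined_channels(params):
            if channel.lower() in wanted:
                hits.append((line_no, prefix, channel))
    return hits


if __name__ == "__main__":
    for line_no, prefix, channel in find_c2_joins(SAMPLE_SESSION):
        print(f"line {line_no}: {prefix or 'client'} joined {channel}")
```

The client's own `JOIN` and the server's echo of it (with the `nick!user@host` prefix) are both reported, so the check works on either direction of a capture.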

Network Activity:

This worm may download files and updates from the following addresses:



This worm propagates via the following platforms:

    Instant Messaging Applications:
    • AOL
    • MSN
    • Skype
    • Yahoo Messenger

    Social Networking site:
    • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service - MsMpSvc
  • Windows AutoUpdate Service - wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Yahos.BA (Worm)
  • GAV: Yahos.BA_2 (Trojan)
  • GAV: Oficla_14 (Trojan)
  • GAV: Kryptik.EVL (Trojan)
  • GAV: Kryptik.CLM (Trojan)
  • GAV: Cetorp.P_3 (Backdoor)


© 2020 SonicWall