Virus: Worm/Yahos.rm
Date discovered: 07/02/2011
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 98.304 Bytes
MD5 checksum: D71CF2E90CE9C5A7045154CB85D7223D
VDF version: 7.10.08.136
IVDF version: 7.11.02.84 - Monday, February 7, 2011

General

Method of propagation:
   • Messenger


Aliases:
   •  Mcafee: W32/Sdbot.bfr!a
   •  Kaspersky: IM-Worm.Win32.Yahos.rm
   •  TrendMicro: TROJ_SLENFBOT.SM
   •  F-Secure: IM-Worm.Win32.Yahos.rm
   •  Sophos: W32/Slenfbot-K
   •  VirusBuster: Worm.Yahos!yvpGUw5B++g
   •  DrWeb: Win32.HLLW.Oscar.35
   •  Fortinet: W32/SLENFBOT.SM!tr
   •  Norman: W32/Slenfbot.T


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Drops a file
   • Lowers security settings
   • Records keystrokes
   • Registry modification
   • Opens website in web browser

Files

It copies itself to the following location:
   • %WINDIR%\nvsvc32.exe



The following file is created:

– Non-malicious file:
   • %WINDIR%\ntdll.dl




It tries to execute the following files:

– Filename:
   • %SYSDIR%\net.exe

– Filename:
   • %SYSDIR%\netsh.exe
   using the following command-line arguments: netsh firewall add allowedprogram 1.exe 1 ENABLE

– Filename:
   • %SYSDIR%\ntvdm.exe
   using the following command-line arguments: -f -i1

– Filename:
   • %SYSDIR%\ntvdm.exe
   using the following command-line arguments: -f -i2

– Filename:
   • %SYSDIR%\sc.exe
   using the following command-line arguments: config wuauserv start= disabled

– Filename:
   • %SYSDIR%\sc.exe
   using the following command-line arguments: config MsMpSvc start= disabled

– Filename:
   • %WINDIR%\explorer.exe
   using the following command-line arguments: http://browseusers.myspa**********.com/Browse/Browse.aspx

Registry

The following registry keys are added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
   • "NVIDIA driver monitor"="%WINDIR%\nvsvc32.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%malware execution directory%\%executed file%.exe"="%WINDIR%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
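As an added defender-side illustration (not part of the Avira description), the following Python routine checks process-creation and registry events for the defence-lowering steps listed above: the sc.exe calls disabling wuauserv and MsMpSvc, the netsh firewall exception, the Run-key autorun value and the AuthorizedApplications whitelist entry for nvsvc32.exe. The event tuples are constructed samples, and the (image, command line) / (key, name, value) event shapes are an assumption about the log source.

```python
import re

SECURITY_SERVICES = {"wuauserv", "msmpsvc"}  # Windows Update, Microsoft Antimalware (from the description)
DROPPED_IMAGE = "\\nvsvc32.exe"
RUN_KEY = re.compile(r"\\currentversion\\run$")
FW_LIST = "\\authorizedapplications\\list"

def check_process(image, cmdline):
    """Flag the sc.exe and netsh.exe invocations used to lower defences."""
    exe = image.lower().rsplit("\\", 1)[-1]
    args = cmdline.lower()
    hits = []
    if exe == "sc.exe":
        m = re.search(r"config\s+(\S+)\s+start=\s*disabled", args)
        if m and m.group(1) in SECURITY_SERVICES:
            hits.append("service disabled: " + m.group(1))
    if exe == "netsh.exe" and "firewall add allowedprogram" in args:
        hits.append("firewall exception added via netsh")
    return hits

def check_registry(key, name, value):
    """Flag autorun and firewall-whitelist values that point at the dropped file."""
    k = key.lower()
    hits = []
    if RUN_KEY.search(k) and value.lower().endswith(DROPPED_IMAGE):
        hits.append("autorun entry '%s' -> %s" % (name, value))
    if k.endswith(FW_LIST):
        # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>; rsplit keeps a drive colon in the path
        parts = value.rsplit(":", 3)
        if len(parts) == 4 and parts[0].lower().endswith(DROPPED_IMAGE) and parts[2] == "Enabled":
            hits.append("firewall whitelist entry for " + parts[0])
    return hits

SAMPLE_EVENTS = [  # constructed to mirror the behaviour described above
    ("process", r"C:\Windows\system32\sc.exe", "sc config wuauserv start= disabled"),
    ("process", r"C:\Windows\system32\sc.exe", "sc config Spooler start= disabled"),  # benign, not flagged
    ("process", r"C:\Windows\system32\netsh.exe", "netsh firewall add allowedprogram 1.exe 1 ENABLE"),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "NVIDIA driver monitor", r"C:\Windows\nvsvc32.exe"),
    ("registry", r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy"
     r"\StandardProfile\AuthorizedApplications\List",
     r"C:\Windows\nvsvc32.exe", r"C:\Windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"),
]

def scan(events):
    findings = []
    for ev in events:
        findings += check_process(*ev[1:]) if ev[0] == "process" else check_registry(*ev[1:])
    return findings
```

`scan(SAMPLE_EVENTS)` returns four findings, one per malicious event; the benign Spooler line produces none.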



The following registry keys are changed:

Lowers Internet Explorer security settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
   New value:
   • "ProxyBypass"=dword:00000001
   • "IntranetName"=dword:00000001
   • "UNCAsIntranet"=dword:00000001

– [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
   New value:
   • "MigrateProxy"=dword:00000001
   • "ProxyEnable"=dword:00000000
   • "ProxyServer"=-
   • "ProxyOverride"=-
   • "AutoConfigURL"=-

– [HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings]
   New value:
   • "ProxyEnable"=dword:00000000

Messenger

It spreads via Messenger. The characteristics are described below:

– Yahoo Messenger


Message

   • %gathered from the internet%

The URL refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC

To deliver system information and to provide remote control, it connects to the following IRC server:

Server: %IRC server%
Port: 1234
Server password: xxx
Channel: !nn!
Nickname: NEW-[GBR|00|P|%random numbers%]
Password: test



– This malware has the ability to collect and send the following information:
    • Information about the Windows operating system


– Furthermore, it has the ability to perform the following actions:
    • Connect to IRC server
    • Disconnect from IRC server
    • Join IRC channel
    • Leave IRC channel

Miscellaneous

Internet connection:

It resolves the following host names:
Accesses internet resources:
   • http://browseusers.myspa**********.com/Browse/Browse.aspx
   • http://www.myspa**********.com/browse/people
   • http://174.37.200.**********/config.php
   • http://www.facebo**********.com/home.php
   • http://www.facebo**********.com/login.php

File details

Programming language:
The malware program was written in MS Visual C++.


Compilation date:
Date: 05/02/2011
Time: 17:38:51

Description inserted by Alexander Bauer on Tuesday, February 8, 2011
Description updated by Andrei Ivanes on Friday, February 11, 2011
