Virus: TR/Yakes.cxml
Date discovered: 16/07/2013
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 131.072 Bytes
MD5 checksum: 07DA0AC397D191699EBF24CD473D8C79
VDF version: 7.11.90.192 - Tuesday, July 16, 2013
IVDF version: 7.11.90.192 - Tuesday, July 16, 2013

General

Aliases:
   •  Kaspersky: Trojan.Win32.Yakes.cxml
   •  Eset: Win32/LockScreen.AVP
   •  DrWeb: Trojan.Siggen5.36824


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Third party control
   • Falsely reports malware infection or system problems and offers to fix them if the user buys the application.


Right after execution the following information is displayed:

The picture has been edited for display purposes.

Files

It copies itself to the following location:
   • %APPDATA%\cache.dat




It tries to download some files:

– The location is the following:
   • http://bvhto.com/ytmxykvq-srzn-yjbqgoqsvltmih-onba_ygak-jwwp-pyrnftvnxynn-nfrivrzhco-iqca-usriuo-bfju-nenqnhqsne-.php


– The location is the following:
   • http://crnxt.net/gd-qkkd-vttsorqpnhrnux-lafz-yvms-xciqjlviehcolargkguqybbw-difrcbuotf-rcsnkosrddvnalliigvral.php


– The location is the following:
   • http://awocl.su/xyawrkow-pvpzturnkbbinazv-fmxo-exsyfptwddopznvkynohcubijgbqcr-vtks-lxxtxy-pqga-pvej-rdmyoxfy.php

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "shell"="explorer.exe,%APPDATA%\cache.dat"

Injection

– It injects itself into a process.

    Process name:
   • svchost.exe


File details

Programming language:
The malware program was written in MS Visual C++.

Description inserted by Andrei Ivanes on Thursday, July 18, 2013
Description updated by Andrei Ivanes on Thursday, July 18, 2013
