
Worm:Win32/YahLover.M


First posted on 20 October 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/YahLover.M.

Explanation :

Threat behavior

Installation

Worm:Win32/YahLover.M copies itself to the following locations:

  • %windir%\system32_.exe
  • \system32_.exe
The malware changes the following registry entries so that it runs each time you start your PC:

Sets value: "Yahoo Messengger"
With data: "c:\windows\system32\system32_.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: "Shell"
With data: "explorer.exe system32_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The first entry is per-user and only starts the worm for the account that ran it. The second appends the worm to the machine-wide Winlogon shell, so Winlogon launches it alongside explorer.exe at every interactive logon on the PC.

The malware creates the following files on your PC:
  • c:\documents and settings\administrator\desktop\sioril.lnk
  • c:\documents and settings\administrator\favorites\make friends.lnk
  • c:\documents and settings\administrator\my documents\new jobs info.lnk
  • c:\documents and settings\administrator\start menu\programs\startup\gogle.lnk
  • c:\documents and settings\all users\start menu\programs\startup\google.lnk
The malware tries to create a scheduled Windows task that runs the worm at 09:00 am every day of the week, by running the following Windows shell commands. The first command deletes every existing AT job on the machine; the second schedules the copy at the root of the drive to run interactively (on the logged-on desktop) at 09:00 on each day of the week. AT.exe is deprecated on newer Windows versions, where scheduled tasks are managed with schtasks.exe, so this persistence only succeeds on systems that still support AT:

cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su \system32_.exe

Payload

Changes system settings

Worm:Win32/YahLover.M removes the run-time limit for AT jobs so that its scheduled task is never stopped after a timeout. AtTaskMaxHours is the number of hours an AT job may run before the Task Scheduler service kills it; a value of 0 means no limit. The worm does this by making the following registry change:

Sets value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule

Changes browser settings

The malware changes the start page for Internet Explorer to http://www.todaygoogle.com by making the following registry modification:

Sets value: "Start Page"
With data: "http://www.todaygoogle.com"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
This malware description was produced and published using automated analysis of file SHA1 e9e6880a596dc606e6c21aee625f7e54106bf229.

Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    %windir%\system32_.exe
    \system32_.exe
    c:\documents and settings\administrator\desktop\sioril.lnk
    c:\documents and settings\administrator\favorites\make friends.lnk
    c:\documents and settings\administrator\my documents\new jobs info.lnk
    c:\documents and settings\administrator\start menu\programs\startup\gogle.lnk
    c:\documents and settings\all users\start menu\programs\startup\google.lnk
  • You see these entries or keys in your registry:

    Sets value: "Yahoo Messengger"
    With data: "c:\windows\system32\system32_.exe"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Sets value: "Shell"
    With data: "explorer.exe system32_.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Sets value: "AtTaskMaxHours"
    With data: "0"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule

    Sets value: "Start Page"
    With data: "http://www.todaygoogle.com"
    In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
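The following read-only sweep, added here as an example and not Microsoft's own code, checks a Windows host for every indicator listed above: the two dropped copies, the .lnk lures, the four registry values (including the AtTaskMaxHours change described under Payload) and the 09:00 AT job. It assumes an elevated PowerShell 3.0 or later, and uses $env:windir and $env:SystemDrive in place of the literal c:\windows and root-of-drive paths the automated analysis reported. Nothing is deleted; each hit is printed as one line.

```powershell
# Added example (not Microsoft's code): read-only sweep for the Worm:Win32/YahLover.M
# indicators on this page. Run from an elevated PowerShell 3.0 or later.
# Assumption: $env:windir / $env:SystemDrive stand in for the literal c:\windows
# and root-of-drive paths the automated analysis reported.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies of the worm: %windir%\system32_.exe and <drive>\system32_.exe
$paths = @(
    (Join-Path $env:windir 'system32_.exe'),
    (Join-Path $env:SystemDrive 'system32_.exe')
)

# The .lnk lures were reported under the Administrator profile. Check every profile
# in the XP-era "Documents and Settings" layout the analysis used, not only Administrator.
$profileRoot = Join-Path $env:SystemDrive 'Documents and Settings'
$perUserLnk  = @('desktop\sioril.lnk',
                 'favorites\make friends.lnk',
                 'my documents\new jobs info.lnk',
                 'start menu\programs\startup\gogle.lnk')
foreach ($profile in Get-ChildItem -LiteralPath $profileRoot -Directory -ErrorAction SilentlyContinue) {
    foreach ($rel in $perUserLnk) { $paths += Join-Path $profile.FullName $rel }
}
$paths += Join-Path $profileRoot 'all users\start menu\programs\startup\google.lnk'

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("FILE  $p") }
}

# 2. Registry values the worm sets. The Run and Internet Explorer values live in HKCU,
#    so only the current user's hive is inspected here; load other users' NTUSER.DAT
#    hives to cover them. "Messengger" is spelt exactly as the worm writes it.
$regChecks = @(
    @{ Key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'Yahoo Messengger'
       Bad  = { param($v) $v -match 'system32_\.exe' } },
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'
       # The default is exactly "explorer.exe"; the worm appends " system32_.exe".
       # Any other non-default shell also deserves a look, so it is reported too.
       Bad  = { param($v) $v -ne 'explorer.exe' } },
    @{ Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
       Name = 'AtTaskMaxHours'
       Bad  = { param($v) [int]$v -eq 0 } },
    @{ Key  = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
       Name = 'Start Page'
       Bad  = { param($v) $v -match 'todaygoogle\.com' } }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = $item.($c.Name)
        if (& $c.Bad $value) { $findings.Add("REG   $($c.Key)\$($c.Name) = '$value'") }
    }
}

# 3. The daily 09:00 AT job. On systems that still support AT, its jobs appear in the
#    verbose schtasks.exe listing as tasks named At<N>, so that listing is searched for
#    the worm's command line.
$taskList = & schtasks.exe /query /fo LIST /v 2>$null
if ($taskList -match 'system32_\.exe') { $findings.Add('TASK  scheduled task runs system32_.exe') }

if ($findings.Count -eq 0) { 'No Worm:Win32/YahLover.M indicators found.' } else { $findings }
```

The Winlogon Shell check deliberately flags any value other than the default "explorer.exe" rather than only the exact string the worm writes; on a host with a legitimately customised shell, adjust that test to match 'system32_\.exe' instead.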

Last update 20 October 2014
