Home / malware

PDF

Win32/Yeltminky

First posted on 14 March 2012.
Source: Microsoft

Aliases :

There are no other names known for Win32/Yeltminky.

Explanation :

Win32/Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute that copy.


Top

Win32/Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute that copy.



Installation

When executed the malware makes a copy of itself in one of the following locations:

• %USERPROFILE%\<file name>.exe
• %windir%\fonts\ < file name> .fon

It may also copy itself to a secondary location.

The file name used, and the secondary location it copies itself to, is supplied as part of configuration data stored in the malware file, for example:

• %USERPROFILE%\auto.exe
• %ProgramFiles%\common files\auto.exe

The malware also drops a DLL component to one of the following locations:

• %USERPROFILE%\<random file name>.drv
• %USERPROFILE%\<random file name>.fon

The file name is randomly generated and the file extension may vary, for example:

• %USERPROFILE%\jmfxs.drv
• %windir%\fonts\evngj.fon

The DLL component may then drop a driver component with a random name in one of the following locations:

• %USERPROFILE%\<random file name>
• %windir%\fonts\<random file name>.fon

Once the driver is loaded, the file is deleted.

The worm modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "auto"
With data: "%ProgramFiles%\common files\auto.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "SysAnti"
With data: "%ProgramFiles%\common files\sysanti.exe"

The malware can also contact a remote host to provide notification of a successful infection. The host URL is provided in the configuration data.

Spreads via...

Networked and removable drives

The malware checks for all drives available from A: to Z:, and if found, it makes a copy of itself in the root directory of the drive and creates a corresponding autorun.inf file to ensure its execution.

The file name the malware uses to copy itself to is provided in configuration data stored in the malware, for example:

• <Drive>:\sysanti.exe
• <Drive>:\autorun.inf

Payload

Downloads and executes arbitrary files

The malware connects to a remote host, where it obtains a list of files to download and execute.

It then proceeds to download and execute each file. The downloaded files are written to the %Temp% directory.

Terminates processes

The malware carries a list of processes which it terminates if found executing on the infected computer. It does this by dropping the DLL component which is injected into a newly created "svchost.exe" process (the DLL component in turn drops and installs the driver).

The following is a non-exhaustive list of processes that are targeted:

• 360deepscan
• 360hotfix
• 360rp
• 360rpt
• 360Safe
• 360safebox
• 360sd
• 360tray
• adam
• AgentSvr
• AntiArp
• AppSvc32
• arvmon
• AutoGuarder
• autoruns
• avgrssvc
• AvMonitor
• avp
• avp.com
• CCenter
• ccSvcHst
• DSMain
• egui
• ekrn
• FileDsty
• findt2005
• FTCleanerShell
• HijackThis
• IceSword
• iparmo
• Iparmor
• IsHelp
• isPwdSvc
• kabaload
• KaScrScn.SCR
• KASMain
• KASTask
• KAV32
• KAVDX
• KAVPFW
• KAVSetup
• KAVStart
• killhidepid
• KISLnchr
• kissvc
• KMailMon
• KMFilter
• KPFW32
• KPFW32X
• KPFWSvc
• KRepair.COM
• krnl360svc
• KsLoader
• kswebshield
• KVCenter.kxp
• KvDetect
• kvfw
• KvfwMcl
• KVMonXP.kxp
• KVMonXP_1.kxp
• kvol
• kvolself
• KvReport.kxp
• KVScan.kxp
• KVSrvXP
• KVStub.kxp
• kvupload
• kvwsc
• KvXP.kxp
• KvXP_1.kxp
• KWatch
• KWatch9x
• KWatchX
• LiveUpdate360
• loaddll
• MagicSet
• mcconsol
• mmqczj
• mmsk
• NAVSetup
• nod32krn
• nod32kui
• PFW
• PFWLiveUpdate
• QHSET
• Ras
• Rav
• RavCopy
• RavMon
• RavMonD
• RavStore
• RavStub
• ravt08
• RavTask
• RegClean
• RegEx
• rfwcfg
• RfwMain
• rfwolusr
• rfwProxy
• rfwsrv
• RsAgent
• Rsaupd
• RsMain
• rsnetsvr
• RSTray
• runiep
• safebank
• safeboxTray
• safelive
• scan32
• ScanFrm
• shcfg32
• smartassistant
• SmartUp
• SREng
• SREngPS
• SuperKiller
• symlcsvc
• syscheck
• Syscheck2
• SysSafe
• ToolsUp
• TrojanDetector
• Trojanwall
• TrojDie.kxp
• UIHost
• UmxAgent
• UmxAttachment
• UmxCfg
• UmxFwHlp
• UmxPol
• UpLive
• WoptiClean
• ZhuDongFangYu
• zxsweep

The malware also checks for the following substrings in a process in order to terminate it:

• AutoRun
• IceSword
• NOD32
• SysCheck
• 冰刃
• 杀软
• 诺顿
• 卡巴
• æ¯Â’éÂœ¸
• æ±ÂŸæ°Â‘
• æ¸Â…道夫
• 瑞星
• æÂœ¨é©¬
• ç—…æ¯Â’
• 杀æ¯Â’
• 绿鹰
• ä¸Â“杀
• ç»Â„ç­Â–ç•¥
• 防火å¢Â™
• å®Â‰åÂ…¨å«å£«
• æ¸Â…理ä¸Â“
• äºÂ‘å®Â‰åÂ…¨

Modifies system settings

The malware creates the following registry entry:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

and uses it to prevent the execution of the following files:

• 360hotfix.exe
• 360rpt.exe
• 360Safe.exe
• 360safebox.exe
• 360tray.exe
• adam.exe
• AgentSvr.exe
• AntiArp.exe
• AppSvc32.exe
• arvmon.exe
• AutoGuarder.exe
• autoruns.exe
• avgrssvc.exe
• AvMonitor.exe
• avp.com
• avp.exe
• CCenter.exe
• ccSvcHst.exe
• FileDsty.exe
• findt2005.exe
• FTCleanerShell.exe
• HijackThis.exe
• IceSword.exe
• iparmo.exe
• Iparmor.exe
• IsHelp.exe
• isPwdSvc.exe
• kabaload.exe
• KaScrScn.SCR
• KASMain.exe
• KASTask.exe
• KAV32.exe
• KAVDX.exe
• KAVPFW.exe
• KAVSetup.exe
• KAVStart.exe
• killhidepid.exe
• KISLnchr.exe
• KMailMon.exe
• KMFilter.exe
• KPFW32.exe
• KPFW32X.exe
• KPFWSvc.exe
• KRepair.COM
• KsLoader.exe
• KVCenter.kxp
• KvDetect.exe
• kvfw.exe
• KvfwMcl.exe
• KVMonXP.kxp
• KVMonXP_1.kxp
• kvol.exe
• kvolself.exe
• KvReport.kxp
• KVScan.kxp
• KVSrvXP.exe
• KVStub.kxp
• kvupload.exe
• kvwsc.exe
• KvXP.kxp
• KvXP_1.kxp
• KWatch.exe
• KWatch9x.exe
• KWatchX.exe
• LiveUpdate360.exe
• loaddll.exe
• MagicSet.exe
• mcconsol.exe
• mmqczj.exe
• mmsk.exe
• NAVSetup.exe
• nod32krn.exe
• nod32kui.exe
• PFW.exe
• PFWLiveUpdate.exe
• QHSET.exe
• Ras.exe
• Rav.exe
• RavCopy.exe
• RavMon.exe
• RavMonD.exe
• RavStore.exe
• RavStub.exe
• ravt08.exe
• RavTask.exe
• RegClean.exe
• RegEx.exe
• rfwcfg.exe
• RfwMain.exe
• rfwolusr.exe
• rfwProxy.exe
• rfwsrv.exe
• RsAgent.exe
• Rsaupd.exe
• RsMain.exe
• rsnetsvr.exe
• RSTray.exe
• runiep.exe
• safebank.exe
• safeboxTray.exe
• safelive.exe
• scan32.exe
• ScanFrm.exe
• shcfg32.exe
• smartassistant.exe
• SmartUp.exe
• SREng.exe
• SREngPS.exe
• symlcsvc.exe
• syscheck.exe
• Syscheck2.exe
• SysSafe.exe
• ToolsUp.exe
• TrojanDetector.exe
• Trojanwall.exe
• TrojDie.kxp
• UIHost.exe
• UmxAgent.exe
• UmxAttachment.exe
• UmxCfg.exe
• UmxFwHlp.exe
• UmxPol.exe
• UpLive.exe
• WoptiClean.exe
• zxsweep.exe

Note: This list is not exhuastive.

Modifies Hosts file

The malware modifies the Hosts file in an attempt to prevent the affected user from accessing certain antivirus websites.

The list of sites it blocks access to is carried by the malware, or obtained from a remote host, which is specified in the configuration data carried by the malware.

Below are some examples of the websites it attempts to block access to:

• 360.cn
• 360.qihoo.com
• 360safe.cn
• 360safe.com
• bbs.kafan.cn
• bbs.sucop.com
• chinakv.com
• cnnod32.cn
• dl.jiangmin.com
• dswlab.com
• duba.net
• eset.com.cn
• jiangmin.com
• kafan.cn
• kaspersky.com
• kaspersky.com.cn
• lanniao.org
• nod32.com
• nod32club.com
• rising.com.cn
• shadu.duba.net
• tool.ikaka.com
• union.kingsoft.com
• virscan.org
• virustotal.com

Modifies browser settings

Win32/Yeltminky can also modify the browser start page to point to a particular URL. The URL is provided in the configuration data carried by the malware.



Analysis by Ray Roberts

Last update 14 March 2012

 

TOP