
Worm:Win32/YahLover.L


First posted on 20 October 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/YahLover.L.

Explanation :

Threat behavior

Installation

Worm:Win32/YahLover.L copies itself to the following locations:

  • %windir%\system32_.exe
  • \system32_.exe
The malware changes the following registry entries so that it runs each time you start your PC:

Sets value: "Shell"
With data: "explorer.exe system32_.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The malware creates the following files on your PC:
  • c:\documents and settings\administrator\desktop\sioril.lnk
  • c:\documents and settings\administrator\favorites\make friends.lnk
  • c:\documents and settings\administrator\my documents\new jobs info.lnk
  • c:\documents and settings\administrator\start menu\programs\startup\gogle.lnk
  • c:\documents and settings\all users\start menu\programs\startup\google.lnk
The malware tries to create a scheduled Windows task that runs the worm at 09:00 am every day of the week. It first deletes every existing AT job, then registers its own, by running the following Windows shell commands:

cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su \system32_.exe

Payload

Changes system settings
Worm:Win32/YahLover.L sets the AT service's maximum task run time to 0 (no limit), so its scheduled job is never stopped for running too long. It does this by making the following registry change:

Sets value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule

Contacts remote host
The malware might contact a remote host at h1.ripway.com over TCP port 80. Commonly, malware does this to:
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 2862bd5e0557d5e69d1db7f8d7654c04ce6e249c.

Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    %windir%\system32_.exe
    \system32_.exe
    c:\documents and settings\administrator\desktop\sioril.lnk
    c:\documents and settings\administrator\favorites\make friends.lnk
    c:\documents and settings\administrator\my documents\new jobs info.lnk
    c:\documents and settings\administrator\start menu\programs\startup\gogle.lnk
    c:\documents and settings\all users\start menu\programs\startup\google.lnk
  • You see these entries or keys in your registry:

    Sets value: "Shell"
    With data: "explorer.exe system32_.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Sets value: "AtTaskMaxHours"
    With data: "0"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
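The indicators listed in the Installation, Payload and Symptoms sections above (dropped executables, decoy .lnk files, the Winlogon Shell value, AtTaskMaxHours, the AT job and the h1.ripway.com contact) can be checked in one pass. The PowerShell script below is an added example and is not part of Microsoft's write-up. It assumes an elevated prompt on an English-language Windows install (schtasks column names are localized), resolves the XP-era "documents and settings" paths for the current user and the all-users Startup folder through known folders (an assumption: the worm writes into whichever profile it runs under), and treats the scheduled-task and DNS-cache checks as heuristics rather than proof of infection.

```powershell
# Added example (not from the original Microsoft write-up): hunt for the
# Worm:Win32/YahLover.L indicators on the local host. Run elevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executables: %windir%\system32_.exe and \system32_.exe (root of
#    the system drive). Note the underscore: this is a file, not the System32 folder.
$exePaths = @(
    (Join-Path $env:windir 'system32_.exe'),
    (Join-Path "$env:SystemDrive\" 'system32_.exe')
)
foreach ($p in $exePaths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        $findings.Add("File present: $p (SHA1 $h)")
    }
}

# 2. Decoy shortcuts. The write-up lists XP-style paths under
#    c:\documents and settings\administrator; resolve the same folders for
#    the current profile (assumption) and report where each .lnk points.
$lnkTargets = @(
    @{ Folder = 'Desktop';       Name = 'sioril.lnk' },
    @{ Folder = 'Favorites';     Name = 'make friends.lnk' },
    @{ Folder = 'MyDocuments';   Name = 'new jobs info.lnk' },
    @{ Folder = 'Startup';       Name = 'gogle.lnk' },
    @{ Folder = 'CommonStartup'; Name = 'google.lnk' }
)
$wsh = New-Object -ComObject WScript.Shell
foreach ($t in $lnkTargets) {
    $p = Join-Path ([Environment]::GetFolderPath($t.Folder)) $t.Name
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $target = $wsh.CreateShortcut($p).TargetPath
        $findings.Add("Shortcut present: $p -> $target")
    }
}

# 3. Winlogon Shell hijack. The legitimate value is exactly "explorer.exe";
#    the worm appends its own binary so it starts at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings.Add("Winlogon Shell modified: '$shell'")
}

# 4. AT service run-time limit disabled. The value is not normally present;
#    the worm sets it to 0 so its job is never killed for running too long.
$sched = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
$maxHours = (Get-ItemProperty -Path $sched -Name AtTaskMaxHours -ErrorAction SilentlyContinue).AtTaskMaxHours
if ($null -ne $maxHours -and [int]$maxHours -eq 0) {
    $findings.Add("AtTaskMaxHours set to 0 under $sched")
}

# 5. Scheduled job. Jobs created with AT show up in schtasks as At1, At2, ...;
#    flag any task whose action references system32_.exe, whatever its name.
#    Column names below assume an English Windows install.
$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.'Task To Run' -match 'system32_\.exe') {
        $findings.Add("Scheduled task '$($t.TaskName)' runs $($t.'Task To Run') (next: $($t.'Next Run Time'))")
    }
}

# 6. Contact with h1.ripway.com. The resolver cache only records recent
#    lookups, so a miss here does not clear the host.
$dns = ipconfig.exe /displaydns 2>$null
if ($dns -match 'ripway\.com') {
    $findings.Add('DNS resolver cache contains a ripway.com lookup')
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm:Win32/YahLover.L indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The Shell check compares against the single legitimate value rather than searching for the worm's file name, so it also catches other Winlogon Shell hijacks; the task and DNS checks are deliberately loose for the same reason. A hit on the Winlogon or AtTaskMaxHours values should be treated as a confirmed persistence artifact even if the executable itself has already been removed.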

Last update 20 October 2014
