Trojan:Win32/Yektel.A
First posted on 16 February 2009.
Source: SecurityHome
Aliases:
Trojan:Win32/Yektel.A is also known as Win32/Warax.P (CA), Trojan.Win32.FraudPack.gen (Kaspersky), Downloader.MisleadApp (Symantec), FakeAlert-AB (McAfee).
Explanation:
Win32/Yektel is a family of trojans that display fake warnings of spyware or malware in an attempt to lure the user into installing or paying money to register rogue security products such as Trojan:Win32/FakeXPA. It is downloaded by most variants of Win32/FakeXPA.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:

The presence of the following files:
<system folder>\explorer32.exe
<system folder>\ieupdates.exe
<system folder>\winsrc.dll

The presence of the following registry modifications (for example):

Adds value: "ieupdates"
With data: "<system folder>\ieupdates.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: "ieupdate"
With data: "<system folder>\explorer32.exe "
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Sets value: (default)
With data: "<system folder>\winsrc.dll"
In subkey: HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32

Sets value: (default)
With data: "&Research"
In subkey: HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}

The display of fake warning messages in Internet Explorer, such as those described under Payload.
Installation
Each Win32/Yektel variant consists of an EXE (TrojanDownloader:Win32/Yektel) which downloads and installs a DLL (Trojan:Win32/Yektel) as a BHO (Browser Helper Object).

TrojanDownloader:Win32/Yektel usually copies itself to one or both of these file names:
<system folder>\explorer32.exe
<system folder>\ieupdates.exe

It modifies the registry to execute one of these copies each time Windows starts, e.g.:
Adds value: "ieupdates"
With data: "<system folder>\ieupdates.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Or:
Adds value: "ieupdate"
With data: "<system folder>\explorer32.exe "
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The downloader usually saves Trojan:Win32/Yektel.A as:
<system folder>\winsrc.dll

This DLL is installed as a BHO by setting registry entries such as these:
Creates key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}

Sets value: (default)
With data: "<system folder>\winsrc.dll"
In subkey: HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32

Sets value: (default)
With data: "&Research"
In subkey: HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
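As an added example (not part of the original write-up), the following Python checks a Regedit .reg export for the persistence indicators described above: the Run-key values, the Browser Helper Objects registration under the CLSID, and the InprocServer32 path. The .reg text is constructed sample data; the key names, value names and file names are taken from the description.

```python
# Indicators from the Win32/Yektel write-up: autorun value names/files and the BHO CLSID.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_CLSID = "{037C7B8A-151A-49E6-BAED-CC05FCB50328}"
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects" + "\\" + BHO_CLSID)
INPROC_KEY = r"HKEY_CLASSES_ROOT\CLSID" + "\\" + BHO_CLSID + r"\InprocServer32"
RUN_NAMES = {"ieupdate", "ieupdates"}
RUN_FILES = {"explorer32.exe", "ieupdates.exe"}
DLL_NAME = "winsrc.dll"
# Constructed sample .reg export (not a real capture). Note the trailing space after
# explorer32.exe, which the write-up shows and which an exact-string match would miss.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ieupdate"="C:\\WINDOWS\\system32\\explorer32.exe "
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}]
[HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32]
@="C:\\WINDOWS\\system32\\winsrc.dll"
'''

def parse_reg(text):
    """Parse a Regedit export into {key: {value_name: data}}; only REG_SZ ("...") data is kept."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})        # an empty key still counts as present
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                entries[key][name] = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
    return entries

def basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()  # tolerate quotes/trailing space

def find_yektel(entries):
    """Return a human-readable finding for each Yektel registry indicator present."""
    findings = []
    for name, data in entries.get(RUN_KEY, {}).items():
        if name.lower() in RUN_NAMES and basename(data) in RUN_FILES:
            findings.append(f"autorun {name} -> {data.strip()}")
    if BHO_KEY in entries:
        findings.append(f"BHO registered: {BHO_CLSID}")
    dll = entries.get(INPROC_KEY, {}).get("(default)", "")
    if basename(dll) == DLL_NAME:
        findings.append(f"InprocServer32 -> {dll}")
    return findings
```

Running `find_yektel(parse_reg(SAMPLE_REG))` reports the autorun value, the BHO key and the DLL path; a Run entry with a matching value name but a different file name is not flagged.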
Payload
Displays Misleading Messages
Win32/Yektel displays warnings and recommendations in Internet Explorer. These include messages that appear at the top of the Internet Explorer window, mimicking IE drop-down messages; they appear on top of web pages that the user visits. The trojan may also display a fake warning page instead of a requested web page. Both of these messages are displayed at random times while browsing. A third type of message is added into all web pages retrieved from any URL containing the string "google". Clicking on any of the links in any of these messages usually leads to a web site that encourages the user to pay money to register a rogue security product such as Win32/FakeXPA.

Win32/Yektel will not display fake warning messages when the user visits any domain from a list stored inside the trojan.
Analysis by Hamish O'Dea
Last update 16 February 2009