
Trojan.VB.Yusa.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.VB.Yusa.A is also known as Trojan.Win32.VB.ZU, Troj/Yusufali-A, TROJ_CAGER.A.

Explanation :

This trojan may arrive on the infected computer:

- downloaded from internet
- dropped by malware

It is compiled in Visual Basic 6 and will run on almost all Windows platforms up to Windows XP.

Once run, it creates the registry keys mentioned in Symptoms.
However, this is pointless: due to a bug in the code, the keys do not point to a valid file, so the virus will only be run one time.
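A defender-side check for the condition described above, autostart values whose target file does not exist, as an added example that is not part of the original advisory. It assumes the keys are autostart-style entries, which the page implies but does not list; the value names, paths, environment mapping and `exists` callback are constructed for illustration.

```python
import re

# Constructed sample data: value names and paths are illustrative, not taken
# from the advisory (its Symptoms section is not reproduced on this page).
SAMPLE_RUN_VALUES = {
    "ExampleUpdater": r'"C:\Program Files\Example\updater.exe" /silent',
    "ExampleTray": r"C:\Program Files\Example\tray.exe -min",
    "ExampleOrphan": r"%SystemRoot%\system32\example_missing.exe",
}
SAMPLE_FILES = {
    r"c:\program files\example\updater.exe",
    r"c:\program files\example\tray.exe",
}
SAMPLE_ENV = {"systemroot": r"C:\Windows"}


def expand_env(command, env):
    """Expand %VAR% references case-insensitively; unknown ones stay as-is."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), command)


def candidate_paths(command):
    """Yield the executable paths a command line could resolve to."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        yield command[1:end] if end != -1 else command[1:]
        return
    # Unquoted: try each space-delimited prefix, mirroring how CreateProcess
    # resolves an unquoted path that contains spaces.
    parts = command.split(" ")
    for i in range(1, len(parts) + 1):
        yield " ".join(parts[:i])


def dangling_autoruns(run_values, exists, env):
    """Return names of autostart values whose target file cannot be found."""
    dangling = []
    for name, command in run_values.items():
        expanded = expand_env(command, env)
        if not any(exists(p) for p in candidate_paths(expanded)):
            dangling.append(name)
    return sorted(dangling)


def sample_exists(path):
    """Stand-in for a filesystem check, backed by the constructed file set."""
    return path.lower() in SAMPLE_FILES
```

On a live Windows host, `run_values` would be read from the registry and `exists` would be a real filesystem check such as `os.path.isfile`.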

It remains resident and will monitor user activities as process "Yahosin", as seen in Windows Task Manager, running event-triggered tasks as follows:

- if the current window contains (case sensitive) "Registry Editor", the window will be automatically minimised in a few seconds. Thus, Windows Registry Editor is directly affected by this behaviour.

- if the current window (of any application) contains any of the words (case sensitive):
xx
sex
teen
Phallus
jeggar
Priapus
Phallic
Penis
Exhibitionism
it will be minimised in a few seconds, and will display two images.
First, this image:



and if [Next] is clicked or after a few seconds, the second image:



After several runs ("T=" counts times run), it will display:



And if the mouse moves over that box, the next window is displayed:



not allowing the mouse to move outside the displayed box.

If any of the buttons is clicked, a log off will be performed.

However, the keyboard is still active, and the virus can be terminated in Windows Task Manager.

Last update 21 November 2011

 
