Home / malware Trojan:Win32/Yayih.A
First posted on 08 March 2012.
Source: MicrosoftAliases :
Trojan:Win32/Yayih.A is also known as Win-Trojan/Yayih.4861440 (AhnLab), Trojan.Win32.AntiAV.ptv (Kaspersky), Trojan.AntiAV!zoXUT5UuOF4 (VirusBuster), Gen:Variant.Graftor.15447 (BitDefender), Trojan.Win32.Yayih (Ikarus).
Explanation :
Trojan:Win32/Yayih.A is a trojan that attempts to send information about the affected computer to a remote server. It may also download other files.
Top
Trojan:Win32/Yayih.A is a trojan that attempts to send information about the affected computer to a remote server. It may also download other files.
In the wild, we have observed Trojan:Win32/Yayih.A to be dropped by or embedded in other malware such as Trojan:Win32/Rtfdrop.C and Exploit:Win32/CVE-2012-0754.A.
Installation
When executed, Trojan:Win32/Yayih.A drops a copy of itself in the %CommonProgramFiles% folder. If this folder does not exist, it drops its copy in one of the following hard-coded paths:
- C:\Program Files\Common Files\console.exe
- C:\Program Files\Common Files\mswab.exe
However, if a folder named "Kaspersky" exists in the %ProgramFiles% folder, it does not drop its copy in %CommonProgramFiles%.
Trojan:Win32/Yayih.A creates the following registry entry so that it runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "common"
With data: "<malware path and file name>"
It may also create the following file in which it stores string-data:
%LocalAppData%\aumLib.ini
Trojan:Win32/Yayih.A also creates a mutex named "abcdef" to ensure that only one copy is running on the affected computer at any given time.
Payload
Connects to a remote server
Trojan:Win32/Yayih.A connects to certain servers via an HTTP POST command to send back information about the affected computer. The URL of the POST command has the following format:
http://<server>/bbs/i<removed>o.asp
We have observed <server> to be any of the following:
0426.longmusic.com
0426dk.longmusic.com
0524.mypicture.info
0825.x24hr.com
accout.mrbasic.com
aolserver.rebatesrule.net
apport.myz.info
backup.toh.info
bb.ocry.com
cooper.mylftv.com
currentversion.sixth.biz
dd521.dhcp.biz
direct.zyns.com
dns2name.ddns.info
documents.mypicture.info
dyns.acmetoy.com
dyns.ezua.com
essanavy.com
fburwell.4pu.com
fburwell.my03.com
fburwell.mypicture.info
fburwellport.my03.com
ferrari.my03.com
flash.ezua.com
fordfoundation.almostmy.com
fordoundation.almostmy.com
fresh.lflink.com
ftp.accout.mrbasic.com
ftp.cooper.mylftv.com
ftp.dd521.dhcp.biz
ftp.dns2name.ddns.info
ftp.documents.mypicture.info
ftp.flash.ezua.com
ftp.fordoundation.almostmy.com
ftp.fresh.lflink.com
ftp.google.otzo.com
ftp.hhs.freetcp.com
ftp.mosfdns.ddns.ms
ftp.msn.epac.to
ftp.pdffor.itsaol.com
ftp.scooper.ourhobby.com
ftp.stategov.ddns.me.uk
ftp.view.freeddns.com
ftp.yahoo123.epac.to
ftp.yhaoo.mrface.com
gemelafirst.zyns.com
google.otzo.com
googleserv.ns01.us
haoxiangjia.changeip.net
hello.mefound.com
hhs.freetcp.com
iphone4.dnsrd.com
iphone4.jetos.com
kaqinsiji.dnset.com
logintal.essanavy.com
mail.essanavy.com
mosfdns.ddns.ms
msn.epac.to
nga.essanavy.com
pdffor.itsaol.com
port-thop.epac.to
port.flash.ezua.com
port.wikaba.com
portal.ygto.com
rasmu.qpoe.com
rbcuser.dynssl.com
sat.lflinkup.net
satbf.lflinkup.net
satp.lflinkup.net
satxn.lflinkup.net
satxnp.lflinkup.net
scooper.ourhobby.com
scott.mrface.com
ser.essanavy.com
serval.essanavy.com
serveral.essanavy.com
stategov.ddns.me.uk
thop.epac.to
tokyoip.freewww.info
tokyonews.edns.biz
view.freeddns.com
vpn.dnsrd.com
vpndk.dnsrd.com
vpnlogin.essanavy.com
warp.essanavy.com
wha.qpoe.com
yahoo123.epac.to
yhaoo.mrface.com
The information that is sent back to the server has the following format:
<computer name>|<predefined value>|<IP Address>|<operating system version>
where <predefined value> is a string hard-coded in the malware or read from the file "aumLib.ini".
Sample data may appear similar to the following:
ADMINPC|us0302|192.168.1.1|WinNT v5.1 build 2600 - Service Pack 3
Trojan:Win32/Yayih.A may also download other files from these servers. The downloaded file may be saved as Appmt.exe.
It may also receive commands from the remote server to perform on the affected computer.
Analysis by Ric Robielos
Last update 08 March 2012