Worm:Win32/Yimfoca.gen!C
First posted on 06 September 2011.
Source: SecurityHome
Aliases:
Worm:Win32/Yimfoca.gen!C is also known as Worm.Yimfoca!qtFFN2G3iTk (VirusBuster), BackDoor.IRC.Bot.792 (Dr.Web), IRC/SdBot trojan (ESET), Trojan-Spy.Win32.SpyEyes (Ikarus), PWS-Zbot.gen.cy (McAfee), Troj/Jorik-B (Sophos), W32.Yimfoca (Symantec), WORM_PALEVO.TEL (Trend Micro).
Explanation:
Worm:Win32/Yimfoca.gen!C is a worm that spreads to other computers by using certain Instant Messaging (IM) programs. It sends a copy of itself disguised as a link to a codec required to watch a video. When run, it then attempts to stop and disable services including "wuauserv" (Windows Automatic Update) and "MsMpSvc" (Microsoft Malware Protection Service). It also attempts to delete "msseces.exe", a core component of Microsoft Security Essentials and Forefront Endpoint Protection.
Installation
When executed, Worm:Win32/Yimfoca.gen!C copies itself into the Windows folder using the following file name:
- nvsvc32.exe
It creates a mutex named "Nvidia Drive Mon" to prevent multiple instances of itself from running.
It modifies the system registry so that it automatically runs every time Windows starts:
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"
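As an added defender-side example that is not part of the original write-up: a read-only PowerShell host check for the three installation artifacts listed above (the dropped file, the Run-key value and the mutex). The path, value name and mutex name come from the write-up; the script structure and output wording are the example's own.

```powershell
# Added example (not from the original advisory): look for the installation
# artifacts the write-up lists for Worm:Win32/Yimfoca.gen!C.
# Read-only; run from an elevated PowerShell session.

$findings = @()

# 1. Dropped copy: %windir%\nvsvc32.exe
$dropPath = Join-Path $env:windir 'nvsvc32.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 2. Persistence: value "NVIDIA driver monitor" in the three Run keys named above
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties.Name -contains 'NVIDIA driver monitor') {
        $findings += "Run value 'NVIDIA driver monitor' in $key -> $($props.'NVIDIA driver monitor')"
    }
}

# 3. Mutex "Nvidia Drive Mon": OpenExisting only succeeds while a process holds it
try {
    $m = [System.Threading.Mutex]::OpenExisting('Nvidia Drive Mon')
    $m.Dispose()
    $findings += "Mutex 'Nvidia Drive Mon' exists (worm instance likely running)"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: the expected result on a clean host
} catch [System.UnauthorizedAccessException] {
    # Exists but owned by another principal: still a hit
    $findings += "Mutex 'Nvidia Drive Mon' exists (access denied on open)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Yimfoca.gen!C installation indicators found.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The mutex name has no `Global\` prefix, so it lives in the session-local namespace; run the check in the interactive session of the user who would have launched the file, or the mutex lookup will miss it even when the file and Run value are present.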
Spreads via...
Instant messaging programs
Worm:Win32/Yimfoca.gen!C spreads by sending a link to a copy of itself to all of a user's contacts in the following IM programs:
- Yahoo! Messenger
- AOL Instant Messenger
- MSN/Live Messenger
The message accompanying the link claims that it points to a video which requires a special codec to view. The "codec" is actually a copy of the worm.
Payload
Disables services
Worm:Win32/Yimfoca.gen!C may try to stop the following services:
- wuauserv - Windows Update Automatic Update service
- MsMpSvc - Microsoft Security Essentials and Forefront Endpoint Protection security service
It issues a "net stop" command to stop the above-mentioned services. Worm:Win32/Yimfoca.gen!C then sets the start type of both services to "disabled", so they no longer start automatically, by running the following commands:
sc config wuauserv start= disabled
sc config MsMpSvc start= disabled
Deletes file
Worm:Win32/Yimfoca.gen!C may attempt to terminate the following process:
- msseces.exe
Once the process is terminated, the malware deletes this file, which is a core component of Microsoft Security Essentials and Forefront Endpoint Protection. Removing it compromises this security software.
Connects to an IRC server
Worm:Win32/Yimfoca.gen!C may connect to certain Internet Relay Chat (IRC) servers to receive additional commands to perform on the computer. For example, it can connect to the server "142.45.193.<one digit number>" via predefined ports.
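As an added example that is not part of the original write-up, one PowerShell triage script covering the three payload effects described under "Disables services", "Deletes file" and "Connects to an IRC server": it reports whether wuauserv and MsMpSvc have been set to Disabled (and reverts that with -Repair), whether msseces.exe is still present and running, and whether any established TCP connection goes to the documented 142.45.193.x range. The "Automatic" start type and the msseces.exe install path are assumptions; the service names, file name and IP prefix come from the write-up.

```powershell
# Added example (not from the original advisory): triage the payload effects of
# Worm:Win32/Yimfoca.gen!C. Run from an elevated PowerShell session.
#   - start type of wuauserv and MsMpSvc (restored to Automatic with -Repair)
#   - presence and running state of msseces.exe
#   - established connections into the documented IRC range
param([switch]$Repair)

$alerts = @()

# 1. Services the worm sets to "start= disabled". Automatic is the assumed
#    clean-host value; check your baseline before relying on it.
foreach ($name in 'wuauserv', 'MsMpSvc') {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { Write-Output "$name is not installed on this host"; continue }
    # Win32_Service.StartMode is one of Boot, System, Auto, Manual, Disabled
    if ($svc.StartMode -eq 'Disabled') {
        $alerts += "$name start type is Disabled (state $($svc.State)); matches 'sc config $name start= disabled'"
        if ($Repair) {
            try {
                Set-Service -Name $name -StartupType Automatic   # undo the sc config change
                Start-Service -Name $name                        # undo the "net stop"
                Write-Output "$name set back to Automatic and started"
            } catch {
                Write-Warning "Could not restore ${name}: $($_.Exception.Message)"
            }
        }
    }
}

# 2. Security Essentials / FEP front-end, which the worm kills and then deletes.
#    The install path below is an assumption, not from the write-up.
$mssePath = Join-Path $env:ProgramFiles 'Microsoft Security Client\msseces.exe'
if (Test-Path -LiteralPath $mssePath) {
    if (-not (Get-Process -Name 'msseces' -ErrorAction SilentlyContinue)) {
        $alerts += "msseces.exe exists at $mssePath but is not running"
    }
} else {
    $alerts += "msseces.exe not found at $mssePath (deleted, or product not installed)"
}

# 3. IRC command server: the write-up gives 142.45.193.<one digit>, so match exactly that.
#    Get-NetTCPConnection requires Windows 8 / Server 2012 or later.
$c2 = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
      Where-Object { $_.RemoteAddress -match '^142\.45\.193\.\d$' }
foreach ($conn in $c2) {
    $owner = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $alerts += "Established connection to $($conn.RemoteAddress):$($conn.RemotePort) from PID $($conn.OwningProcess) ($($owner.ProcessName))"
}

if ($alerts.Count -eq 0) {
    Write-Output 'No Yimfoca.gen!C payload indicators found.'
} else {
    $alerts | ForEach-Object { Write-Warning $_ }
}
```

Restoring the start type only helps if the service binary is still intact: if msseces.exe has already been deleted, Start-Service on MsMpSvc may still succeed (it is a different binary) but the product should be reinstalled rather than trusted. The connection check is a point-in-time snapshot; an IRC bot that is idle between commands may hold no established socket at the moment you look, so treat a clean result here as weaker evidence than the service and file findings.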
Analysis by Wei Li
Last update 06 September 2011