Virus

W32/Yahlover.C!worm

Analysis

W32/Yahlover.C!worm is classified as an Internet worm. Internet worms spread to other systems over NetBIOS/SMB, SMTP, MSN Messenger, P2P file-sharing applications, or mobile networks.
This worm modifies system settings in ways that weaken overall system security, and it downloads files from the Internet.

  • It drops the following files (%WINDOWS% and %SYSTEM% denote the Windows and System32 directories):
    • %WINDOWS%\chrome.exe: copy of itself
    • %SYSTEM%\chrome.exe: copy of itself
    • %WINDOWS%\Tasks\At1.job: AT job that executes the worm every day
    • %SYSTEM%\autorun.ini

  • It adds the following registry keys:
    • key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer
    • key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel

  • It adds the following registry values:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
    • value: AtTaskMaxHours
    • data: 0
    • AtTaskMaxHours is the Schedule service's maximum run time, in hours, for AT jobs; a value of 0 means no limit, so the scheduled worm copy is not terminated by the service.

  • It modifies the following registry values:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
    • value: NextAtJobId
    • data: 2
    • NextAtJobId is the counter the Schedule service uses for the next AT job; a value of 2 is consistent with the single At1.job dropped above.
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
    • value: Shell
    • data: Explorer.exe chrome.exe
    • Winlogon starts every program listed in Shell at logon, so the worm copy chrome.exe (named to resemble the Google Chrome browser executable) is launched alongside Explorer on every logon. A clean system carries only Explorer.exe here.
    • key: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
    • values: Default_Page_URL, Default_Search_URL, Search Page, Start Page
    • data: http://h1.rip{Removed}.com/poojasharma/index.html
    • This URL becomes the default Internet Explorer start page and the default search page.

  • It uses the following mutex:
    • _!MSFTHISTORY!_

  • It attempts to connect to the following host:
    • h1.rip[removed].com
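
  The following PowerShell script is added here as a host-triage example; it is not part of the Fortinet entry. It checks a Windows host for the indicators listed above (dropped files, Winlogon Shell, Schedule service values, Internet Explorer URLs and policy keys) and reports what it finds without changing anything. It assumes that %WINDOWS% and %SYSTEM% map to $env:windir and $env:windir\System32, and because the hijack domain is partially redacted in the entry, the URL match uses only the visible prefix and the fixed path component. The function name Test-YahloverIndicators is this example's own.

```powershell
# Added triage example (not from the Fortinet entry). Read-only: reports
# indicators of W32/Yahlover.C!worm on the local host. Run from an elevated
# PowerShell prompt so HKLM and %WINDOWS% are readable.
function Test-YahloverIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]
    # Assumption: %WINDOWS% -> $env:windir, %SYSTEM% -> $env:windir\System32
    $win = $env:windir
    $sys = Join-Path $win 'System32'

    # 1. Dropped files: worm copies named like the Chrome browser, the AT job
    #    that re-launches the worm daily, and autorun.ini.
    $paths = @(
        (Join-Path $win 'chrome.exe'),
        (Join-Path $sys 'chrome.exe'),
        (Join-Path $win 'Tasks\At1.job'),
        (Join-Path $sys 'autorun.ini')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings.Add("File present: $p  SHA256=$hash")
        }
    }

    # 2. Winlogon Shell persistence. A clean system carries exactly "Explorer.exe";
    #    -ne is case-insensitive in PowerShell, so "explorer.exe" also passes.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and ($shell.Trim() -ne 'Explorer.exe')) {
        $findings.Add("Winlogon\Shell modified: '$shell'")
    }

    # 3. Schedule service value written by the worm. AtTaskMaxHours is absent by
    #    default; the worm adds it with data 0 (no run-time limit for AT jobs).
    $sched = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' -ErrorAction SilentlyContinue
    if ($null -ne $sched -and $null -ne $sched.AtTaskMaxHours) {
        $findings.Add("Schedule\AtTaskMaxHours = $($sched.AtTaskMaxHours)")
    }

    # 4. IE start/search page hijack. The domain is redacted in the entry, so
    #    match on the visible host prefix or the fixed path component.
    $ieMain = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    foreach ($name in 'Default_Page_URL', 'Default_Search_URL', 'Search Page', 'Start Page') {
        $url = $ieMain.$name
        if ($url -and (($url -like 'http://h1.rip*') -or ($url -like '*/poojasharma/index.html'))) {
            $findings.Add("IE Main\$name = $url")
        }
    }

    # 5. IE policy keys the worm creates. These also exist on GPO-managed hosts,
    #    so treat their presence as corroborating evidence only.
    foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
                     'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel') {
        if (Test-Path -LiteralPath $key) { $findings.Add("Registry key present (corroborating): $key") }
    }

    return $findings
}

$result = Test-YahloverIndicators
if ($result.Count -eq 0) { 'No W32/Yahlover.C indicators found.' } else { $result }
```

  The script deliberately does not remove anything: the SHA256 of any file it finds is what you would submit to your AV vendor or compare against a known sample before quarantining, and the Winlogon Shell and IE values should be restored after the worm's processes and AT job are gone, otherwise the copy launched at next logon rewrites them.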

  Recommended Action

  FortiGate Systems
    • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

  FortiClient Systems
    • Quarantine or delete files that are detected and replace infected files with clean backup copies.