Yahos Worm Spreading in the Wild

August 12, 2010

SonicWALL UTM Research team received reports of a new variant of the Yahos worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AOL, Skype and MSN, as well as the social networking site Facebook. It also includes an IRC-based backdoor capability to receive instructions from a remote server.

Installation:

Drops a copy of itself:

  • %Windows%\jusched.exe - [ detected as GAV: Yahos.BA (Worm) ]

Drops the following files:

  • C:\sssA1234567890.exe - [ detected as GAV: Yahos.BA_2 (Trojan) ]
  • C:\WINDOWS\system32\rrrc.yeo - [ detected as GAV: Oficla_14 (Trojan) ]

Downloads related Malware:

  • C:\WINDOWS\system32\8c.html - [ detected as GAV: Kryptik.EVL (Trojan) ]
  • %User Profile%\fow.exe - [ detected as GAV: Kryptik.CLM (Trojan) ]
  • %User Profile%\secupdat.dat - [ detected as GAV: Cetorp.P_3 (Backdoor) ]
  • C:\WINDOWS\system32\secupdat.dat - [ detected as GAV: Cetorp.P_3 (Backdoor) ]

Creates the following mutex to ensure that only one instance of the malware runs on the system:

  • Micro Upe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the user folder, which is usually C:\Documents and Settings\{Current User})

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
    Value: "Java developer Script Browse"
    Data: ""C:\WINDOWS\jusched.exe""

Adds the following registry entry to bypass Windows Firewall restrictions (the dropped copy is added to the authorized applications list):

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    Value: "C:\WINDOWS\jusched.exe"
    Data: "C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse"

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instructions:

  • Remote Server: ptf.messenger-update.su

This worm will also join the following IRC channel to receive instructions:

  • #!gf!

[Screenshot: IRC communication]

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

This worm may download files and updates from the following addresses:

  • 95.211.130.132
  • 212.95.32.52
  • rgtryhbgddtyh.biz
  • wertdghbyrukl.ch

Propagation:

This worm propagates via the following platforms:

    Instant Messaging Application:

    • AOL
    • MSN
    • Skype
    • Yahoo Messenger

    Social Networking site:

    • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service - MsMpSvc
  • Windows AutoUpdate Service - wuauserv
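A host-side check for the artifacts listed above, written as an added example for this advisory (not SonicWALL's own tool). It looks for the Run-key value name, the firewall AuthorizedApplications entry, the dropped %Windows%\jusched.exe, the "Micro Upe" mutex and the two stopped services; all names are taken from the advisory, and the script assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example: check a Windows host for the Yahos.BA indicators named in the advisory.
# Run elevated; read-only, it reports findings and changes nothing.
$valueName = 'Java developer Script Browse'   # Run-key value name used by the worm
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
$fwList  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
# The legitimate Java updater jusched.exe lives under the Java install folder; a copy
# directly in %windir% matches the advisory's drop location.
$dropped = Join-Path $env:windir 'jusched.exe'
$findings = @()

# 1. Persistence: Run-key value under any of the three keys
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) { $findings += "Run-key persistence: $key\$valueName = $($item.$valueName)" }
}

# 2. Firewall bypass: jusched.exe authorized in the XP/2003 firewall policy list
if (Test-Path $fwList) {
    $fw = Get-ItemProperty -Path $fwList
    foreach ($p in $fw.PSObject.Properties | Where-Object { $_.Name -like '*\jusched.exe' }) {
        $findings += "Firewall AuthorizedApplications entry: $($p.Name) = $($p.Value)"
    }
}

# 3. Dropped copy on disk
if (Test-Path $dropped) { $findings += "Dropped file present: $dropped" }

# 4. Single-instance mutex: opening it succeeds only if the worm is running
try {
    $m = [System.Threading.Mutex]::OpenExisting('Micro Upe'); $m.Close()
    $findings += "Mutex 'Micro Upe' is present (worm likely running)"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # mutex absent: nothing to report
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex 'Micro Upe' exists but is not accessible (worm likely running)"
}

# 5. Services the worm terminates
foreach ($svc in 'MsMpSvc', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') { $findings += "Service $svc is $($s.Status)" }
}

if ($findings.Count -eq 0) { 'No Yahos.BA indicators found.' } else { $findings }
```

A stopped wuauserv or MsMpSvc on its own is weak evidence; treat it as corroboration for the registry and file findings rather than a detection by itself.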

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Yahos.BA (Worm)
  • GAV: Yahos.BA_2 (Trojan)
  • GAV: Oficla_14 (Trojan)
  • GAV: Kryptik.EVL (Trojan)
  • GAV: Kryptik.CLM (Trojan)
  • GAV: Cetorp.P_3 (Backdoor)