WORM_YAHLOVER.LJ

 Analysis by: Erika Bianca Mendoza

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

  • Copies itself to all available physical drives
  • Propagates via instant messaging applications
  • Propagates via removable drives


This worm arrives by connecting affected removable drives to a system. It arrives by accessing affected shared networks. It may be unknowingly downloaded by a user while visiting malicious websites.

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy. It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

It disables Task Manager, Registry Editor, and Folder Options.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

614,400 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

04 Nov 2011

Payload:

Terminates processes

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives by accessing affected shared networks.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

  • {install directory}\system3_.exe

It drops the following files:

  • {install directory}\autorun.ini - copy of autorun.inf
  • %Windows%\Tasks\At1.job

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy.

It uses the default Windows folder icon to trick users into opening the file. Double-clicking the file executes this malware.

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Yahoo Messengger = "{install directory}\system3_.exe"

The scheduled task executes the malware every:

  • 9:00 AM

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "0"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "{URL}"

(Note: The default value data of the said registry entry is {user defined value}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Default_Search_URL = "{URL}"

(Note: The default value data of the said registry entry is {user defined value}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Default_Page_URL = "{URL}"

(Note: The default value data of the said registry entry is {user defined value}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
Search Page = "{URL}"

(Note: The default value data of the said registry entry is {user defined value}.)

It creates the following registry entries to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NofolderOptions = "1"

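The registry changes listed above (the Run value, AtTaskMaxHours, the three policy lockouts and the hijacked Internet Explorer pages) are the indicators a responder checks for and, under Steps 4 and 5 below, deletes or resets. The following script is an added example and not part of this entry or of any Trend Micro tool: it audits a snapshot of those keys and maps each hit to the corresponding cleanup action. The snapshot format, the sample data and the blocked-host list are constructed; only the key paths and value names come from the entry. On Windows, `snapshot_from_live_registry()` reads the same keys through the standard `winreg` module.

```python
"""Audit a registry snapshot for the values this entry lists (Run persistence,
AtTaskMaxHours, the Task Manager / Registry Editor / Folder Options lockouts and
the hijacked IE pages) and map each hit to the cleanup action the entry calls for.
Added example: the snapshot format, the sample data and the host list below are
constructed; only the key and value names come from the entry."""
from urllib.parse import urlparse

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SCHEDULE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"
IE_MAIN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_MAIN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"

# (key, value name, predicate on the data, action).  "Yahoo Messengger" keeps the
# double-g spelling the entry reports; a legitimate Yahoo Messenger entry would
# not misspell its own name, so the value name itself is part of the indicator.
INDICATORS = [
    (RUN_KEY, "Yahoo Messengger", lambda d: d.lower().endswith("system3_.exe"), "delete"),
    (SCHEDULE_KEY, "AtTaskMaxHours", lambda d: d == "0", "delete"),
    (POLICY_SYSTEM, "DisableTaskMgr", lambda d: d == "1", "delete"),
    (POLICY_SYSTEM, "DisableRegistryTools", lambda d: d == "1", "delete"),
    (POLICY_EXPLORER, "NofolderOptions", lambda d: d == "1", "delete"),
]
IE_VALUES = ("Start Page", "Default_Page_URL", "Default_Search_URL", "Search Page")


def audit(snapshot, bad_hosts=()):
    """snapshot: {(key_path, value_name): data}.  Returns a list of
    (action, key_path, value_name, data).  Lookups are case-insensitive
    because registry paths and value names are."""
    snap = {(k.lower(), n.lower()): str(d) for (k, n), d in snapshot.items()}
    bad = {h.lower() for h in bad_hosts}
    findings = []
    for key, name, hit, action in INDICATORS:
        data = snap.get((key.lower(), name.lower()))
        if data is not None and hit(data):
            findings.append((action, key, name, data))
    # The entry only shows the hijacked pages as {URL}; the analyst supplies the
    # blocked hosts, and any IE page pointing at one of them is flagged for reset.
    for key in (IE_MAIN_HKCU, IE_MAIN_HKLM):
        for name in IE_VALUES:
            data = snap.get((key.lower(), name.lower()))
            host = urlparse(data).hostname if data else None
            if host and host.lower() in bad:
                findings.append(("reset", key, name, data))
    return findings


def snapshot_from_live_registry():
    """Read the same six keys from the live registry (Windows only; winreg is
    part of the standard library there)."""
    import winreg
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for key in (RUN_KEY, SCHEDULE_KEY, POLICY_SYSTEM, POLICY_EXPLORER,
                IE_MAIN_HKCU, IE_MAIN_HKLM):
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as handle:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(handle, index)
                    except OSError:      # no more values under this key
                        break
                    snap[(key, name)] = data
                    index += 1
        except OSError:                  # key absent: nothing to report
            pass
    return snap


# Constructed snapshot of an affected profile; the host is a placeholder for
# the {BLOCKED} URLs in the entry.
SAMPLE_SNAPSHOT = {
    (RUN_KEY, "Yahoo Messengger"): r"C:\WINDOWS\system3_.exe",
    (RUN_KEY, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe",
    (SCHEDULE_KEY, "AtTaskMaxHours"): "0",
    (POLICY_SYSTEM, "DisableTaskMgr"): 1,
    (POLICY_EXPLORER, "NofolderOptions"): 1,
    (IE_MAIN_HKCU, "Start Page"): "http://www.blocked-host.invalid/",
    (IE_MAIN_HKLM, "Search Page"): "http://www.msn.com/",
}
SAMPLE_BAD_HOSTS = ("www.blocked-host.invalid",)

if __name__ == "__main__":
    for action, key, name, data in audit(SAMPLE_SNAPSHOT, SAMPLE_BAD_HOSTS):
        print(f"{action:6} {key}\\{name} = {data!r}")
```

The audit only reports; applying the actions is left to the operator, since the install directory varies with the OS version (see the Notes below) and the IE values must be reset to whatever the user had configured rather than to a fixed default.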
Propagation

This worm searches for folders in all physical and removable drives, then drops a copy of itself inside each folder, named {folder name}.EXE.

It drops the following copy of itself in all physical and removable drives:

  • New Folder.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[Autorun]
Shell\Open\command={malware filename}.exe
Shell=Open

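The propagation artifacts described above are easy to check for on a drive or share before it is plugged into another machine: an autorun file whose launch directive points at an executable, and .exe files named after the folder that contains them or called New Folder.exe. The script below is an added example, not code from this entry or from Trend Micro; it builds a constructed directory layout in a temporary folder so it runs offline, and the .exe stand-ins it writes hold two bytes rather than any real binary. Shell\Open\command is the directive the entry shows; the `open` and `shellexecute` keys are the other standard autorun launch directives and are included so a variant using them is not missed.

```python
"""Look for the two propagation artifacts described above on a drive or share:
an AUTORUN.INF (or the autorun.ini copy) whose launch directive points at an
.exe, and executables that impersonate folders ("New Folder.exe", or
"<folder name>.exe" dropped inside the folder of that name).  Added example,
not code from the entry; the on-disk layout it builds is constructed."""
import configparser
import os
import tempfile

AUTORUN_NAMES = {"autorun.inf", "autorun.ini"}
# Shell\Open\command is the directive the entry shows; open and shellexecute are
# the other standard autorun launch directives.
LAUNCH_KEYS = ("shell\\open\\command", "open", "shellexecute")


def parse_autorun(text):
    """Return the program an autorun file would launch, or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:          # not INI-shaped at all
        return None
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return None
    for key, value in parser.items(section):   # option names are lower-cased
        if key.replace("/", "\\") in LAUNCH_KEYS:
            return value.strip().strip('"')
    return None


def relpath(root, path):
    """Root-relative path with forward slashes, so results compare portably."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_autorun_launchers(root):
    """[(relative path, launched program)] for every autorun file under root."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in AUTORUN_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    target = parse_autorun(fh.read())
                if target:
                    hits.append((relpath(root, path), target))
    return sorted(hits)


def find_folder_masquerades(root):
    """Relative paths of .exe files named after the folder that contains them,
    plus the 'New Folder.exe' name the entry lists."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            if stem.lower() == "new folder" or stem.lower() == parent:
                hits.append(relpath(root, os.path.join(dirpath, name)))
    return sorted(hits)


def scan_drive(root):
    return {"autorun": find_autorun_launchers(root),
            "masquerade": find_folder_masquerades(root)}


def build_sample_drive():
    """Constructed layout mirroring the entry's description; returns the root.
    The .exe stand-ins hold two bytes, not a real binary."""
    root = tempfile.mkdtemp(prefix="yahlover_demo_")
    os.makedirs(os.path.join(root, "Photos"))
    os.makedirs(os.path.join(root, "Work"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[Autorun]\nShell\\Open\\command=New Folder.exe\nShell=Open\n")
    for rel in ("New Folder.exe", "Photos/Photos.exe", "Work/report.exe", "Work/notes.txt"):
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(b"MZ")
    return root


if __name__ == "__main__":
    root = build_sample_drive()
    for kind, hits in scan_drive(root).items():
        print(kind, hits)
```

Pointing `scan_drive()` at a mounted removable drive or share root lists the same two artifact classes on real media. A hit on `Work/report.exe` would not be reported, since only executables whose name equals their parent folder's name (or New Folder) match the behaviour this entry describes; a file with a hidden extension and a folder icon is the user-facing side of the same trick, which this check catches by name rather than by icon.
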
It sends the following messages via the instant messaging applications listed below:

happy valentine day screen saver from http://{BLOCKED}gle. 0catch. com/love.scr and get new tips and tricks from URL
happy valentine day screen saver and beautiful screen saver from lovers http://{BLOCKED}gle. 0catch. com/love.scr and URL
golden lovers rose screen saver from http://{BLOCKED}gle. 0catch. com/love.scr and see more from URL
rose is always red ,see in http://{BLOCKED}gle. 0catch. com/love.scr screen saver from URL
happy valentine day screen saver from http://{BLOCKED}gle.0catch. com/love.scr and get new tips and tricks from URL
I LOVE YOUUUUUUUUUUUUU from screensaver http://{BLOCKED}gle. 0catch. com/love.scr see more in URL
happy valentine day screen saver from http://{BLOCKED}gle. 0catch. com/love.scr and get new tips and tricks from URL
happy valentine day screen saver from http://{BLOCKED}gle. 0catch. com/love.scr and get new tips and tricks for lovers URL
happy valentine day screen saver from http://{BLOCKED}gle. 0catch. com/love.scr and view secrets from private cam BIN
happy valentine day screen saver from http://{BLOCKED}gle. 0catch. com/love.scr and view secrets from private cam BIN

It sends messages that contain links to sites hosting remote copies of itself using the following instant-messaging (IM) applications:

  • Yahoo Messenger
  • Google Talk

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • game_y.exe
  • cmd.exe

NOTES:

Upon execution, the malware checks the OS version of the affected machine. If it is Windows Vista, it sets the install directory to %Desktop% or %User Temp%.

If the worm is not running on Windows Vista, the install directory is set to %System% or %Windows%.

It modifies the registry to change the start page/search page of the browser:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = {URL}
Default_Page_URL = {URL}
Default_Search_URL = {URL}
Search Page = {URL}

where {URL} can be any of the following:

  • http://www.{BLOCKED}mworld.50webs.com
  • http://www.{BLOCKED}gle.blogspot.com

This worm enumerates shared drives by reading the values under the following registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

It then copies itself to the shared drive as New Folder.exe. It also copies its corresponding AUTORUN.INF to automatically execute the worm.

It terminates processes of applications with the following Window Names:

  • [FireLion]
  • Bkav2006
  • Registry
  • System Configuration
  • Windows Task

  SOLUTION

Minimum Scan Engine:

9.200

FIRST VSAPI PATTERN FILE:

8.547.01

FIRST VSAPI PATTERN DATE:

04 Nov 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Restart in Safe Mode

Step 3

Restore modified and/or deleted registry values using this VBScript

To restore the modified and/or deleted registry value/s:

  1. Open Notepad.
    » For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run. In the Open input box, type notepad then press Enter.
    » For Windows Vista and Windows 7 users, click Start, type notepad in the Search input field then press Enter.
  2. Copy and paste the following script:
  3. Save this file as C:\RESTORE.VBS.
  4. Run C:\RESTORE.VBS.
    » For Windows 2000, XP, and Server 2003 users, click Start>Run. In the Open input box, type C:\RESTORE.VBS then press Enter.
    » For Windows Vista and Windows 7 users, click Start, type C:\RESTORE.VBS in the Search input field then press Enter.

Step 4

Delete this registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Yahoo Messengger = {install directory}\system3_.exe
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    • AtTaskMaxHours = 0

Step 5

Restore this modified registry value

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • From: Start Page = {URL}
      To: Start Page = {user defined value}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    • From: Search Page = {URL}
      To: Search Page = {user defined value}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    • From: Default_Page_URL = {URL}
      To: Default_Page_URL = {user defined value}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    • From: Default_Search_URL = {URL}
      To: Default_Search_URL = {user defined value}

Step 6

Search and delete AUTORUN.INF files created by WORM_YAHLOVER.LJ that contain these strings

[Autorun]
Shell\Open\command={malware filename}.exe
Shell=Open

Step 7

Search and delete this file

There may be some component files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden files and folders in the search result.
  • {install directory}\autorun.ini
  • %Windows%\Tasks\At1.job

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_YAHLOVER.LJ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

RECOMMENDATIONS

This malware is detected and removed by the latest Trend Micro anti-malware engine and pattern. Always keep pattern files and engines up-to-date. To know more about updating your Trend Micro product's pattern, please refer to the following Trend Micro support page:


Note: The steps apply for specific products indicated in the page.

To actively detect and protect your machine, enable real-time scanning of your Trend Micro anti-malware product. Refer to the following Trend Micro support page to know more about enabling real-time scanning in your Trend Micro product:

To enable Firewall to protect against threats: How do I enable or disable the Personal Firewall of Trend Micro Internet Security?

  • Be aware of social engineering attacks.
  • Avoid accessing the listed malicious URLs to prevent possible re-infection.
  • Avoid visiting untrusted sites that may redirect or download malware into the system.
  • Monitor network connections for any suspicious connection or connectivity.
  • Regularly update the list of untrusted websites.
  • Avoid opening email attachments and clicking links in an email from unknown sources.
  • Block any file with more than one file type extension.
  • Disable AutoPlay to avoid automatic execution of executable files in removable drives.
  • Disconnect drives when not needed. If write access is not required, enable read-only mode only.
