WORM_YAHLOVER.K
Aliases: Worm:Win32/YahLover.C (Microsoft)
Platform: Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infection Channel: Propagates via removable drives, Propagates via instant messaging applications
If it fails to download the configuration file, this worm downloads a certain file. It saves the downloaded file as %System%\setting.ini.
It expects the downloaded configuration file to contain a list of download URLs for possibly malicious files. It saves and executes the file it downloads. As of this writing, the above-mentioned configuration download sites are inaccessible.
It drops copies of itself in all shared folders and removable drives. It then drops an AUTORUN.INF file on the affected folder/drive to automatically execute the dropped copy. This worm also searches for folders in shared folders and removable drives and drops copies of itself inside the folder as {folder name}.exe. It is capable of logging on to Yahoo! Messenger using the account of the last user that logged in to the application. It then sends messages to the contacts of the user.
This worm arrives by connecting affected removable drives to a system. It arrives by accessing affected shared networks.
It deletes registry entries related to antivirus programs. Doing so allows the malware to execute its routines without being detected by the installed antivirus programs.
TECHNICAL DETAILS
File Size: 667,128 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 31 Jul 2011
Payload: Downloads files, Terminates processes
Arrival Details
This worm arrives by connecting affected removable drives to a system.
It arrives by accessing affected shared networks.
Installation
This worm drops the following non-malicious files:
- %System%\autorun.ini - autostart component
- %System%\setting.ini - configuration file
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %Windows%\scvhost.exe
- %System%\scvhost.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo Messengger = "%System%\scvhost.exe"
It modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe scvhost.exe"
(Note: The default value data of the said registry entry is Explorer.exe.)
Other System Modifications
This worm also creates the following registry entry(ies) as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
adv google = "http://{BLOCKED}gle.blogspot.com"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
shared = "{path of dropped copy in shared folder}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
AtTaskMaxHours = "0"
It deletes the following registry entries related to antivirus and security applications:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BkavFw =
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
IEProtection =
Propagation
This worm searches for folders in all physical and removable drives, then drops copies of itself inside each folder as {folder name}.EXE.
The AUTORUN.INF file it drops on the affected folder/drive contains the following strings:
[Autorun]
Open=scvhost.exe
Shellexe cute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open
Process Termination
This worm terminates the following processes if found running in the affected system's memory:
- game_y.exe
- cmd.exe
It terminates processes or services whose names contain any of the following strings if found running in the affected system's memory:
- Bkav2006
- System Configuration
- Registry
- Windows Task
- [FireLion]
Download Routine
This worm connects to the following URL(s) to download its configuration file:
- http://{BLOCKED}gle.0catch.com/setting.nql
- http://{BLOCKED}gle1.0catch.com/setting.nql
NOTES:
If it fails to download the configuration file, it downloads the following instead:
- http://{BLOCKED}gle.0catch.com/setting.xls
- http://{BLOCKED}gle1.0catch.com/setting.xls
It saves the downloaded file as %System%\setting.ini.
It expects the downloaded configuration file to contain a list of download URLs for possibly malicious files. It saves the files it downloads as the following and executes them:
- %System%\CHECK01.exe
- %System%\CHECK02.exe
- %System%\CHECK03.exe
As of this writing, the above-mentioned configuration download sites are inaccessible.
Propagation
It drops the following copies of itself in all shared folders and removable drives:
- New Folder.exe
- scvhost.exe
It then drops an AUTORUN.INF file on the affected folder/drive to automatically execute the dropped copy.
This worm also searches for folders in shared folders and removable drives and drops copies of itself inside the folder as {folder name}.exe.
It is capable of logging on to Yahoo! Messenger using the account of the last user that logged in to the application. It then sends any of the following messages to the contacts of the user:
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and get new tips and tricks from http://{BLOCKED}gle.blogspot.com/
I LOVE YOUUUUUUUUUUUUUu from screensaver http://{BLOCKED}gle.0catch.com/love.scr see more inhttp://{BLOCKED}gle.blogspot.com/
golden lovers rose screen saver from http://{BLOCKED}gle.0catch.com/love.scr and see more fromhttp://{BLOCKED}gle.blogspot.com/
happy valentine day screen saver and beautiful screen saver from lovers http://{BLOCKED}gle.0catch.com/love.scr andhttp://{BLOCKED}gle.blogspot.com/
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and get new tips and tricks for lovers from http://{BLOCKED}gle.blogspot.com/
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and get new tips and tricks for lovers http://{BLOCKED}gle.blogspot.com/
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and get new tips and tricks from http://{BLOCKED}gle.blogspot.com/
rose is always red ,see in http://{BLOCKED}gle.0catch.com/love.scr screen saver fromhttp://{BLOCKED}gle.blogspot.com/
The link, http://{BLOCKED}gle.0catch.com/love.scr, may point to a copy of itself. As of this writing, however, it is inaccessible.
SOLUTION
Minimum Scan Engine: 8.900
First VSAPI Pattern File: 8.325.00
First VSAPI Pattern Release Date: 31 Jul 2011
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Identify and terminate files detected as WORM_YAHLOVER.K
- If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
- If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.
Step 3
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Yahoo Messengger = %System%\scvhost.exe
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
- shared = {path of dropped copy in shared folder}
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- GlobalUserOffline = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
- AtTaskMaxHours = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- adv google = http://{BLOCKED}gle.blogspot.com
Step 4
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- From: Shell = Explorer.exe scvhost.exe
  To: Shell = Explorer.exe
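As an added example (not code from the Trend Micro description), the following Python checks a registry export in .reg format for the values listed under Autostart Technique and Other System Modifications and removed or restored in Steps 3 and 4; it runs offline on an export produced beforehand, and the sample export below is constructed.

```python
import re
# Registry values the description lists under Autostart Technique and Other System Modifications.
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
INDICATOR_VALUES = {
    HKCU_RUN: {"Yahoo Messengger", "adv google"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares": {"shared"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings": {"GlobalUserOffline"},
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule": {"AtTaskMaxHours"},
}

def parse_reg_export(text):
    """Parse [key] headers and "name"="string" lines of a .reg export into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            keys.setdefault(current, {})
        elif current is not None:
            pair = re.fullmatch(r'"([^"]+)"="(.*)"', line)
            if pair:  # .reg exports escape backslashes in string data as \\
                keys[current][pair.group(1)] = pair.group(2).replace("\\\\", "\\")
    return keys

def yahlover_registry_findings(reg_text):
    """Return one line per indicator present; an empty list means none were found."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key, names in INDICATOR_VALUES.items():
        for name, value in keys.get(key, {}).items():
            if name in names:
                findings.append(f"{key}\\{name} = {value}")
    # Winlogon Shell defaults to Explorer.exe; the worm appends scvhost.exe to it,
    # so any other value is reported (this is the value Step 4 restores).
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"{WINLOGON}\\Shell = {shell} (expected Explorer.exe)")
    return findings

# Constructed sample export (not real data) showing an infected configuration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\scvhost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe scvhost.exe"
"""
```

Value names are compared exactly as exported, so the misspelled "Yahoo Messengger" name from the description is matched as written.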
Step 5
Search and delete this file
- %System%\autorun.ini
- %System%\setting.ini
- %System%\CHECK01.exe
- %System%\CHECK02.exe
- %System%\CHECK03.exe
Step 6
Search and delete AUTORUN.INF files created by WORM_YAHLOVER.K that contain these strings
[AutoRun]
Open=scvhost.exe
Shellexe cute=scvhost.exe
Shell\Open\command=scvhost.exe
Shell=Open
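As an added example (not part of the description), this Python parser reports which [Autorun] keys of a given AUTORUN.INF point at scvhost.exe, covering both the strings listed under Propagation above and this step; key names are compared with internal whitespace removed so that the key listed here as "Shellexe cute" still matches, and the sample file content is constructed.

```python
import re

DROPPED_COPY = "scvhost.exe"  # name of the worm's dropped copy per the description
# autorun.inf keys that launch a program; all four appear in the description's strings.
AUTORUN_ACTION_KEYS = {"open", "shellexecute", r"shell\open\command", "shell"}

def parse_autorun_inf(text):
    """Return {section: {normalised_key: value}} for an INI-style autorun.inf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank lines and INI comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # section names are case-insensitive
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", "", key).lower()  # "Shellexe cute" -> "shellexecute"
            sections[current][key] = value.strip()
    return sections

def yahlover_autorun_findings(text):
    """List the [autorun] keys whose value references the dropped copy name."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    findings = []
    for key, value in autorun.items():
        if key in AUTORUN_ACTION_KEYS and DROPPED_COPY in value.lower():
            findings.append(f"{key}={value}")
    # Shell=Open selects the default verb; report it when that verb's command runs the copy.
    verb = autorun.get("shell", "").lower()
    if verb and DROPPED_COPY in autorun.get("shell\\" + verb + "\\command", "").lower():
        findings.append(f"default verb '{verb}' runs {DROPPED_COPY}")
    return findings

# Constructed sample reproducing the strings the description lists.
SAMPLE_AUTORUN_INF = """[Autorun]
Open=scvhost.exe
Shellexe cute=scvhost.exe
Shell\\Open\\command=scvhost.exe
Shell=Open
"""
```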
Step 7
Scan your computer with your Trend Micro product to delete files detected as WORM_YAHLOVER.K. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 8
Restore the following deleted registry entries from backup. Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer again.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
BkavFw
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
IEProtection