TROJ_YAB.A

Malware type: Trojan

Aliases: PWS-Pksob (McAfee), TR/Crypt.FKM.Gen (Avira)

In the wild: No

Destructive: No

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description: 

This Trojan drops malicious files in the Windows directory and hijacks the EXE file association so that one of them runs every time an EXE file is executed. It poses as an application that links the user to the Web sites of several antivirus vendors and to current virus news and information.


Description created: Sep. 26, 2002 2:04:54 PM GMT -0800
Description updated: Sep. 26, 2002 3:20:10 PM GMT -0800


TECHNICAL DETAILS


Size of malware: Setup file - 138,763 Bytes

Initial samples received on: Sep 26, 2002

Details:

Upon execution of the setup file, this malware drops the following files in the current directory:

  • CONTENT.HTM
  • EMBLEM-PK.JPG
  • FPHOVER.CLASS
  • FPHOVERX.CLASS
  • KASPERSKY.HTM
  • MAIN.HTM
  • MENU.HTM
  • PK.GIF
  • SNP.HTM
  • SOPHOS.HTM
  • TOP.HTM
  • TREND.HTM
  • PVIC.EXE

The dropped HTML (Hypertext Markup Language) files are non-malicious and direct the target user to the Web sites of different antivirus vendors. Likewise, the dropped JPG and GIF files contain no malicious instructions.

The file PVIC.EXE simply opens the dropped HTML files and also does not appear to be malicious.

The setup file contains an accompanying readme text file which states that the abovementioned dropped files may be deleted if the user opts to uninstall the software. However, it does not mention the following dropped files in the Windows directory:

  • SPOOL32.EXE
  • MMTASK.EXE
  • WINFILE64.DLL

Trend Micro detects SPOOL32.EXE and MMTASK.EXE as TROJ_YAB.A, while WINFILE64.DLL appears to be a non-malicious file. Note that the first two files are not copies of the setup file.

This Trojan then adds autorun registry entries so that SPOOL32.EXE and MMTASK.EXE are executed at every Windows startup. It modifies the registry as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
"Spooler Sub System Process" = "%WINDOWS%\SPOOL32.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices
"SchedulingAgant" = "MMTASK.EXE"

(The MMTASK.EXE entry gives no directory; Windows still finds the file because the Windows directory, where it was dropped, is on the default program search path.)

The following registry modifications cause the Trojan to execute every time an EXE file is run, with the path and arguments of the program the user actually launched passed on to it as %1 %*:

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = ""%WINDOWS%\SPOOL32" %1 %*"

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\
shell\open\command
(Default) = ""%WINDOWS%\SPOOL32" %1 %*"

(HKEY_CLASSES_ROOT\exefile is a view of the same data as HKEY_LOCAL_MACHINE\Software\CLASSES\exefile, so the change shows up under both paths. The original value of this entry is "%1" %*.)

The malware code contains an SMTP (Simple Mail Transfer Protocol) engine for sending email. Despite this, the Trojan does not appear to be capable of mass-mailing.

The code also contains references to a number of Web sites, some of which exist and some of which do not. The existing sites do not appear to be malicious, although they are maintained by known hackers.

It is written in Microsoft Visual C++.

Revision History:

First pattern file version: 1.354.37
First pattern file release date: Sep 26, 2002

SOLUTION


Minimum scan engine version needed: 7.500

Pattern file needed: 3.580.02

Pattern release date: Jul 19, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as TROJ_YAB.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier as TROJ_YAB.A.

  1. Open Windows Task Manager.
    On Windows 9x/ME systems, press
    CTRL+ALT+DELETE
    On Windows NT/2000/XP systems, press
    CTRL+SHIFT+ESC, and click the Processes tab.
  2. In the list of running programs*, locate the malware file or files detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 9x/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Addressing Registry Shell Spawning

Registry shell spawning executes the malware when a user tries to run a file of a type whose association has been hijacked (an EXE, a PIF, a COM, a BAT, or an HTA file). TROJ_YAB.A hijacks only the EXE association. The following procedure restores the registry to its original settings.

  1. Click Start>Run.
  2. In the Open input box, type:
    command /c copy %Windows%\regedit.exe regedit.com | regedit.com
    (REGEDIT.EXE cannot be started directly while the EXE association points at the Trojan; the copy named regedit.com starts through the COM file association, which this Trojan does not modify.)
  3. Press Enter.
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command
  5. In the right panel, locate the registry entry:
    Default
  6. Check whether its value is the path and filename of the malware file.
  7. If the value is the malware file, right-click Default and select Modify to change its value.
  8. In the Value data input box, delete the existing value and type the default value:
    "%1" %*
  9. Close Registry Editor.
  10. Click Start>Run, then type:
    command /c del %Windows%\regedit.com
  11. Press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

  1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  3. In the right panel, locate and delete these entries:
    "SchedulingAgant" = "MMTASK.EXE"
    "Spooler Sub System Process" = "%WINDOWS%\SPOOL32.EXE"
    *Where %Windows% is the Windows directory, which is usually C:\Windows or C:\WINNT.
  4. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
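The two registry changes covered by the procedures above (the EXE shell-spawning hijack and the RunServices autorun values described under Technical Details) can also be checked and undone from a REGEDIT export rather than by hand in the Registry Editor. The following Python script is an added example and is not Trend Micro code or a tool referenced by this write-up: it parses a .reg export, flags any exefile\shell\open\command whose default is not "%1" %*, lists every value under the Run, RunOnce, RunServices and RunServicesOnce keys, and writes a REGEDIT4 fragment that restores the default EXE handler and deletes only the autorun values that point at the files the scanner reported as TROJ_YAB.A. The sample export embedded in it is constructed from the values quoted on this page, with C:\WINDOWS standing in for %WINDOWS%; the Run\SystemTray entry is a made-up benign autorun included to show that unrelated entries are left alone. The function names are mine; the "name"=- deletion syntax and the REGEDIT4 / "Windows Registry Editor Version 5.00" headers are regedit's own. Version 5.00 exports are stored as UTF-16LE, so decode the file before passing its text to the parser.

```python
"""Audit a REGEDIT export for the persistence described in this write-up (EXE
shell-spawning hijack, RunServices autoruns) and emit a .reg fragment undoing it."""
import re

# Constructed sample of what REGEDIT would export from an infected host.  Values
# follow the page, C:\WINDOWS standing in for %WINDOWS%; Run\SystemTray is a
# made-up benign autorun, included to show that unrelated entries are left alone.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SPOOL32\" %1 %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Spooler Sub System Process"="C:\\WINDOWS\\SPOOL32.EXE"
"SchedulingAgant"="MMTASK.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
'''

EXE_DEFAULT = '"%1" %*'      # stock default value of exefile\shell\open\command
AUTORUN_KEYS = ("run", "runonce", "runservices", "runservicesonce")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data / @=data

def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def _program_of(cmd):
    """First quoted token, else first whitespace-delimited token, of a command line."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    return (m.group(1) or m.group(2)) if m else cmd

def parse_reg(text):
    """Return {key_path: {value_name: data}} for a REGEDIT4 / 5.00 export.  The
    default value is stored under "@"; dword:/hex: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith(("REGEDIT", "WINDOWS REGISTRY EDITOR")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def find_shell_hijacks(keys):
    r"""(key_path, current_command, spawned_program) for every
    ...\exefile\shell\open\command whose default is not the stock "%1" %*."""
    hits = []
    for path, values in keys.items():
        if path.lower().endswith(r"\exefile\shell\open\command"):
            cmd = values.get("@", "").strip()
            if cmd != EXE_DEFAULT:
                hits.append((path, cmd, _program_of(cmd)))
    return hits

def list_autoruns(keys):
    """(key_path, value_name, command) for every value under the Run* keys."""
    out = []
    for path, values in keys.items():
        parts = path.lower().split("\\")
        if parts[-1] in AUTORUN_KEYS and "currentversion" in parts:
            out.extend((path, n, d) for n, d in values.items() if n != "@")
    return out

def cleanup_reg(hijacks, autoruns, image_names):
    """REGEDIT4 text restoring the EXE handler and deleting only the autorun values
    whose program file name is in image_names.  '"name"=-' is regedit's delete syntax."""
    wanted = {n.lower() for n in image_names}
    sections = {}
    for path, _cmd, _prog in hijacks:
        sections.setdefault(path, []).append('@="\\"%1\\" %*"')
    for path, name, cmd in autoruns:
        image = _program_of(cmd).replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image in wanted:
            sections.setdefault(path, []).append('"%s"=-' % name.replace('"', '\\"'))
    lines = ["REGEDIT4", ""]
    for path, vals in sections.items():
        lines += ["[%s]" % path] + vals + [""]
    return "\n".join(lines)

def audit(text, image_names):
    keys = parse_reg(text)
    hijacks, autoruns = find_shell_hijacks(keys), list_autoruns(keys)
    return hijacks, autoruns, cleanup_reg(hijacks, autoruns, image_names)

if __name__ == "__main__":
    # image_names = the files the scanner reported as TROJ_YAB.A
    hijacks, autoruns, fix = audit(SAMPLE_REG, ["SPOOL32.EXE", "MMTASK.EXE"])
    for path, cmd, prog in hijacks:
        print("EXE handler hijacked in [%s]: %s  (spawns %s)" % (path, cmd, prog))
    for path, name, cmd in autoruns:
        print("autorun [%s] %s = %s" % (path, name, cmd))
    print("\n--- cleanup.reg ---\n" + fix)
```

Take the export with regedit /e dump.reg (optionally followed by one of the key paths above to limit it), feed its text to audit(), and import the generated fragment with regedit /s cleanup.reg only after the SPOOL32.EXE and MMTASK.EXE processes have been terminated. On a host where the EXE association is still hijacked, regedit itself has to be started through the regedit.com copy described in the procedure above.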

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as TROJ_YAB.A. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
