W32/YahLover.worm

Type: Virus
SubType: Worm
Discovery Date: 09/05/2006
Length: Varies
Minimum DAT: 4845 (09/05/2006)
Updated DAT:
Low
Home User: Low

Characteristics

----------- Updated on Jan-30-2012 ------------

W32/YahLover.worm is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.

It also disables system tools such as Task Manager, Registry Editor and Folder Options.

When executed, the worm copies itself into the following locations:

  • %Windir%\system32\regsvr.exe
  • %Windir%\system32\svchost .exe
  • %Windir%\regsvr.exe
  • :[Removable Drive]:\New Folder .exe
  • :[Removable Drive]:\regsvr.exe

The following files have been added to the system.

  • %Windir%\system32\28463\svchost.001
  • %Windir%\Tasks\At1.job
  • %Windir%\system32\setup.ini
  • %Windir%\system32\setting.ini

It also drops an autorun.inf file into the root of all removable and mapped drives in an attempt to launch an executable automatically when the drive is accessed.

The AutoRun.inf file points to the malware executable. When the removable or network drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.

  [Autorun]
  Open=regsvr.exe
  Shellexecute=regsvr.exe
  Shell\Open\command=regsvr.exe
  Shell=Open
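The listing above is what an autorun.inf prepared this way looks like: two directives fire on AutoRun, a third adds a context-menu verb, and the last makes that verb the default so even a double-click on the drive runs the file. The following Python script is an added example, not part of the McAfee description, that parses such a file and reports every directive which would launch something from the drive. The worm's [Autorun] content is reproduced from the listing, the benign sample is constructed, and the function names are the example's own.

```python
"""Triage the contents of an autorun.inf for directives that launch a file.

Added example (not McAfee's code).  WORM_AUTORUN reproduces the [Autorun]
content from the description; BENIGN_AUTORUN is a constructed contrast case.
"""
import configparser
import re
from typing import Dict, List

# 'open' and 'shellexecute' run a file when AutoRun fires; 'shell\<verb>\command'
# adds a context-menu verb and 'shell=<verb>' makes that verb the default action,
# so a plain double-click on the drive icon also runs the file.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")

WORM_AUTORUN = """[Autorun]
Open=regsvr.exe
Shellexecute=regsvr.exe
Shell\\Open\\command=regsvr.exe
Shell=Open
"""

BENIGN_AUTORUN = """[autorun]
icon=setup.ico
label=Holiday photos
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [Autorun] section as a dict.  configparser lower-cases the
    option names, which matches the case-insensitive handling on Windows."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def _target(value: str) -> str:
    """File named by a directive: the quoted path if quoted, else the whole value."""
    value = value.strip()
    if value.startswith('"') and value.count('"') >= 2:
        return value.split('"')[1]
    return value


def triage_autorun(text: str) -> List[str]:
    """One finding per directive that would execute a file from the drive."""
    entries = parse_autorun(text)
    findings: List[str] = []
    verb_targets: Dict[str, str] = {}
    for key, value in entries.items():
        target = _target(value)
        if not target:
            continue
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= runs '{target}' when AutoRun fires")
        match = VERB_COMMAND.match(key)
        if match:
            verb_targets[match.group(1)] = target
            findings.append(f"{key}= defines verb '{match.group(1)}' running '{target}'")
    # 'shell=<verb>' changes the default action; dangerous when the verb is one
    # the file defined itself.
    default_verb = entries.get("shell", "").strip().lower()
    if default_verb in verb_targets:
        findings.append(f"shell={default_verb} makes double-click run '{verb_targets[default_verb]}'")
    elif default_verb:
        findings.append(f"shell={default_verb} overrides the default verb")
    return findings


if __name__ == "__main__":
    for line in triage_autorun(WORM_AUTORUN):
        print(line)
    print("benign findings:", triage_autorun(BENIGN_AUTORUN))
```

Run against the worm's content the script reports four findings (open, shellexecute, the shell\open\command verb and the shell=open default), and none for the benign file, which only sets an icon and a label.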

The following registry key has been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared = "\New Folder .exe"
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 0x00000000
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001

The registry values above are how the worm disables Task Manager, Registry Editor and Folder Options.

  • [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Run]
    Msn Messsenger = "%Windir%\system32\regsvr.exe"

This Run entry registers the worm on the compromised system so that it executes at every boot.

The following registry values have been modified on the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe regsvr.exe"

Replacing the Winlogon Shell value registers the worm with the compromised system so that it executes at every boot.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId = 0x00000002

The following folder has been added to the system.

  • %Windir%\system32\28463

 

----------- Updated Jan-29-2011 ------------

File Information -

MD5 - 3A15F65F7447161F018513D71847F890
SHA1 - B3A7F22C47BF3D9CA2AA33F604D663DD0BA41A46

Aliases -

    • Comodo   - Worm.Win32.AutoIt.~NUP
    • Microsoft - Worm:Win32/Sohanad.AQ
    • Kaspersky - Worm.Win32.AutoIt.ch
    • Ikarus - Worm.Win32.AutoIt

W32/YahLover.worm is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.
It also disables system tools such as Task Manager, Registry Editor and Folder Options.

Upon execution, the worm connects to the site "rnd009. [removed]ges.com" through port 80 to download malicious files.

The worm copies itself into the following locations:

    • %Windir%\system32\gphone.exe
    • %Windir%\gphone.exe

The following files have been dropped:

    • %Windir%\system32\autorun.ini
    • %Windir%\Tasks\At1.job

The worm attempts to spread by creating an autorun.ini file, which runs the worm automatically on systems where the drive is set to Autorun.

The following registry keys have been added:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_USERS\S-1- [Varies]\Software\Policies\Microsoft\Internet Explorer\Control Panel

The following registry values have been added:

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours = 0x00000000
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours = 0x00000000

The worm spreads to mapped drives, such as network shares and removable drives, by way of the following registry entry:

    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared = "\New Folder.exe"

The following registry values show that the worm disables Regedit, Folder Options in Windows Explorer, and Task Manager:

    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions = 0x00000001
    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr =  0x00000001
    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 0x00000001

The following registry entries ensure that "gphone.exe" executes every time Windows starts:

    • HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "%Windir%\System32\gphone.exe"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe gphone.exe"
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\NextAtJobId = 0x00000002

The following registry value has been modified:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = <RND009. [removed]ges.com google.html>

After execution, the worm changes the browser home page to "rnd009.[removed]ges.com/google.html".

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
-----------------

----------------------- Updated June-26-2010 -----------------------

File Information -

MD5 - E3FFC5B9371B3B287B1243A6D3787A80
SHA1 - 80E3886BC3F879C9D848FAE16446C77F4EE2D417

Aliases -

    • Kaspersky   - Trojan.Win32.KillAV.ayh
    • Microsoft - Worm:Win32/Sohanad.I
    • Norman - W32/Obfuscated.H3!genr
    • Symantec - W32.Imaut.A

W32/YahLover.worm is a worm detection written in AutoIT script that spreads via Yahoo Messenger, removable drives and network shares.
It sends a message to all of the infected user's contacts with a link to a copy of itself.

Upon execution, the worm connects to the site "setting3.[removed]mb.com" through port 80 to download malicious files.

The worm copies itself into the following locations:

    • %Windir%\system32\SCVVHSOT.exe [Detected as W32/YahLover.worm]
    • %Windir%\system32\blastclnnn.exe [Detected as W32/YahLover.worm]
    • %Windir%\SCVVHSOT.exe [Detected as W32/YahLover.worm]

The following files have been dropped:

    • %Windir%\system32\autorun.ini [Detected as W32/Hakaglan.inf]
    • %Windir%\system32\setting.ini
    • %Windir%\Tasks\At1.job
    • %UserProfile%\ Local Settings\Temporary Internet Files\Content.IE5\2NVJ9NG7\abuseFrozen[1].htm

The worm attempts to spread by creating an autorun.ini file, which runs the worm automatically on systems where the drive is set to Autorun.

The following registry key has been added:

    • HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System

The following registry value has been added:

    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\]
      AtTaskMaxHours =

The worm spreads to mapped drives, such as network shares and removable drives, by way of the following registry entry:

    • [HKEY_USERS\S-1- [Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\]
      shared = "\New Folder.exe"

The following registry values show that the worm disables Folder Options in Windows Explorer and Task Manager:

    • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
      NofolderOptions = 0x00000001
    • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
      DisableTaskMgr =  0x00000001
      DisableRegistryTools = 0x00000001

The following registry entries ensure that "Scvvhsot.exe" executes every time Windows starts:

    • [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\]
      Yahoo Messengger = "%Windir%\System32\SCVVHSOT.exe"
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
      Shell = "Explorer.exe SCVVHSOT.exe"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\]
      NextAtJobId = 0x00000002

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%UserProfile%\ = C:\Documents and Settings\[UserName]\Local Settings

-----------------------

Update December 7, 2007

McAfee Avert Labs has found a false detection with W32/Yahlover.worm and will be releasing the 5181 DAT Files to correct this issue. The false detection is being seen on certain AutoIT 3.2.2.0 compiled executables.


The worm changes the custom "away" message in yahoo messenger to point to its download location.

Files Added

  • %WINDIR%\taskmng.exe 

Later variants may also add the following file:

  • %SYSDIR%\Autorun.ini

Registry

The following registry keys are created:

  • hkey_local_machine\software\microsoft\windows\currentversion\run\task manager="%WINDIR%\taskmng.exe"
  • hkey_current_user\software\microsoft\windows\currentversion\policies\system\disableregistrytools="1"
  • hkey_current_user\software\microsoft\windows\currentversion\policies\system\disabletaskmgr="1"
  • hkey_current_user\software\yahoo\pager\view\ymsgr_launchcast\content url=http[dot]//chendang.net[blocked]
  • hkey_current_user\software\yahoo\pager\view\ymsgr_buzz\content url=http[dot]//chendang.net[blocked]
  • hkey_current_user\software\microsoft\internet explorer\main\start page=http[dot]//chendang.net[blocked]
  • hkey_current_user\software\microsoft\internet explorer\main\window title="[Random]"

The URLs these registry values point to vary between variants; some of them are:

  • http[dot]//VuiVeVN.HP[blocked]
  • http[dot]//minhnhut.[blocked]

 

Symptoms

Method of Infection

Removal

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click "Repair Your Computer".
3. When the System Recovery Options dialog appears, choose Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Restart the computer and remove the CD from the CD-ROM drive.

Variants

    N/A

Overview

Aliases

  • W32/YahLover.worm.a
  • W32/YahLover.worm.gen
