W32/YahLover.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 09/05/2006
- Length: Varies
- Minimum DAT: 4845 (09/05/2006)
- Updated DAT: 6083 (08/23/2010)
- Minimum Engine: 5.3.00
- Description Added: 09/18/2006
- Description Modified: 06/25/2010 7:22 PM (PT)
Characteristics
----------------------- Updated June-26-2010 -----------------------
File Information -
MD5 - E3FFC5B9371B3B287B1243A6D3787A80
SHA1 - 80E3886BC3F879C9D848FAE16446C77F4EE2D417
Aliases -
- Kaspersky - Trojan.Win32.KillAV.ayh
- Microsoft - Worm:Win32/Sohanad.I
- Norman - W32/Obfuscated.H3!genr
- Symantec - W32.Imaut.A
W32/YahLover.worm is a detection for a worm written in AutoIt script that spreads via Yahoo Messenger, removable drives and network shares.
It sends a message to all of the infected user's contacts containing a link to a copy of itself.
Upon execution, the worm connects over TCP port 80 to setting3.[removed]mb.com to download further malicious files.
The worm copies itself to the following locations:
- %Windir%\system32\SCVVHSOT.exe [Detected as W32/YahLover.worm]
- %Windir%\system32\blastclnnn.exe [Detected as W32/YahLover.worm]
- %Windir%\SCVVHSOT.exe [Detected as W32/YahLover.worm]
The following files are dropped:
- %Windir%\system32\autorun.ini [Detected as W32/Hakaglan.inf]
- %Windir%\system32\setting.ini
- %Windir%\Tasks\At1.job
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\2NVJ9NG7\abuseFrozen[1].htm
The worm attempts to spread by creating an autorun.ini file on the drives it can reach, so that the worm runs automatically on systems where AutoRun is enabled for those drives.
The following registry key is added:
- HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System
The following registry value is added:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\]
AtTaskMaxHours =
The following registry entry, which records a copy of the worm named "New Folder.exe" placed on a share, indicates that the worm also spreads to mapped drives such as network shares and removable drives:
- [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\]
shared = "\New Folder.exe"
The following registry values show that the worm disables Folder Options in Windows Explorer, Task Manager and the registry editing tools:
- [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
NoFolderOptions = 0x00000001
- [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\System\]
DisableTaskMgr = 0x00000001
DisableRegistryTools = 0x00000001
The following registry values ensure that SCVVHSOT.exe executes every time Windows starts. The Winlogon Shell value chains the worm after Explorer.exe, and the Schedule service's NextAtJobId counter reflects the At1.job scheduled task listed above:
- [HKEY_USERS\S-1-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\]
Yahoo Messengger = "%Windir%\System32\SCVVHSOT.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\]
Shell = "Explorer.exe SCVVHSOT.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\]
NextAtJobId = 0x00000002
These are general defaults for typical path variables (they may differ, but these examples are common):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SysDir% = %WinDir%\SYSTEM32 (Windows NT/2000/XP/Vista), %WinDir%\SYSTEM (Windows 9x/ME)
%UserProfile% = C:\Documents and Settings\[UserName]
-----------------------
Update December 7, 2007
McAfee Avert Labs has found a false detection with W32/YahLover.worm and will be releasing the 5181 DAT files to correct it. The false detection is seen on certain executables compiled with AutoIt 3.2.2.0.
The worm changes the custom "away" message in Yahoo Messenger to point to its download location.

Files Added
- %WINDIR%\taskmng.exe
Later variants may also add the following file:
- %SYSDIR%\Autorun.ini
Registry
The following registry values are created:
- hkey_local_machine\software\microsoft\windows\currentversion\run\task manager = "%WINDIR%\taskmng.exe"
- hkey_current_user\software\microsoft\windows\currentversion\policies\system\disableregistrytools = "1"
- hkey_current_user\software\microsoft\windows\currentversion\policies\system\disabletaskmgr = "1"
- hkey_current_user\software\yahoo\pager\view\ymsgr_launchcast\content url = http[dot]//chendang.net[blocked]
- hkey_current_user\software\yahoo\pager\view\ymsgr_buzz\content url = http[dot]//chendang.net[blocked]
- hkey_current_user\software\microsoft\internet explorer\main\start page = http[dot]//chendang.net[blocked]
- hkey_current_user\software\microsoft\internet explorer\main\window title = "[Random]"
The URLs these values point to vary between variants; examples include:
- http[dot]//VuiVeVN.HP[blocked]
- http[dot]//minhnhut.[blocked]
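The registry values listed under Characteristics (the June 2010 persistence and policy entries) and the December 2007 entries directly above are the durable artefacts a responder can check for on a suspect machine. The following Python script is an added example, not McAfee's tooling and not the worm's code: it parses a .reg export (the text written by reg.exe's export command) and reports values matching those indicators, folding HKEY_USERS\S-1-... and HKCU paths together so one rule covers both forms. The REG_SAMPLE export is constructed for the demonstration, and http://example.invalid/ stands in for the blocked download URLs.

```python
"""Scan a Windows registry export (.reg text, as written by "reg export") for the
persistence and policy-tampering values this write-up attributes to W32/YahLover.worm.
Added example, not McAfee's tooling; REG_SAMPLE is constructed for the demonstration
and http://example.invalid/ stands in for the blocked download URLs."""
import re

WORM_EXES = {"scvvhsot.exe", "blastclnnn.exe", "taskmng.exe"}  # names from the write-up

REG_SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\System32\\SCVVHSOT.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SCVVHSOT.exe"
[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_USERS\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz]
"content url"="http://example.invalid/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"Window Title"="xK3q"
"""

_USER_HIVE = re.compile(r"^(hkey_users\\[^\\]+|hkey_current_user|hkcu)\\", re.I)
_MACHINE_HIVE = re.compile(r"^(hkey_local_machine|hklm)\\", re.I)
_CONTROL_SET = re.compile(r"\\controlset\d{3}\\", re.I)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

def canonical_key(key):
    """Fold any per-user hive (HKEY_USERS\\<SID> or HKCU) to HKU\\ and ControlSet00N to CurrentControlSet."""
    key = _USER_HIVE.sub(lambda m: "HKU\\", key)
    key = _MACHINE_HIVE.sub(lambda m: "HKLM\\", key)
    return _CONTROL_SET.sub(lambda m: "\\CurrentControlSet\\", key)

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text):
    """Yield (key, value_name, data); strings are unescaped, dword values become ints."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue  # header, blank line, comment or hex continuation line
        name = "" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        yield key, name, data

def check_value(key, name, data):
    """Return a finding label when (key, name, data) matches an indicator from the write-up."""
    k, n = canonical_key(key).lower(), name.lower()
    if k.endswith(r"\software\microsoft\windows\currentversion\run") and isinstance(data, str):
        if data.strip('"').rsplit("\\", 1)[-1].lower() in WORM_EXES:
            return "autostart entry runs a worm binary"
    if k.endswith(r"\windows nt\currentversion\winlogon") and n == "shell":
        if isinstance(data, str) and data.strip().lower() != "explorer.exe":
            return "Winlogon Shell hijacked (program chained after Explorer.exe)"
    if k.endswith(r"\currentversion\policies\system") and data == 1:
        if n == "disabletaskmgr":
            return "policy disables Task Manager"
        if n == "disableregistrytools":
            return "policy disables Registry Editor"
    if k.endswith(r"\currentversion\policies\explorer") and n == "nofolderoptions" and data == 1:
        return "policy hides Folder Options"
    if re.search(r"\\software\\yahoo\\pager\\view\\ymsgr_(launchcast|buzz)$", k) and n == "content url":
        return "Yahoo Messenger view URL redirected"
    if k.endswith(r"\software\microsoft\internet explorer\main") and n == "window title":
        return "Internet Explorer window title overwritten"
    return None

def _host(url):
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0]

def scan_reg_export(text):
    """Return [(finding, key, name, data)] for every hit. A changed IE start page is
    benign on its own, so it is reported only when it points at the same host as a
    redirected Yahoo Messenger view, the pairing this write-up describes."""
    values = list(parse_reg_export(text))
    findings, hosts = [], set()
    for key, name, data in values:
        hit = check_value(key, name, data)
        if hit:
            findings.append((hit, key, name, data))
            if hit.startswith("Yahoo Messenger"):
                hosts.add(_host(data))
    for key, name, data in values:
        if (canonical_key(key).lower().endswith(r"\software\microsoft\internet explorer\main")
                and name.lower() == "start page" and isinstance(data, str) and _host(data) in hosts):
            findings.append(("Internet Explorer start page points at the worm's download host", key, name, data))
    return findings
```

Run scan_reg_export over an export of HKEY_USERS and HKEY_LOCAL_MACHINE taken from the suspect machine (or from an offline hive mounted with reg.exe load); the sample above yields eight findings and leaves the benign ctfmon.exe autostart alone. A hit on the Winlogon Shell value is the one to remediate first, since it re-launches the worm at every logon even after the Run entry is removed.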
Symptoms
------------ Updated on June-26-2010 -----------------
- Connections to the website free[Removed].com, used for further malicious activity.
-------------------------
- Presence of the registry keys and files listed above.
- A message window containing the download link appears automatically at frequent intervals.

Method of Infection
The worm spreads by sending a malicious link to every name in the infected user's Yahoo buddy list. Later variants may also spread by Autorun.ini files created on removable drives, so that they are executed automatically on systems where AutoRun is enabled.
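The AutoRun spreading method mentioned here and under Characteristics relies on the file Windows consults at the root of a drive, which is named autorun.inf (the write-up lists the worm's own copy in system32 as autorun.ini). The following Python script is an added example, not McAfee's tooling and not the worm's file: it inspects an autorun.inf for the directives that launch a program and decodes the NoDriveTypeAutoRun policy value that decides whether Windows honours them. AUTORUN_SAMPLE is a constructed file in the style USB worms use; the "New Folder.exe" name echoes the share entry listed above but the file contents are assumed.

```python
"""Check a removable drive's autorun.inf for directives that launch a program, and
decode the NoDriveTypeAutoRun policy that decides whether Windows honours them.
Added example, not McAfee's tooling or the worm's own file; AUTORUN_SAMPLE is a
constructed autorun.inf in the style used by USB worms."""
import re

LAUNCH_KEYS = {"open", "shellexecute"}  # [autorun] directives that run a program
_EXE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs)(\s|$)", re.I)

AUTORUN_SAMPLE = """[autorun]
open=New Folder.exe
shellexecute=New Folder.exe
shell\\Open\\command=New Folder.exe
shell\\Explore\\command=New Folder.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""


def launch_directives(text):
    """Return [(directive, target)] for each [autorun] entry that runs something:
    open= and shellexecute= (run on insertion when AutoRun is enabled) and
    shell\\<verb>\\command= (replaces the Open/Explore actions in the drive's
    context menu, so the target runs even when the user only double-clicks the
    drive). Other sections and keys such as icon= or label= are ignored."""
    hits, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, target = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key.lower()):
            hits.append((key, target))
    return hits


def launches_executable(text):
    """True when any launch directive targets a file with an executable extension."""
    return any(_EXE_EXT.search(target.strip('"')) for _, target in launch_directives(text))


# NoDriveTypeAutoRun (HKLM or HKCU ...\Policies\Explorer): bit n suppresses AutoRun
# for drives whose GetDriveType() result is n. 0xFF suppresses every type; the
# Windows XP default of 0x91 leaves removable and fixed drives enabled.
DRIVE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK",
}


def autorun_suppressed_for(no_drive_type_autorun):
    """Drive types for which the policy value suppresses AutoRun."""
    return [name for bit, name in DRIVE_BITS.items() if no_drive_type_autorun & bit]


def removable_autorun_blocked(no_drive_type_autorun):
    """True when the policy prevents AutoRun on removable (USB) drives, the
    setting that defeats this worm's second spreading method."""
    return bool(no_drive_type_autorun & 0x04)


if __name__ == "__main__":
    for directive, target in launch_directives(AUTORUN_SAMPLE):
        print(f"{directive} -> {target}")
    print("executable payload:", launches_executable(AUTORUN_SAMPLE))
    print("XP default 0x91 blocks removable AutoRun:", removable_autorun_blocked(0x91))
    print("0xFF suppresses:", autorun_suppressed_for(0xFF))
```

Setting NoDriveTypeAutoRun to 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer is the conventional hardening for the systems this write-up covers; Microsoft later changed Windows (update KB967715, 2009) to stop honouring autorun.inf on non-optical media regardless of this value, so on patched systems the shell\<verb>\command hijack is the part of the file that still matters, because it rewrites what a double-click on the drive does.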
Removal
AVERT recommends always using the latest DATs and engine; with that combination this threat is detected and cleaned.
Variants
N/A
Overview
This worm spreads by using Yahoo Messenger. Later variants may also spread by Autorun.ini files created on removable drives, so that they are executed automatically on systems where AutoRun is enabled.
It sends download links to all the members of the infected user's Yahoo buddy list. Once the link is clicked, a VB script downloads and executes the worm on the victim's machine. The VB script is proactively detected as VBS/Psyme with current DATs. Variants of this worm have been detected proactively since DAT 4845 as Generic Startpage.r.
Aliases
- W32/YahLover.worm.a
- W32/YahLover.worm.gen