W32/Yahlover.worm.gen.e
- Type
- Virus
- SubType
- Worm
- Discovery Date
- 07/31/2008
- Length
- Varies
- Minimum DAT
- 5351 (07/31/2008)
- Updated DAT
- 5407 (10/16/2008)
- Minimum Engine
- 5.1.00
- Description Added
- 07/31/2008
- Description Modified
- 09/01/2008 2:50 AM (PT)
Overview
This threat is a generic detection for variants of W32/YahLover.worm that are obfuscated and packaged with AutoIt.
This worm spreads by using Yahoo Messenger and by Autorun.ini files created on removable drives, so that it may be automatically executed on systems where Autorun is enabled.
Characteristics
The worm copies itself to the following locations (the names may vary):
%WinDir%\hinhem.scr
%WinDir%\scvhost.exe
%WinDir%\system32\blastclnnn.exe
%WinDir%\system32\scvhost.exe
It also attempts to copy itself to network shares.
It creates the following file:
%WinDir%\system32\autorun.ini
Upon execution, the following registry element is changed:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
* shell = Explorer.exe scvhost.exe
The worm creates the following registry values:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares "Shared" = \New Folder.exe
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = 1
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System "DisableRegistryTools" = 1
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\System "DisableTaskMgr" = 1
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Yahoo Messengger" = %Path of W32/Yahlover.worm.gen.d%
The worm uses the Windows folder icon.
The worm checks whether the machine is connected to Yahoo Messenger and, at regular intervals, sends a message containing a link to W32/Yahlover.worm.gen.d to all of the Yahoo Messenger contacts.
Symptoms
The appearance of the above files and registry entries.
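The following read-only triage script is an added example for this page, not McAfee's tooling or anything shipped with the DAT files. It checks a Windows host for the files and registry values listed above, flags a Winlogon Shell value that is anything other than explorer.exe, and finishes with the AutoRun policy check that relates to the removable-drive vector described under Method of Infection. The function name Test-YahloverIndicators and its $WinDir parameter are my own; the file names, registry paths and value names are taken from the advisory.

```powershell
# Added example (not from the McAfee advisory): read-only triage check for the
# W32/Yahlover.worm.gen.e indicators. Run from an elevated PowerShell 5.1+ prompt.
# Function/parameter names are assumptions; paths and value names come from the advisory.
function Test-YahloverIndicators {
    [CmdletBinding()]
    param(
        # Root used for the %WinDir% paths in the advisory; defaults to the live system.
        [string]$WinDir = $env:WinDir
    )

    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Dropped files. The advisory notes the names may vary, so absence proves nothing.
    $droppedFiles = @(
        (Join-Path $WinDir 'hinhem.scr'),
        (Join-Path $WinDir 'scvhost.exe'),
        (Join-Path $WinDir 'system32\blastclnnn.exe'),
        (Join-Path $WinDir 'system32\scvhost.exe'),
        (Join-Path $WinDir 'system32\autorun.ini')
    )
    foreach ($path in $droppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings.Add("File present: $path")
        }
    }

    # 2. Winlogon Shell. A clean value is exactly "explorer.exe"; the worm appends
    #    scvhost.exe so its copy is started at every logon.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell is '$shell' (expected 'explorer.exe')")
    }

    # 3. Per-user values the worm writes: policy lockouts that hinder removal, the Run
    #    entry, and the WorkgroupCrawler share name used for the network-share copy.
    #    Only the currently loaded HKCU hive is inspected.
    $cu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    $userChecks = @(
        @{ Key = "$cu\Policies\Explorer"; Name = 'NoFolderOptions';      Test = { param($v) $v -eq 1 } },
        @{ Key = "$cu\Policies\System";   Name = 'DisableRegistryTools'; Test = { param($v) $v -eq 1 } },
        @{ Key = "$cu\Policies\System";   Name = 'DisableTaskMgr';       Test = { param($v) $v -eq 1 } },
        @{ Key = "$cu\Run";               Name = 'Yahoo Messengger';     Test = { param($v) $null -ne $v } },
        @{ Key = "$cu\Explorer\WorkgroupCrawler\Shares"; Name = 'Shared'; Test = { param($v) "$v" -like '*New Folder.exe' } }
    )
    foreach ($c in $userChecks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = $item.($c.Name)
        if (& $c.Test $value) {
            $findings.Add("Registry value set: $($c.Key)\$($c.Name) = $value")
        }
    }

    # 4. AutoRun exposure (infection vector). NoDriveTypeAutoRun = 0xFF disables AutoRun
    #    for every drive type; any other value leaves removable media able to launch
    #    autorun files, which is the condition the advisory says the worm relies on.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autorun = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($autorun -ne 0xFF) {
        $findings.Add("AutoRun not fully disabled: NoDriveTypeAutoRun = $autorun (expected 0xFF)")
    }

    return $findings
}

# Usage: print each finding as a warning. An empty result means none of the listed
# indicators were found on this host and user profile, not that the host is clean.
Test-YahloverIndicators | ForEach-Object { Write-Warning $_ }
```

The script only reads; removal still follows the advisory (the specified engine and DAT files). Because the HKCU checks see only the hive of the user running the script, repeat the run for each profile that has used the machine, or load the other NTUSER.DAT hives first. The Winlogon comparison is deliberately strict (anything but explorer.exe is reported) so that the same check also catches other persistence that abuses the Shell value.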
Method of Infection
The worm spreads by passing a malicious link to all user names listed in the Yahoo buddy list, and may also spread by Autorun.ini files created on removable drives, so that it may be automatically executed on systems where Autorun is enabled.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A