Saturday, February 25, 2012

Worm:Win32/Yimfoca


Encyclopedia entry
Updated: Apr 19, 2011  |  Published: Apr 07, 2011

Aliases
  • Win-Trojan/Buzus.87552.AY (AhnLab)
  • IM-Worm.Win32.Yahos.ij (Kaspersky)
  • Worm.Yimfoca!qyIKPJ+HxCs (VirusBuster)
  • Generic.Palevo.1.DC20DA44 (BitDefender)
  • Win32/Koobface.ACG (CA)
  • Worm.Win32.Slenfbot (Ikarus)
  • W32.Yimfoca (Symantec)
  • WORM_IMBOT.ZT (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.332.0
Released: Feb 24, 2012
Detection initially created:
Definition: 1.93.731.0
Released: Oct 29, 2010

Summary

Worm:Win32/Yimfoca spreads via common instant messaging applications and social networking sites. It is capable of connecting to a remote HTTP or IRC server to receive updated configuration data. It also modifies certain system and security settings.

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    %windir%\nvsvc32.exe
  • The presence of the following registry modifications:
    In subkeys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "NVIDIA driver monitor"
    With data: "%windir%\nvsvc32.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "NVIDIA driver monitor"
    With data: "%windir%\nvsvc32.exe"
  • Your Internet browser may open to the social networking site Myspace without your interaction.

Technical Information (Analysis)

Installation
Worm:Win32/Yimfoca drops a copy of itself as the following file:
  • %windir%\nvsvc32.exe
It creates the following mutex to prevent more than one instance of itself from running at a time:
  • Nvidia Drive Mon
It adds the following registry entries so that it can run every time Windows starts:
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"
After Worm:Win32/Yimfoca drops and installs a copy of itself, it opens a new Internet browser window to the "Browse" page of the social network Myspace and then terminates, while its dropped copy continues running.
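The following PowerShell script is an added example, not part of the original encyclopedia entry, that sweeps a host for the artifacts listed in the Symptoms and Installation sections above: the dropped file, the three Run-key values, the mutex, and any running process whose image is the dropped path. The file path, value name, key paths and mutex name are the ones given above; the extra Global\ form of the mutex name and the match on Run data that points at nvsvc32.exe are assumptions, since the entry states neither the mutex namespace nor whether variants rename the value.

```powershell
# Added example (not from the encyclopedia entry): read-only sweep for the
# Worm:Win32/Yimfoca persistence artifacts described above. Run it from an
# elevated prompt in the affected user's session. Nothing is removed.

$IocFile      = Join-Path $env:windir 'nvsvc32.exe'
$IocValueName = 'NVIDIA driver monitor'
$IocMutexName = 'Nvidia Drive Mon'

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # Terminal Services install-mode shadow of Run: on terminal servers the
    # values here are copied into user hives at logon, so clean it as well.
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Provider metadata that Get-ItemProperty attaches to every key object
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Find-YimfocaPersistence {
    $findings = @()

    # 1. Dropped copy. The path matters: the worm borrows the name of NVIDIA's
    #    driver helper service binary, but drops into %windir% itself.
    if (Test-Path -LiteralPath $IocFile) {
        $f = Get-Item -LiteralPath $IocFile
        $findings += [pscustomobject]@{
            Indicator = 'File'; Location = $IocFile
            Detail    = ('{0} bytes, modified {1}' -f $f.Length, $f.LastWriteTime)
        }
    }

    # 2. Run-key values. Match on the value name or on data pointing at the
    #    dropped file (assumption), so a variant that renames the value is
    #    still caught.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($PsNoise -contains $p.Name) { continue }
            $data = [string]$p.Value
            if ($p.Name -eq $IocValueName -or $data -like '*\nvsvc32.exe*') {
                $findings += [pscustomobject]@{
                    Indicator = 'Registry'; Location = "$key\$($p.Name)"; Detail = $data
                }
            }
        }
    }

    # 3. Mutex. OpenExisting succeeds only while some process holds the mutex,
    #    so a hit means an instance is running now. An unprefixed name is
    #    session-local, hence the advice to run in the affected session; the
    #    Global\ form is an assumption, as the entry does not give a namespace.
    foreach ($name in $IocMutexName, "Global\$IocMutexName") {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name)
            $m.Dispose()
            $findings += [pscustomobject]@{ Indicator = 'Mutex'; Location = $name; Detail = 'held by a running process' }
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
            # not present: the expected result on a clean host
        } catch [System.UnauthorizedAccessException] {
            # present, but this token lacks rights on it: still a hit
            $findings += [pscustomobject]@{ Indicator = 'Mutex'; Location = $name; Detail = 'exists (access denied)' }
        }
    }

    # 4. Running process whose image is the dropped file. Path is $null for
    #    processes we cannot query without elevation, hence the guard.
    foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
        if ($proc.Path -and ($proc.Path -ieq $IocFile)) {
            $findings += [pscustomobject]@{ Indicator = 'Process'; Location = "PID $($proc.Id)"; Detail = $proc.Path }
        }
    }

    return $findings
}

$hits = Find-YimfocaPersistence
if (-not $hits) { 'No Worm:Win32/Yimfoca persistence indicators found.' }
else { $hits | Format-Table -AutoSize }
```

A mutex hit is the strongest signal of the four, because it can only come from a live instance; a file or Run value alone may be a leftover from an earlier, partial clean-up.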
Spread via...
Instant Messaging programs and social networks
Worm:Win32/Yimfoca spreads by sending malicious web links to the affected user's contacts in any of the following instant messaging applications:
  • AOL Instant Messenger
  • MSN Messenger
  • Skype
  • Yahoo! Messenger

It also posts malicious web links to the user's friends on the social networking site Facebook.
It uses social engineering to entice users into running the malware; for instance, the link may pose as a link to a photo or a video.
Payload
Modifies security settings
Worm:Win32/Yimfoca adds its dropped copy to the Windows Firewall list of authorized applications so that its network traffic is not blocked. It does this by adding the following registry entry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%windir%\nvsvc32.exe"
With data: "%windir%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
Terminates and disables services and processes
Worm:Win32/Yimfoca attempts to stop and disable the Windows Automatic Updates service (wuauserv) and the Microsoft Antimalware service (MsMpSvc, used by Microsoft Security Essentials) by running the following commands:
net stop wuauserv
net stop MsMpSvc
sc config wuauserv start= disabled
sc config MsMpSvc start= disabled
The net stop commands halt the running services; the sc config commands set their startup type to Disabled so they do not return after a reboot. (sc.exe requires the space after the equals sign, as written above.)
In addition, if it finds the Microsoft Security Essentials process running on the computer, it attempts to terminate the process and delete its executable.
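As an added example (not from the entry), the function below checks for the firewall exception and the two disabled services described in this section and, with -Fix, reverses them. It needs Windows PowerShell 3 or later for Get-CimInstance. The check of the ...\FirewallRules key is an addition for Vista and later, where the firewall stores its rules there rather than in the XP-era AuthorizedApplications list the entry names. It cannot restore a Microsoft Security Essentials binary the worm has deleted.

```powershell
# Added example (not from the encyclopedia entry): report and, with -Fix,
# reverse the security-setting changes attributed to Worm:Win32/Yimfoca.
# Run elevated. Needs Windows PowerShell 3 or later (Get-CimInstance).

$FwLegacyList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$FwRuleStore  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$WormPath     = Join-Path $env:windir 'nvsvc32.exe'
# wuauserv: Automatic Updates. MsMpSvc: Microsoft Antimalware (Security
# Essentials). On Windows 8 and later Defender runs as WinDefend instead.
$Services     = 'wuauserv', 'MsMpSvc'

function Repair-YimfocaSecuritySettings {
    param([switch]$Fix)   # without -Fix, only report
    $report = @()

    # XP/2003 firewall: one value per authorized program, named after the
    # program path, with data "<path>:*:Enabled:<display name>".
    $legacy = Get-ItemProperty -LiteralPath $FwLegacyList -Name $WormPath -ErrorAction SilentlyContinue
    if ($legacy) {
        $action = 'present'
        if ($Fix) { Remove-ItemProperty -LiteralPath $FwLegacyList -Name $WormPath; $action = 'removed' }
        $report += [pscustomobject]@{ Item = 'Legacy firewall exception'; Detail = $legacy.$WormPath; Action = $action }
    }

    # Vista and later: rules live under ...\FirewallRules as "|"-delimited
    # strings; the App= field carries the program path.
    if (Test-Path -LiteralPath $FwRuleStore) {
        $rules = Get-ItemProperty -LiteralPath $FwRuleStore
        foreach ($r in $rules.PSObject.Properties) {
            if ([string]$r.Value -notlike "*|App=$WormPath|*") { continue }
            $action = 'present'
            if ($Fix) { Remove-ItemProperty -LiteralPath $FwRuleStore -Name $r.Name; $action = 'removed' }
            $report += [pscustomobject]@{ Item = "Firewall rule $($r.Name)"; Detail = $r.Value; Action = $action }
        }
    }

    # Services the worm stops and sets to Disabled. Re-enabling alone does
    # not start them, so start them too.
    foreach ($svc in $Services) {
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'"
        if (-not $s) { continue }   # MsMpSvc exists only where MSE is installed
        $action = 'none'
        if ($Fix -and $s.StartMode -eq 'Disabled') {
            Set-Service -Name $svc -StartupType Automatic
            Start-Service -Name $svc -ErrorAction SilentlyContinue
            $action = 'set to Automatic and started'
        }
        $report += [pscustomobject]@{ Item = "Service $svc"; Detail = "$($s.StartMode), $($s.State)"; Action = $action }
    }

    return $report
}

Repair-YimfocaSecuritySettings | Format-Table -AutoSize          # report only
# Repair-YimfocaSecuritySettings -Fix | Format-Table -AutoSize   # and undo the changes
```

Run it once without -Fix to see the current state, then with -Fix from an elevated prompt. Adjust the startup type if Automatic is not the baseline for wuauserv on the host, and reinstall Security Essentials if its executable is missing, since no registry change brings that back.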
Connects to a remote server
Worm:Win32/Yimfoca has been observed attempting to connect to any of the following servers using predefined ports:
  • 142.45.183.2
  • 142.45.183.239
  • 142.45.183.241
  • 142.45.183.244
  • 142.45.183.248
  • 142.45.183.249
  • 142.45.183.252
  • 142.45.183.254
  • 142.45.183.3
  • 142.45.183.7
  • 142.45.183.8
  • 142.45.184.1
  • 142.45.184.10
  • 142.45.184.12
  • 142.45.184.240
  • 142.45.184.243
  • 142.45.184.248
  • 142.45.184.253
  • 142.45.184.254
  • 142.45.184.3
  • 142.45.184.4
  • 142.45.184.5
  • 142.45.185.0
  • 142.45.185.10
  • 142.45.185.11
  • 142.45.185.12
  • 142.45.185.13
  • 142.45.185.251
  • 142.45.185.252
  • 142.45.185.3
  • 142.45.185.9
  • 142.45.186.0
  • 142.45.186.11
  • 142.45.186.13
  • 142.45.186.2
  • 142.45.186.241
  • 142.45.186.243
  • 142.45.186.245
  • 142.45.186.252
  • 142.45.186.253
  • 142.45.186.254
  • 174.37.200.82
  • 239.160.147.53
The remote computers above may run an HTTP server, an IRC server, or both. If Worm:Win32/Yimfoca successfully connects to any of them, it receives configuration data, such as the message templates it uses when propagating. One entry in the list, 239.160.147.53, lies in the 224.0.0.0/4 IPv4 multicast range and cannot be a reachable server; treat it as a decoy or an error in the worm's configuration rather than as a contactable host.
Some of the hosts whose names appear in the links it sends when propagating are:
  • ialongsdor.net
  • alynnprel.net
These servers are known to host copies of this worm.
Analysis by Gilou Tenebro
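The script below is an added example, not part of the entry or its author's analysis. It matches the server addresses and distribution domains listed above against a host's live connections and DNS resolver cache, and flags any listed address that cannot be a routable host. The matchers take plain text lines, so they also run over a saved "netstat -ano" or "ipconfig /displaydns" capture; the sample netstat lines at the end are constructed for illustration and the "Record Name" label assumes an English-language Windows.

```powershell
# Added example (not from the encyclopedia entry): match the C2 addresses and
# distribution domains listed above against a host's live connections and
# DNS resolver cache. The matchers take text lines so they also work on a
# saved "netstat -ano" / "ipconfig /displaydns" capture from another machine.

$C2Addresses = @(
    '142.45.183.2',   '142.45.183.239', '142.45.183.241', '142.45.183.244', '142.45.183.248', '142.45.183.249',
    '142.45.183.252', '142.45.183.254', '142.45.183.3',   '142.45.183.7',   '142.45.183.8',   '142.45.184.1',
    '142.45.184.10',  '142.45.184.12',  '142.45.184.240', '142.45.184.243', '142.45.184.248', '142.45.184.253',
    '142.45.184.254', '142.45.184.3',   '142.45.184.4',   '142.45.184.5',   '142.45.185.0',   '142.45.185.10',
    '142.45.185.11',  '142.45.185.12',  '142.45.185.13',  '142.45.185.251', '142.45.185.252', '142.45.185.3',
    '142.45.185.9',   '142.45.186.0',   '142.45.186.11',  '142.45.186.13',  '142.45.186.2',   '142.45.186.241',
    '142.45.186.243', '142.45.186.245', '142.45.186.252', '142.45.186.253', '142.45.186.254', '174.37.200.82',
    '239.160.147.53'
)
$DistributionDomains = 'ialongsdor.net', 'alynnprel.net'

function Test-MulticastAddress([string]$Ip) {
    # 224.0.0.0/4 is IPv4 multicast: no host there can be contacted as a
    # server, so such an IOC is a decoy or a config error, not a C2.
    if ($Ip -match '^(\d{1,3})\.') { $first = [int]$Matches[1]; return ($first -ge 224 -and $first -le 239) }
    return $false
}

function Get-C2ConnectionHits {
    param([string[]]$NetstatLines)   # lines from: netstat -ano
    foreach ($line in $NetstatLines) {
        # "  TCP    10.0.0.5:49213    142.45.184.5:6667    ESTABLISHED    1234"
        # "  UDP    0.0.0.0:123       *:*                                 916"
        if ($line -notmatch '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$') { continue }
        $proto, $remote, $state, $owner = $Matches[1], $Matches[3], $Matches[4], $Matches[5]
        $cut = $remote.LastIndexOf(':')          # strip the port; also copes with [v6]:port
        if ($cut -lt 0) { continue }
        $remoteIp = $remote.Substring(0, $cut)
        if ($C2Addresses -contains $remoteIp) {
            [pscustomobject]@{ Proto = $proto; Remote = $remote; State = $state; OwnerPid = $owner }
        }
    }
}

function Get-DistributionDomainHits {
    param([string[]]$DnsCacheLines)  # lines from: ipconfig /displaydns (English "Record Name" label)
    $alts = ($DistributionDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($line in $DnsCacheLines) {
        if ($line -match "Record Name[ .]*:\s*(\S*(?:$alts))\s*$") { $Matches[1] }
    }
}

# Sanity-check the IOC list itself before hunting with it.
foreach ($ip in $C2Addresses) { if (Test-MulticastAddress $ip) { "Not a routable host (multicast): $ip" } }

# Constructed sample (not a real capture) to exercise the matcher offline:
$SampleNetstat = @(
    '  TCP    10.0.0.5:49213         142.45.184.5:6667      ESTABLISHED     1234',
    '  TCP    10.0.0.5:49214         93.184.216.34:443      ESTABLISHED     2200',
    '  UDP    0.0.0.0:123            *:*                                    916'
)
Get-C2ConnectionHits -NetstatLines $SampleNetstat | Format-Table -AutoSize

# Live host:
Get-C2ConnectionHits -NetstatLines (netstat -ano) | Format-Table -AutoSize
Get-DistributionDomainHits -DnsCacheLines (ipconfig /displaydns)
```

The owning PID from a connection hit can be fed straight into Get-Process to confirm that the image is %windir%\nvsvc32.exe; a DNS cache hit for either distribution domain shows that a lure link was at least resolved on the host, even if the download never completed.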
