Yahos Worm Spreading in the Wild (Aug 12, 2010)

The SonicWALL UTM Research team received reports of a new variant of the Yahos worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AOL, Skype and MSN, as well as through the social networking site Facebook. It also includes an IRC-based backdoor capability to receive instructions from a remote server.

Installation:

Drops a copy of itself:

  • %Windows%\jusched.exe – [ detected as GAV: Yahos.BA (Worm) ]

Drops the following files:

  • C:\sssA1234567890.exe – [ detected as GAV: Yahos.BA_2 (Trojan) ]
  • C:\WINDOWS\system32\rrrc.yeo – [ detected as GAV: Oficla_14 (Trojan) ]

Downloads related Malware:

  • C:\WINDOWS\system32\8c.html – [ detected as GAV: Kryptik.EVL (Trojan) ]
  • %User Profile%\fow.exe – [ detected as GAV: Kryptik.CLM (Trojan) ]
  • %User Profile%\secupdat.dat – [ detected as GAV: Cetorp.P_3 (Backdoor) ]
  • C:\WINDOWS\system32\secupdat.dat – [ detected as GAV: Cetorp.P_3 (Backdoor) ]

Creates a mutex to ensure that only one instance of the application runs on the system:

  • Micro Upe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT. %User Profile% is the User folder, which is usually C:\Documents and Settings\{Current User})

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “Java developer Script Browse”
    Data: “”C:\WINDOWS\jusched.exe””
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Value: “Java developer Script Browse”
    Data: “”C:\WINDOWS\jusched.exe””
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] Value: “Java developer Script Browse”
    Data: “”C:\WINDOWS\jusched.exe””

Adds the following registry entry to bypass firewall restrictions:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “C:\WINDOWS\jusched.exe”
    Data: “C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse”
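
A host triage check built from the registry entries listed above, given here as an added example that is not part of the original advisory: it parses `reg query`-style text and flags any value that carries the advisory's value name or points at jusched.exe directly in the Windows folder. The function name and the sample export (including the benign Java updater entry) are constructed for illustration.

```python
import re

# Indicators taken from the advisory above.
RUN_VALUE_NAME = "java developer script browse"
# jusched.exe placed directly in the Windows folder (C:\Windows or C:\WINNT).
DROPPED_COPY = re.compile(r"^[a-z]:\\(windows|winnt)\\jusched\.exe", re.I)
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

# Constructed sample in `reg query` output format (not captured from a real host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Java developer Script Browse    REG_SZ    "C:\WINDOWS\jusched.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SunJavaUpdateSched    REG_SZ    "C:\Program Files\Java\jre6\bin\jusched.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\jusched.exe    REG_SZ    C:\WINDOWS\jusched.exe:*:Enabled:Java developer Script Browse
"""

def find_yahos_indicators(reg_text):
    """Return (key, value_name, reasons) for each value matching the advisory."""
    hits, key = [], None
    for line in reg_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = registry key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, _type, data = m.groups()
        reasons = []
        if RUN_VALUE_NAME in name.lower() or RUN_VALUE_NAME in data.lower():
            reasons.append("value name from advisory")
        if any(DROPPED_COPY.match(s.strip().strip('"')) for s in (name, data)):
            reasons.append("jusched.exe in Windows folder")
        if reasons:
            hits.append((key, name, reasons))
    return hits

if __name__ == "__main__":
    for key, name, reasons in find_yahos_indicators(SAMPLE):
        print(f"{key}\n    {name}: {', '.join(reasons)}")
```

The jusched.exe entry under Program Files in the sample is not flagged, since the check keys on the path and value name from the advisory rather than on the file name alone.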

Command & Control (C&C) Server connection:

    Upon successful installation, it tries to connect to a remote server to receive further instruction:
    Remote Server: ptf.messenger-update.su

    This worm will also join the following IRC Channel to receive instruction:

    • #!gf!

    [Screenshot: IRC communication]

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

This worm may download files and updates from the following addresses:

  • 95.211.130.132
  • 212.95.32.52
  • rgtryhbgddtyh.biz
  • wertdghbyrukl.ch

Propagation:

This worm propagates via the following platforms:

    Instant Messaging Application:

    • AOL
    • MSN
    • Skype
    • Yahoo Messenger

    Social Networking site:

    • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service – MsMpSvc
  • Windows AutoUpdate Service – wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

  • GAV: Yahos.BA (Worm)
  • GAV: Yahos.BA_2 (Trojan)
  • GAV: Oficla_14 (Trojan)
  • GAV: Kryptik.EVL (Trojan)
  • GAV: Kryptik.CLM (Trojan)
  • GAV: Cetorp.P_3 (Backdoor)
