Yimfoca Worm Spreading in the Wild (Jan 4, 2011)

The SonicWALL UTM Research team received reports of a new variant of an IM worm spreading in the wild. It propagates through instant messaging applications such as Yahoo Messenger, AIM and MSN, as well as through the social networking site Facebook. Multiple rogue Facebook applications were reportedly leading users to this worm; they have since been taken down.

Process of Infection:

An unsuspecting user receives, through an instant messaging application, a message from an infected machine inviting them to view a picture purportedly hosted on facebook.com. A sample of the suspicious message sent via MSN is shown below:

screenshot

Once the user clicks the link, it redirects the user to this facebook.com page:

screenshot

This is a legitimate facebook.com page, the one normally shown when a user clicks a third-party link from within Facebook. However, when the user clicks the Continue button, they are directed to the malicious website.

A screenshot of the malicious website is shown below:

screenshot

The site is designed to make it appear that the user is still browsing within Facebook, although the URL shows otherwise. It also claims that the picture the user wants to see has been moved and that the “View Photo” button must be clicked to see it. Clicking the button downloads the malicious IM worm.

Installation:

Drops a copy of itself:

  • %Windows%\nvsvc32.exe – [ detected as GAV: Yimfoca.AA_3 (Worm) ]

Downloads malware component:

  • C:\WINDOWS\ndl.dl
  • C:\WINDOWS\wibrf.jpg
  • C:\WINDOWS\wiybr.png

Creates a mutex to ensure that only one instance of the worm runs on the system:

  • Nvidia Drive Mon

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Registry Changes:

It adds the following registry entries to ensure that the dropped copy of the malware starts on every system reboot:

  • Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] Value: “NVIDIA driver monitor”
    Data: “"c:\windows\nvsvc32.exe"”
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Value: “NVIDIA driver monitor”
    Data: “"c:\windows\nvsvc32.exe"”
  • Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run] Value: “NVIDIA driver monitor”
    Data: “"c:\windows\nvsvc32.exe"”

Adds the following registry entry to bypass Windows Firewall restrictions by registering the dropped copy as an authorized application:

  • Key: [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] Value: “c:\windows\nvsvc32.exe”
    Data: “c:\windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor”
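As an added defender-side example (not from the SonicWALL write-up), the following Python scans a .reg export for the two persistence artifacts described above: a Run value launching nvsvc32.exe (or named "NVIDIA driver monitor") and an Enabled AuthorizedApplications entry for the same binary. The sample export, including its benign entries, is constructed for the example.

```python
import ntpath
import re

# Constructed sample .reg export: the Yimfoca entries from the write-up mixed
# with two benign entries so the checker has something to ignore.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"NVIDIA driver monitor"="\"c:\\windows\\nvsvc32.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\windows\\nvsvc32.exe"="c:\\windows\\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
'''

RUN_SUFFIX = r"\microsoft\windows\currentversion\run"  # HKCU, HKLM and the Terminal Server\Install copy
FW_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
DROPPER_NAME = "nvsvc32.exe"
VALUE_NAME = "nvidia driver monitor"
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_FW_RE = re.compile(r"^(.*?):([^:]*):(Enabled|Disabled):(.*)$")  # path:scope:status:display name

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg strings escape backslash and quote

def parse_reg(text):
    """Yield (key, value name, string data) triples from a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key and m:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))

def find_yimfoca_artifacts(reg_text):
    """Return (kind, key, value name, exe path) for each matching entry."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k.endswith(RUN_SUFFIX):
            exe = data.strip('"')  # the worm stores the path wrapped in quotes
            if ntpath.basename(exe).lower() == DROPPER_NAME or name.lower() == VALUE_NAME:
                findings.append(("autorun", key, name, exe))
        elif k.endswith(FW_SUFFIX):
            m = _FW_RE.match(data)
            if m and m.group(3) == "Enabled" and ntpath.basename(m.group(1)).lower() == DROPPER_NAME:
                findings.append(("firewall-allow", key, name, m.group(1)))
    return findings
```

Run it against a real export (regedit /e) to confirm the same two entries are flagged and the benign ones are not.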

Command & Control (C&C) Server connection:

Upon successful installation, it tries to connect to a remote server to receive further instructions:

  • Remote Server: 75.102.21.13

This worm also joins the following IRC channel to receive instructions:

  • #!nn

The screenshot below shows the IRC communication:

screenshot

Backdoor Functionality:

  • Spread via instant messaging
  • Update itself
  • Remove itself
  • Download and execute files

Network Activity:

DNS Requests:


FTP Server:

  • ftp.phoenix-cc.net

Propagation:

This worm propagates via the following platforms:

Instant Messaging Applications:

  • AIM
  • MSN
  • Yahoo Messenger

Social Networking site:

  • Facebook

Other System Modification:

Terminates the following services:

  • Microsoft Malware Protection Service – MsMpSvc
  • Windows AutoUpdate Service – wuauserv

SonicWALL Gateway AntiVirus provides protection against this worm via the following signatures:

GAV: Yimfoca.AA_3 (Worm)
