Win32/Yektel [Threat Name] go to Threat

Win32/Yektel.A [Threat Variant Name]

Category	trojan
Size	634368 B
Aliases	Rogue:Win32/FakeXPA (Microsoft)
	FakeAlert-EQ.b.trojan (McAfee)

Short description

Win32/Yektel.A is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.

The following Registry entries are created:

[HKEY_CLASSES_ROOT\CLSID\{04DFB628-514B-4E68-9076-DC1024F58A96}]
- "(Default)" = "&Security Update"
[HKEY_CLASSES_ROOT\CLSID\{04DFB628-514B-4E68-9076-DC1024F58A96}\InProcServer32]
- "(Default)" = %malwaredllpath%
- "ThreadingModel" = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
- "{04DFB628-514B-4E68-9076-DC1024F58A96}"

The trojan may delete the following Registry entries:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings]
- "{04DFB628-514B-4E68-9076-DC1024F58A96}"

Other information

Win32/Yektel.A is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.

It avoids those with any of the following strings in their names:

mail
secure
payment
google
msn
live
yahoo
protected
malicious-sites.com
securityutilitybuy.com
allspanishwar.com
maliciouscodeblock.com
forbes-2009.com
safewebnetwork.com
angle-meter.com
security-estore.com
austin2reed.com
black-list-websites.com
browsersecessentials.com
windowssp3download.com
ardeana-couture.com
pc-security-store.com
blockadvisornetwork.com
rescuesysupdate.com
pcsecurity-soft.com
iesecurityblock.com
winxp7server.com
wintimeserver.com
firmwaredownloadserver.com
internetbanlist.com
unsecured-domains.com
checklatestversion.com
totalblocklist.com
shifustserver.com
version-upgrade.com
antispywarelist.com
projectwupdates.com
cariport.com

The user may be redirected to one of the following Internet web sites:

http://www.antispywarelist.com/