Win32/Yimfoca [Threat Name] go to Threat

Win32/Yimfoca.AA [Threat Variant Name]

Category	worm
Aliases	IM-Worm.Win32.Yahos.cf (Kaspersky)
	W32.Yimfoca!gen2 (Symantec)
	Worm:Win32/Pushbot.gen!C (Microsoft)

Win32/Yimfoca.AA is a worm that spreads via IM and social networks. The worm serves as a backdoor. It can be controlled remotely.

When executed, the worm copies itself into the following location:

The worm may create the following files:

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable6%" = "%windir%\%variable1%.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable6%" = "%windir%\%variable1%.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable6%" = "%windir%\%variable1%.exe"

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%windir%\%variable1%.exe" = "%variable6%:*:Enabled:%windir%\%variable1%.exe"

The performed data entry creates an exception in the Windows Firewall program.

A string with variable content is used instead of %variable1-6% .

Win32/Yimfoca.AA is a worm that spreads via IM and social networks.

The programs affected include the following:

The following social networking sites are affected:

The worm spreads through links which point to websites containing malware.

The worm collects the following information:

The worm can send the information to a remote machine.

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (4) addresses.

The IRC protocol is used.

It can execute the following operations:

The worm changes the home page of the following web browsers:

The worm may execute the following commands: