Win32/Yimfoca [Threat Name] go to Threat
Win32/Yimfoca.AA [Threat Variant Name]
| Category | worm |
| Detection created | Aug 27, 2010 |
| Detection database version | 5403 |
| Aliases | IM-Worm.Win32.Yahos.cf (Kaspersky) |
| W32.Yimfoca!gen2 (Symantec) | |
| Worm:Win32/Pushbot.gen!C (Microsoft) |
Short description
Win32/Yimfoca.AA is a worm that spreads via IM and social networks. The worm serves as a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself into the following location:
- %windir%\%variable1%.exe
The worm may create the following files:
- %windir%\%variable2%.dl
- %windir%\%variable3%.dl
- %windir%\%variable4%.png
- %windir%\%variable5%.jpg
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable6%" = "%windir%\%variable1%.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable6%" = "%windir%\%variable1%.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
- "%variable6%" = "%windir%\%variable1%.exe"
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
- "%windir%\%variable1%.exe" = "%variable6%:*:Enabled:%windir%\%variable1%.exe"
The performed data entry creates an exception in the Windows Firewall program.
A string with variable content is used instead of %variable1-6% .
Spreading
Win32/Yimfoca.AA is a worm that spreads via IM and social networks.
The programs affected include the following:
- AIM
- Yahoo Messenger
- MSN Messenger
- Skype
The following social networking sites are affected:
The worm spreads through links which point to websites containing malware.
Information stealing
The worm collects the following information:
- computer name
- operating system version
The worm can send the information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a list of (4) addresses.
The IRC protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
The worm changes the home page of the following web browsers:
- Internet Explorer
The worm may execute the following commands:
- net stop wuauserv
- sc config wuauserv start= disabled
- netsh firewall add allowedprogram 1.exe 1 ENABLE
- explorer.exe http://browseusers.myspace.com/Browse/Browse.aspx