Worm:Win32/Yimfoca.B is a worm that contains backdoor functionality and can spread via instant messaging programs and social networking websites.
Installation
When executed, the worm copies itself to the following locations:
- %windir%\nvsvc32.exe
- %public%\nvsvc32.exe
- %programfiles%\nvsvc32.exe
The worm modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "C:\Program Files\nvsvc32.exe"
With data: "NVIDIA driver monitor"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "C:\Program Files\nvsvc32.exe"
With data: "NVIDIA driver monitor"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "C:\Program Files\nvsvc32.exe"
With data: "NVIDIA driver monitor"
The worm also adds itself to the list of applications that are authorized to access the Internet without being blocked by Windows Firewall, by making the following registry modification:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "c:\Malware\Malware.dat.exe"
With data: "<Malware File>:*:enabled:nvidia driver monitor"
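The Run-key autostart entries and the firewall AuthorizedApplications entry above are the host-side indicators a responder would look for. The following is an added example, not Microsoft's tooling: it parses a registry export (.reg text) and flags the entries the write-up describes. The sample export is constructed; the write-up's "<Malware File>" placeholder is stood in for by the nvsvc32.exe path. It also goes one step beyond the write-up by flagging any firewall entry whose data path does not match its value name, which is how the mismatch between "c:\Malware\Malware.dat.exe" and the nvsvc32.exe path would surface even without a known file name.

```python
"""Scan a Windows registry export (.reg text) for the autostart and firewall
indicators the write-up lists. Added example (not Microsoft's tooling); the
export text below is constructed for illustration."""
import re

# Keys named in the write-up, as they appear in a .reg export (full hive names,
# compared case-insensitively because registry paths are case-insensitive).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion"
    r"\terminal server\install\software\microsoft\windows\currentversion\run",
}
FIREWALL_LIST = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
                 r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list")
SUSPICIOUS_FILENAME = "nvsvc32.exe"
SUSPICIOUS_LABEL = "nvidia driver monitor"

# Constructed sample export: two benign entries, the write-up's Run-key and
# firewall entries, and one unrelated firewall entry whose data path does not
# match its value name. "<Malware File>" from the write-up is stood in for by
# the nvsvc32.exe path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"C:\\Program Files\\nvsvc32.exe"="NVIDIA driver monitor"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"c:\\Malware\\Malware.dat.exe"="C:\\Program Files\\nvsvc32.exe:*:enabled:nvidia driver monitor"
"C:\\Users\\user\\tool.exe"="C:\\Temp\\other.exe:*:Enabled:Some Tool"
"""

# A REG_SZ value line: "name"="data", with backslash escapes inside the quotes.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg exports write \\ for a backslash and \" for a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_indicators(text):
    """Return (key, value_name, data, reason) for every entry that matches."""
    hits = []
    for key, name, data in parse_reg_export(text):
        k = key.lower()
        blob = (name + " " + data).lower()
        if k in RUN_KEYS and SUSPICIOUS_FILENAME in blob:
            hits.append((key, name, data, "Run-key autostart of nvsvc32.exe"))
        elif k == FIREWALL_LIST:
            # Entry data is "<path>:<scope>:<Enabled|Disabled>:<description>";
            # split from the right so the drive-letter colon survives.
            parts = data.rsplit(":", 3)
            path, desc = (parts[0], parts[3]) if len(parts) == 4 else (data, "")
            if SUSPICIOUS_FILENAME in blob or desc.lower() == SUSPICIOUS_LABEL:
                hits.append((key, name, data,
                             "firewall-authorized application posing as NVIDIA driver monitor"))
            elif path.lower() != name.lower():
                hits.append((key, name, data,
                             "firewall entry whose data path differs from its value name"))
    return hits


if __name__ == "__main__":
    for key, name, data, reason in find_indicators(SAMPLE_REG):
        print(f"{reason}\n  key:  {key}\n  name: {name}\n  data: {data}")
```

Run it against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and the firewall key likewise) by reading the file instead of `SAMPLE_REG`; the three keys the write-up names are the ones worth exporting. Only string values are parsed, which is all these indicators need.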
The worm creates the following mutex to ensure that only one instance of itself is executed:
The worm then launches the following, which displays a page in the browser:
- explorer.exe hxxp://browseusers.myspace.com/Browse/Browse.aspx
Spreads via...
Windows Live Messenger
The worm checks if Windows Live Messenger is installed, and if found, it attempts to send messages to recipients in the affected user's contact list who are not offline. Note that the content of the message is variable, as this is specified via a backdoor command.
Social networking websites
The worm checks if the user is logged into Facebook by refreshing the webpage. If the user is logged in, the worm attempts to send a chat message to the affected user's online contacts. Note that the content of the message is variable, as this is specified via a backdoor command.
Payload
Backdoor functionality
The worm attempts to connect to one of the following remote hosts, using the IRC protocol:
- ds.phoenix-cc.net
- albertoshistory.info
- 17.73.210.123
- 201.107.94.26
- 77.44.131.214
- 241.173.52.61
The worm joins an IRC channel in order to receive commands, which may include the following:
- Download and execute arbitrary files
- Set the Internet Explorer start page
- Send messages to Windows Live Messenger contacts
- Send messages to Facebook contacts
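The IRC hosts listed above are the network indicators for this worm. The following is an added example, not Microsoft's, that matches DNS and firewall log lines against them; the log lines and their format are constructed, and the port on the second line is an assumed detail (the write-up says only that IRC is used). Hostnames match exactly or as a subdomain, a trailing DNS dot is tolerated, and the goodreads.com lookup is there to show that the domains in the "Additional information" list below are not command hosts and should not alert.

```python
"""Match DNS query and firewall log lines against the IRC command hosts
listed in the write-up. Added example, not Microsoft's; the log lines are
constructed and the log format is an assumption."""
import re

# Command-and-control hosts and addresses from the write-up.
C2_HOSTS = {"ds.phoenix-cc.net", "albertoshistory.info"}
C2_IPS = {"17.73.210.123", "201.107.94.26", "77.44.131.214", "241.173.52.61"}

# Constructed sample lines (format assumed). The goodreads.com lookup is one of
# the write-up's DNS-lookup domains, not a command host, and must not alert.
# The port on line 2 is a constructed detail; the write-up only says IRC.
SAMPLE_LOG = [
    "2010-05-10 09:12:44 WS01 dns query A ds.phoenix-cc.net",
    "2010-05-10 09:12:45 WS01 fw allow tcp 192.168.1.20:49210 -> 77.44.131.214:6667",
    "2010-05-10 09:13:02 WS02 dns query A www.goodreads.com",
    "2010-05-10 09:13:10 WS03 dns query A albertoshistory.info.",
    "2010-05-10 09:14:00 WS01 proxy GET http://browseusers.myspace.com/Browse/Browse.aspx",
]

# Anything that looks like a hostname or dotted-quad; ports and arrows fall away.
TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def matching_indicator(token):
    """Return the C2 indicator a host/IP token matches, or None.
    Hostnames match exactly or as a subdomain; a trailing DNS dot is ignored."""
    t = token.lower().rstrip(".")
    if t in C2_IPS:
        return t
    for host in C2_HOSTS:
        if t == host or t.endswith("." + host):
            return host
    return None


def scan_log(lines):
    """Return [(line_number, indicator)] for each line touching a C2 host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            ind = matching_indicator(tok)
            if ind:
                hits.append((n, ind))
                break  # one alert per line is enough
    return hits


if __name__ == "__main__":
    for n, ind in scan_log(SAMPLE_LOG):
        print(f"line {n}: contact with {ind}")
```

Feed it real lines with `scan_log(open("dns.log").read().splitlines())`; because matching is token-based it works unchanged on resolver, proxy and firewall logs as long as the host or address appears as a separate field.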
Displays advertisements
The worm attempts to insert HTML code into the affected user's browsing session when the user visits certain websites. This may be used to display advertisements, or prompt the user to take a survey which appears to originate from the site the user is visiting at that point in time.
Stops and disables services
The worm attempts to disable the following services:
Terminates processes
The worm attempts to terminate the following process:
Additional information
The worm performs DNS (Domain Name System) lookups on the following domains:
- screenservice.com
- jb.asm.org
- scribbidyscrubs.com
- tripadvisor.com
- journals.lww.com
- erdbeerlounge.de
- heidegger.x-y.net
- middleastpost.org
- mcsp.lvengine.com
- versatek.com
- astro.ic.ac.uk
- goodreads.com
- stayontime.info
- websitetrafficspy.com
- southampton.ac.uk
- refugee-action.org.uk
- unclefed.com
- transnationale.org
- journalofaccountancy.com
- summer-uni-sw.eesp.ch
- www.shearman.com
- shopstyle.com
- deirdremccloskey.org
- hrm.uh.edu
- insidehighered.com
- mix.thenaturistclub.com
- ate.lacoctelera.net
- xxx.stopklatka.pl
- mas.univie.ac.at
- opl.munin.irf.se
- mas.0730ip.com
- mas.ahlamontada.com
- xxx.jagdcom.de
- old.longjuyt2tugas.com
- mmm.bolbalatrust.org
- mix.price-erotske.in.rs
- mas.juegosbakugan.net
- qun.51.com
- epp.gunmablog.jp
- old.youku.com
- mas.tguia.cl
- ope.oaklandathletics.com
- beta.neogen.ro
- ale.pakibili.com
- mas.mtime.com
- pru.landmines.org
- uks.linkedin.com
- mas.josbank.com
- mas.archivum.info
- ols.systemofadown.com
- pra.aps.org
Analysis by Ray Roberts