
W32.Yimfoca.B – Malware Localization

Created: 06 Dec 2010 19:37:28 GMT • Updated: 23 Jan 2014 18:23:42 GMT
By Stephen Doherty

The latest W32.Yimfoca.B variants can target users in no fewer than 44 countries with localized malicious links in nearly 20 different languages. The worm has also widened the set of instant messaging applications it spreads through to include most of the popular IM clients.

Here is a code snippet from W32.Yimfoca.B:

This code selects which message to send by comparing the compromised computer's country setting against the full list of countries below:

· Slovenia
· Canada
· Norway
· Switzerland (German)
· Switzerland (Romansh)
· United Kingdom
· Mexico
· Belgium
· Austria
· Portugal
· Australia
· Spain (Modern)
· Spain (Traditional)
· Venezuela
· New Zealand
· Ireland
· South Africa
· Colombia
· Peru
· Argentina
· Turkey
· Pakistan
· Indonesia
· Ukraine
· Belarus
· Czech Republic
· Denmark
· Germany
· Greece
· United States
· Finland
· France
· Israel
· Hungary
· Iceland
· Italian
· Japan
· Korea
· Netherlands
· Polish
· Brazil
· Romania
· Russia
· Croatia
· Slovakia
· Albania
· Sweden
· Thailand

The full list of messages is:

· mira esta fotografa :D [MALICIOUS LINK]
· seen this?? :D [MALICIOUS LINK]
· This is the funniest photo ever! [MALICIOUS LINK]
· olhar para esta foto :D [MALICIOUS LINK]
· Wie findest du das Foto? [MALICIOUS LINK]
· se ps dette bildet :D [MALICIOUS LINK]
· bekijk deze foto :D [MALICIOUS LINK]
· poglej to fotografijo :D [MALICIOUS LINK]
· pogledaj to slike :D [MALICIOUS LINK]
· titta ps denna bild :D [MALICIOUS LINK]
· pozrite sa na t to fotografiu :D [MALICIOUS LINK]
· uita-te la aceasta fotografie :D [MALICIOUS LINK]
· katso tStS kuvaa :D [MALICIOUS LINK]
· bu resmi bakmak :D [MALICIOUS LINK]
· spojrzec na to zdjecie :D [MALICIOUS LINK]
· nTzd meg a kTpet :D [MALICIOUS LINK]
· ser ps dette billede :D [MALICIOUS LINK]
· podfvejte se na mou fotku :D [MALICIOUS LINK]
· guardare quest'immagine :D [MALICIOUS LINK]
· regardez cette photo :D [MALICIOUS LINK]

When the worm doesn’t recognize the country, it uses a default message in English:

Seen this?? :D [MALICIOUS LINK]

Surely this will help with the success rate of its IM spreading capabilities, but it isn’t finished there…

W32.Yimfoca.B also has the added capability to spread to any removable drives mapped to drive letters C through Z. Upon initial infection, and every five minutes thereafter, W32.Yimfoca.B will attempt to infect removable drives inserted into the compromised computer.

When W32.Yimfoca.B infects these drives, it hides existing folders found on the removable drive, setting their attributes to ‘system’ and ‘hidden’, and replacing them with a shortcut link to a copy of the worm. The shortcut icon will be that of a folder, so a user may be fooled into thinking this is in fact the original folder.

Here is what a typical user will see if system files are hidden (which is the default):

Here is what really exists on an infected removable drive:
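The folder-hiding trick described above leaves a recognisable pattern on the drive: a directory carrying both the 'hidden' and 'system' attributes sitting next to a .lnk file with the same name. The script below is an added triage example written for this post, not code from Symantec or from the worm; it assumes a Windows host (Python exposes the attribute bits as `st_file_attributes` only there) and uses a constructed sample listing so the detection logic can be exercised offline.

```python
"""Triage a removable drive for hidden+system folders that have been
shadowed by a same-named .lnk shortcut (the W32.Yimfoca.B pattern).
Added example; not part of the original post or any vendor tooling."""
import os
import stat
import sys

# Windows file attribute bits (documented constants, not page values).
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
HIDDEN_AND_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def scan_drive_root(root):
    """List the top level of a drive as (name, is_dir, attributes) tuples.

    st_file_attributes exists only on Windows; elsewhere attributes are
    reported as 0, so the check below will simply find nothing.
    """
    listing = []
    for name in os.listdir(root):
        st = os.stat(os.path.join(root, name))
        attributes = getattr(st, "st_file_attributes", 0)
        listing.append((name, stat.S_ISDIR(st.st_mode), attributes))
    return listing


def find_decoy_shortcuts(listing):
    """Return sorted (folder, shortcut) pairs for every directory that is
    both hidden and system AND has a .lnk of the same base name beside it.

    Legitimately hidden+system folders such as 'System Volume Information'
    are not flagged because no shortcut impersonates them.
    """
    folders = {}
    shortcuts = {}
    for name, is_dir, attributes in listing:
        key = name.lower()
        if is_dir:
            folders[key] = (name, attributes)
        elif key.endswith(".lnk"):
            shortcuts[key[:-4]] = name  # strip the extension for matching

    hits = []
    for key, (folder, attributes) in folders.items():
        hidden_system = (attributes & HIDDEN_AND_SYSTEM) == HIDDEN_AND_SYSTEM
        if hidden_system and key in shortcuts:
            hits.append((folder, shortcuts[key]))
    return sorted(hits)


# Constructed sample listing standing in for an infected drive root.
# 0x10 = DIRECTORY, 0x20 = ARCHIVE; 0x16 = DIRECTORY|HIDDEN|SYSTEM.
SAMPLE_LISTING = [
    ("Photos", True, 0x16),                     # hidden+system, shadowed
    ("Photos.lnk", False, 0x20),                # shortcut wearing a folder icon
    ("Work", True, 0x16),                       # hidden+system, shadowed
    ("Work.lnk", False, 0x20),
    ("Music", True, 0x10),                      # normal folder, untouched
    ("System Volume Information", True, 0x16),  # hidden+system but legitimate
    ("readme.txt", False, 0x20),
]


if __name__ == "__main__":
    # Usage: python triage.py E:\   (scans a real drive on Windows)
    # With no argument the constructed sample listing is analysed instead.
    listing = scan_drive_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for folder, shortcut in find_decoy_shortcuts(listing):
        print(f"suspicious: folder '{folder}' hidden, shadowed by '{shortcut}'")
```

The pairing rule matters more than the attribute bits alone: hidden+system directories occur on clean drives, and stray .lnk files occur too, but a hidden+system folder with a same-named shortcut beside it is exactly the decoy layout the worm creates.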

The real purpose of the threat is to spread in order to download further malware onto your computer. At the time of analysis, this version of W32.Yimfoca.B is downloading W32.Yimfoca.