
IRC W32 Yimfoca Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Yimfoca requesting information from its IRC command-and-control server.

Additional Information

W32.Yimfoca is a worm that spreads by sending links through Yahoo! Messenger.
When executed, the worm copies itself as the following file:
%Windir%\infocard.exe

It also creates the following files:

* %Windir%\mds.sys
* %Windir%\mdt.sys
* %Windir%\winbrd.jpg
It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Firewall Administrating" = "%Windir%\infocard.exe"

Next, the worm attempts to connect to the following URL:
[http://]browseusers.myspace.com/Browse/Brows[REMOVED]

The worm then stops the following processes to disable the Microsoft Malware Protection Service and Windows Update:

* MsMpSvc
* wuauserv
It then attempts to connect to the following URL to download a configuration file:
[http://]get.articleslinked.com/univ[REMOVED]

The worm may also download other files onto the compromised computer, which may be copies of other malware.

It connects to the following network addresses on TCP port 2345 and waits for IRC commands:

* e2doo.org
* sls.e2doo.net

Next, the worm searches the windows open on the compromised computer for ones that belong to Yahoo! Messenger.

The worm spreads by sending messages that contain links to copies of the worm to all Yahoo! Messenger contacts.

The following messages may be sent by the worm:

* foto :D [http://]tusfbfotos.com/imag[REMOVED]
* foto :D [http://]kompnk.com/imag[REMOVED]
* foto :D [http://]beautyphotoson.com/imag[REMOVED]
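As an added illustration that is not part of the Symantec advisory, the following Python turns the indicators listed above into detection logic: it flags outbound TCP/2345 connections to the listed IRC hosts in a connection log and flags the persistence value under the Run key. The log line format, the sample records and the Run-key snapshot are constructed assumptions for the example.

```python
from __future__ import annotations
import re

# Indicators taken from the advisory above.
C2_HOSTS = {"e2doo.org", "sls.e2doo.net"}
C2_PORT = 2345
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Firewall Administrating"

# Assumed (hypothetical) connection-log format, one record per line:
#   <timestamp> <src_ip>:<src_port> -> <dst_host>:<dst_port> <proto>
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

def find_c2_connections(lines: list[str]) -> list[dict]:
    """Return records matching the worm's IRC check-in: a known host on TCP/2345."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        if (m["proto"].upper() == "TCP" and int(m["dport"]) == C2_PORT
                and m["dst"].lower() in C2_HOSTS):
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"]})
    return hits

def check_run_key(run_values: dict[str, str]) -> list[str]:
    """Flag Run-key values matching the worm's persistence entry: the value name
    it uses, or any value whose data points at infocard.exe."""
    findings = []
    for name, data in run_values.items():
        if name == RUN_VALUE_NAME or data.lower().endswith("\\infocard.exe"):
            findings.append(f'{RUN_KEY}\\"{name}" = "{data}"')
    return findings

# Constructed sample input (not real telemetry); the UDP and malformed lines are ignored.
SAMPLE_LOG = """\
2010-05-20T09:14:02Z 192.0.2.10:49211 -> www.example.com:80 TCP
2010-05-20T09:14:05Z 192.0.2.10:49212 -> e2doo.org:2345 TCP
2010-05-20T09:15:10Z 192.0.2.11:49300 -> e2doo.org:2345 UDP
2010-05-20T09:16:33Z 192.0.2.12:49410 -> sls.e2doo.net:2345 TCP
not a connection record
""".splitlines()
SAMPLE_RUN_KEY = {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
                  "Firewall Administrating": r"%Windir%\infocard.exe"}

if __name__ == "__main__":
    print(find_c2_connections(SAMPLE_LOG)); print(check_run_key(SAMPLE_RUN_KEY))
```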

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows Vista
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Extract and restore Windows files.