W32/Yahlov-A is a worm for the Windows platform.
W32/Yahlov-A spreads by copying itself to network shares and removable drives.
W32/Yahlov-A copies itself to the root folder of removable drives with a randomly generated filename and creates an autorun.inf file in the root folder of the drive in an attempt to run the copy when the drive is loaded. Both the copy and the autorun.inf file will have the system, hidden and read-only attributes set.
W32/Yahlov-A copies itself to the following location on fixed drives:
<System>\csrcs.exe
and creates the files:
<Temp>\suicide.bat
<System>\autorun.inf
All files will have the system, hidden and read-only attributes set.
The following registry entry is created to run csrcs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
csrcs
<System>\csrcs.exe
The following registry entry is changed to run csrcs.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe csrcs.exe
Registry entries are set as follows (the Explorer\Advanced values configure Explorer not to display hidden or protected operating system files, which conceals the dropped files; the Eset\Nod values sit under the settings key of ESET NOD32's AMON on-access scanner):
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
2
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden
0
HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings
exc
<binary data>
HKLM\SOFTWARE\Eset\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings
exc_num
<DWORD value>
Registry entries are created under:
HKLM\SOFTWARE\Microsoft\DRM\amty
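As an added example (not part of the original advisory), the read-only PowerShell audit below checks a Windows host for the file, registry and autorun.inf indicators listed on this page; it assumes <System> is %SystemRoot%\System32 and <Temp> is the current user's %TEMP%.

```powershell
# Added audit script, not from the advisory: reports W32/Yahlov-A indicators, changes nothing.
$findings = @()

# 1. Dropped files. Assumes <System> = %SystemRoot%\System32 and <Temp> = %TEMP%.
$paths = @(
    (Join-Path $env:SystemRoot 'System32\csrcs.exe'),
    (Join-Path $env:SystemRoot 'System32\autorun.inf'),
    (Join-Path $env:TEMP 'suicide.bat')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        # -Force is needed to read attributes of hidden/system files
        $attr = (Get-Item -LiteralPath $p -Force).Attributes
        $findings += "File present: $p [$attr]"
    }
}

# 2. Winlogon Shell is normally exactly "explorer.exe"; the worm appends csrcs.exe.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell modified: '$shell'" }

# 3. Policy Run entry named csrcs (this key is not shown by most autostart viewers by default).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -Name csrcs -ErrorAction SilentlyContinue
if ($run) { $findings += "Policy Run entry csrcs -> $($run.csrcs)" }

# 4. Explorer settings that hide the dropped files (Hidden=2, ShowSuperHidden=0).
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2 -and $adv.ShowSuperHidden -eq 0) {
    $findings += 'Explorer configured to hide hidden and protected system files'
}

# 5. autorun.inf in the root of removable drives (Win32_LogicalDisk DriveType 2).
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = "$($_.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $inf) {
        $attr = (Get-Item -LiteralPath $inf -Force).Attributes
        $findings += "autorun.inf on removable drive $($_.DeviceID) [$attr]:`n$(Get-Content -LiteralPath $inf -Raw)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No W32/Yahlov-A indicators found.' }
```

Run it from an elevated PowerShell so the HKLM keys and System32 files are readable; a Winlogon Shell value other than explorer.exe or a csrcs entry under the policies Run key is a strong indicator on its own, because neither is set on a clean system.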