W32/Yahlover.C!worm
Analysis
W32/Yahlover.C!worm is classified as an Internet worm. Internet worms have the functionality to spread to other systems using NetBIOS/SMB, SMTP, MSN Messenger, P2P applications, or mobile networks.
This worm modifies system settings that can compromise overall system security. It also downloads files from the Internet.
It creates the following files:
- %WINDOWS%\chrome.exe: copy of itself
- %SYSTEM%\chrome.exe: copy of itself
- %WINDOWS%\Tasks\At1.job: scheduled job that executes the copy every day
- %SYSTEM%\autorun.ini
It creates or modifies the following registry entries:
- key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer
- key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel
- key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
- value: AtTaskMaxHours
- data: 0
- key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
- value: NextAtJobId
- data: 2
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
- value: Shell
- data: Explorer.exe chrome.exe
- key: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
- value: Default_Page_URL, Default_Search_URL, Search Page, Start Page
- data: http://h1.rip{Removed}.com/poojasharma/index.html
It uses the following mutex:
- _!MSFTHISTORY!_
It tries to access the following URL:
- h1.rip[removed].com
This URL is set as the Internet Explorer default page and start page, as well as the default search page.
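The artifacts listed above (extra entries in the Winlogon Shell value, the hijacked Internet Explorer page values, the Schedule service values and the dropped file paths) can be checked on a host without running anything from the infected system. The script below is an added example, not Fortinet's code or tooling: it parses a constructed .reg-style export and a constructed file listing (both hypothetical samples, not a real capture) and reports which of the page's indicators are present. The registry key paths and value names come from the analysis above; the parser, function names and the `h1.rip` host fragment used for matching are this example's own choices.

```python
"""Check host artifacts for the W32/Yahlover.C!worm persistence indicators listed above."""
import re
from typing import Dict, List

Registry = Dict[str, Dict[str, object]]

# Constructed sample of a .reg export covering the keys named on the page (not a real capture).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe chrome.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://h1.rip[removed].com/poojasharma/index.html"
"Search Page"="http://h1.rip[removed].com/poojasharma/index.html"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
"NextAtJobId"=dword:00000002
"""

# Constructed file listing; the last path is where a legitimate Chrome install lives.
SAMPLE_FILES = [
    r"C:\Windows\chrome.exe",
    r"C:\Windows\System32\chrome.exe",
    r"C:\Windows\Tasks\At1.job",
    r"C:\Windows\System32\autorun.ini",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
]

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IE_MAIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main"
SCHEDULE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"
IE_VALUES = ("Default_Page_URL", "Default_Search_URL", "Search Page", "Start Page")


def parse_reg_export(text: str) -> Registry:
    """Minimal .reg parser: {key_path: {value_name: data}} for "name"="str" and dword lines."""
    reg: Registry = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m and current is not None:
            name, s, d = m.groups()
            reg[current][name] = int(d, 16) if d is not None else s.replace("\\\\", "\\")
    return reg


def winlogon_shell_extras(reg: Registry) -> List[str]:
    """Winlogon starts every program named in Shell; anything besides explorer.exe is suspect."""
    shell = str(reg.get(WINLOGON, {}).get("Shell", "explorer.exe"))
    entries = [e for e in re.split(r"[,\s]+", shell) if e]
    return [e for e in entries if e.lower() != "explorer.exe"]


def hijacked_ie_values(reg: Registry, bad_host_fragment: str = "h1.rip") -> List[str]:
    """Return the IE page/search values that point at the host named on the page."""
    main = reg.get(IE_MAIN, {})
    return [n for n in IE_VALUES if bad_host_fragment in str(main.get(n, "")).lower()]


def at_job_indicators(reg: Registry) -> List[str]:
    """Report the Schedule service values exactly as the page lists them being set."""
    sched = reg.get(SCHEDULE, {})
    found = []
    if sched.get("AtTaskMaxHours") == 0:
        found.append("AtTaskMaxHours=0")
    if "NextAtJobId" in sched:
        found.append(f"NextAtJobId={sched['NextAtJobId']}")
    return found


def suspicious_paths(paths: List[str]) -> List[str]:
    """Flag chrome.exe directly under Windows/System32, At*.job tasks, and System32\\autorun.ini."""
    flagged = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        if re.search(r"\\windows\\(system32\\)?chrome\.exe$", low):
            flagged.append(p)
        elif re.search(r"\\windows\\tasks\\at\d+\.job$", low):
            flagged.append(p)
        elif low.endswith(r"\windows\system32\autorun.ini"):
            flagged.append(p)
    return flagged


def scan(reg_text: str, paths: List[str]) -> Dict[str, List[str]]:
    """Run all indicator checks and return the findings per category."""
    reg = parse_reg_export(reg_text)
    return {
        "winlogon_shell_extras": winlogon_shell_extras(reg),
        "hijacked_ie_values": hijacked_ie_values(reg),
        "at_job_indicators": at_job_indicators(reg),
        "suspicious_paths": suspicious_paths(paths),
    }


if __name__ == "__main__":
    for category, hits in scan(SAMPLE_REG_EXPORT, SAMPLE_FILES).items():
        print(f"{category}: {hits}")
```

On a real host, feed `scan()` the output of `reg export` for the three keys and a directory listing of the Windows and System32 folders; the chrome.exe check deliberately ignores the Program Files location so a legitimate browser install is not reported.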
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Products listed: FortiGate, Extended, FortiClient, FortiMail, FortiSandbox, FortiWeb, Web Application Firewall, FortiIsolator, FortiDeceptor, FortiEDR.