W32/Yahlover.C!worm

Analysis

W32/Yahlover.C!worm is classified as an Internet worm. Internet worms have the functionality to spread to other systems using NetBIOS/SMB, SMTP, MSN Messenger, P2P applications, or mobile networks.
This worm modifies system settings that can compromise overall system security. It also downloads files from the Internet.

  • It drops the following files:
    • %WINDOWS%\chrome.exe: copy of itself
    • %SYSTEM%\chrome.exe: copy of itself
    • %WINDOWS%\Tasks\At1.job: AT scheduler job that executes the copy every day
    • %SYSTEM%\autorun.ini

  • It adds the following registry keys:
    • key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer
    • key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel

  • It adds the following registry values:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
    • value: AtTaskMaxHours
    • data: 0

  • It modifies the following registry values:
    • key: HKLM\SYSTEM\CurrentControlSet\Services\Schedule\
      value: NextAtJobId
      data: 2
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
      value: Shell
      data: Explorer.exe chrome.exe
      Appending chrome.exe to the Winlogon Shell value launches the dropped copy at every interactive logon, alongside Explorer.
    • key: HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\
      value: Default_Page_URL, Default_Search_URL, Search Page, Start Page
      data: http://h1.rip{Removed}.com/poojasharma/index.html
      This page is set as the default Internet Explorer home page as well as the default search page.

  • It uses the following mutex:
    • _!MSFTHISTORY!_

  • It tries to access the following URL:
    • h1.rip[removed].com
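The artifacts above (dropped files, the Winlogon Shell hijack, the Internet Explorer home/search page values, the AT scheduler tampering, the policy key and the mutex) are all checkable on a live host. The script below is an added triage example, not Fortinet code or the worm's code; it sweeps a Windows machine for exactly those indicators. Assumptions it makes beyond the page: %WINDOWS% is taken as $env:WINDIR and %SYSTEM% as $env:WINDIR\System32; any chrome.exe living in those directories, or running from outside Program Files, is treated as suspicious because a legitimate Chrome install never lives there; the URL match uses only the visible prefix h1.rip and the path component poojasharma since the full domain is redacted on this page; the mutex is looked up in the session-local namespace, which is an assumption about how the worm creates it. AtTaskMaxHours = 0 is flagged because a value of 0 removes the run-time limit on AT jobs, which is why a worm that installs At1.job would want it.

```powershell
# Added triage script for W32/Yahlover.C!worm indicators (not Fortinet code).
# Run elevated for complete process visibility; registry reads work unelevated.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. %WINDOWS% -> $env:WINDIR, %SYSTEM% -> System32 (assumption).
$files = @(
    (Join-Path $env:WINDIR 'chrome.exe'),
    (Join-Path $env:WINDIR 'System32\chrome.exe'),
    (Join-Path $env:WINDIR 'Tasks\At1.job'),
    (Join-Path $env:WINDIR 'System32\autorun.ini')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 2. Winlogon Shell persistence: the clean value is exactly "explorer.exe".
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') {
    $findings.Add("Winlogon Shell modified: '$shell'")
}

# 3. Internet Explorer home/search page hijack. Only the visible part of the
#    redacted domain (h1.rip) and the path component are matched (assumption).
$ieMain = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
foreach ($v in 'Default_Page_URL', 'Default_Search_URL', 'Search Page', 'Start Page') {
    $val = (Get-ItemProperty -Path $ieMain -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -and $val -match 'h1\.rip|poojasharma') {
        $findings.Add("IE '$v' hijacked: $val")
    }
}

# 4. AT scheduler tampering and the added IE policy key.
$sched = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
$maxHours = (Get-ItemProperty -Path $sched -Name AtTaskMaxHours -ErrorAction SilentlyContinue).AtTaskMaxHours
if ($null -ne $maxHours) { $findings.Add("AtTaskMaxHours present, value $maxHours (0 = no run-time limit)") }
if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel') {
    $findings.Add('IE Control Panel policy key present')
}

# 5. Mutex: can only be opened while the worm process holds it. Session-local
#    namespace is assumed; an access-denied error still proves it exists.
try {
    $m = [System.Threading.Mutex]::OpenExisting('_!MSFTHISTORY!_')
    $m.Dispose()
    $findings.Add('mutex _!MSFTHISTORY!_ is held: worm process is running')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present: nothing to report
} catch [System.UnauthorizedAccessException] {
    $findings.Add('mutex _!MSFTHISTORY!_ exists (access denied): worm process is running')
}

# 6. A process named chrome.exe running from outside Program Files.
Get-Process -Name chrome -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notmatch '\\Program Files' } |
    ForEach-Object { $findings.Add("chrome.exe running from $($_.Path) (PID $($_.Id))") }

if ($findings.Count -eq 0) { 'No W32/Yahlover.C indicators found.' } else { $findings }
```

A hit on the Winlogon Shell value or the mutex is conclusive on its own; a hit on the file paths alone should be confirmed by hashing the file, since the page gives no hash and any binary could be dropped under that name. When cleaning, restore Shell to explorer.exe and delete At1.job before removing the binaries, otherwise the next logon or the next AT run recreates the infection.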

Recommended Action

  FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

  FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

  Detection Availability
    • FortiGate (Extended database)
    • FortiClient
    • FortiMail
    • FortiSandbox
    • FortiWeb (Web Application Firewall)
    • FortiIsolator
    • FortiDeceptor
    • FortiEDR

Version Updates

  Date        Version
  2024-04-15  92.03397
  2024-04-08  92.03183
  2024-03-25  92.02774
  2024-03-13  92.02395
  2024-02-26  92.01932
  2024-02-24  92.01866
  2024-02-19  92.01722
  2024-02-04  92.01281
  2024-01-31  92.01152
  2024-01-17  92.00732