Worm:Win32/Yoybot.gen is a generic detection for a family of malicious IRC bots that are able to spread through removable drives and file sharing networks.
Installation
Files detected as Worm:Win32/Yoybot.gen may copy themselves into the Windows folder under a wide range of file names, many of which imitate legitimate system processes (misspelt variants of svchost.exe, for example) or pose as software cracks, keygens, hacking tools and screensavers.
Files detected as Worm:Win32/Yoybot.gen have also been found to insert themselves into existing RAR archives. They may also archive copies of themselves into ZIP files whose names suggest photo collections or holiday images.
Most variants also add a registry entry so that the worm copy runs whenever Windows starts.
Spreads via...
Removable drives
Worm:Win32/Yoybot.gen may spread by dropping a copy of itself, together with the initialization file 'autorun.inf', on all removable drives. The worm copy is dropped in a subfolder that the worm creates:
<drive>:\driver\usb
The autorun.inf file is written so that the worm copy runs automatically when the drive is accessed on a system where Autorun is enabled.
File-sharing programs
Files detected as Worm:Win32/Yoybot.gen may copy themselves into folders that are known to be used by file-sharing programs, such as the following:
%ProgramFiles%\bearshare\shared
%ProgramFiles%\edonkey2000\incoming
%ProgramFiles%\emule\incoming
%ProgramFiles%\grokster\my grokster
%ProgramFiles%\icq\shared folder
%ProgramFiles%\kazaa lite k++\my shared folder
%ProgramFiles%\kazaa lite\my shared folder
%ProgramFiles%\kazaa\my shared folder
%ProgramFiles%\limewire\shared
%ProgramFiles%\morpheus\my shared folder
%ProgramFiles%\tesla\files
%ProgramFiles%\winmx\shared
This ensures that when the file-sharing program is used, the worm copy is automatically shared and becomes accessible to users on other systems.
Payload
Allows backdoor access and control
In the wild, files detected as Worm:Win32/Yoybot.gen have been seen connecting to a number of IRC servers, identified both by IP address and by dynamic DNS host names.
The worm may then listen for commands from a remote attacker and perform actions such as the following:
- Send chat messages
- Perform distributed denial-of-service attacks against a specified server
- Download and update a worm copy
Modifies firewall settings
Worm:Win32/Yoybot.gen may modify firewall settings to add the worm process to the Firewall policy exception list. This enables the worm process to access the network.
It may do this by adding the following registry entry:
Adds value: "<malware file>"
With data: "<malware file>:*:enabled:windows services"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
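The entry above follows the Windows Firewall exception format <path>:<scope>:<state>:<display name>, so a host check can parse every value under AuthorizedApplications\List and flag entries that look worm-added. This is an added example, not code from the original write-up; the sample values are constructed, svhost.exe is a placeholder rather than a specific indicator, and the generic labels, lookalike stems and Windows-root paths are assumed heuristics.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of the key's values (value name -> data), as "reg query" would show
# them. The second entry mimics the pattern in the write-up; "svhost.exe" stands in for
# any worm file name and is not a specific indicator.
SAMPLE_LIST_VALUES = {
    r"%ProgramFiles%\Messenger\msmsgs.exe":
        r"%ProgramFiles%\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\svhost.exe": r"C:\WINDOWS\svhost.exe:*:enabled:windows services",
    r"C:\Program Files\Foo\foo.exe": r"C:\Program Files\Foo\foo.exe:*:Enabled:Foo Client",
}

# Data format: <path>:<scope>:<Enabled|Disabled>:<display name>. The lazy path group
# lets the drive-letter colon through because <state> must be a real keyword.
ENTRY_RE = re.compile(
    r"^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE)
# Assumed heuristics: labels, file stems and locations of the kind the write-up describes.
GENERIC_LABELS = {"windows services", "windows update", "system"}
LOOKALIKE_STEMS = {"svhost", "scvhost", "scvhots", "svshost32", "lcass", "iexplorer", "winlogin"}
WINDOWS_ROOTS = {"%windir%", "%systemroot%", "c:\\windows", "c:\\winnt"}


def parse_firewall_entry(data):
    """Split one AuthorizedApplications\\List value into its four fields, or None."""
    match = ENTRY_RE.match(data)
    return match.groupdict() if match else None


def firewall_entry_findings(value_name, data):
    """Return the reasons an exception entry looks worm-added (empty list if clean)."""
    entry = parse_firewall_entry(data)
    if entry is None:
        return ["unparseable entry"]
    path = PureWindowsPath(entry["path"])
    reasons = []
    if value_name.lower() != entry["path"].lower():
        reasons.append("value name does not match the path in the data")
    if entry["name"].strip().lower() in GENERIC_LABELS:
        reasons.append(f"generic display name '{entry['name']}'")
    if str(path.parent).lower() in WINDOWS_ROOTS:
        reasons.append("program sits directly in the Windows folder")
    if path.stem.lower() in LOOKALIKE_STEMS:
        reasons.append(f"file name '{path.name}' mimics a system process")
    return reasons


def flag_firewall_entries(values):
    """Map each suspicious value name to its list of findings."""
    return {name: reasons for name, data in values.items()
            if (reasons := firewall_entry_findings(name, data))}
```

On a live system the same dictionary can be built from winreg or from a saved reg export, and the flagged paths cross-checked against the Run keys mentioned under Installation.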
Analysis by Jireh Sanico