Win32/Yektel is a family of trojans that display fake warnings of spyware or malware in an attempt to lure the user into installing or paying money to register rogue security products such as Trojan:Win32/FakeXPA. It is downloaded by most variants of Win32/FakeXPA.
Installation
Each Win32/Yektel variant consists of an EXE (TrojanDownloader:Win32/Yektel) which downloads and installs a DLL (Trojan:Win32/Yektel) as a BHO (Browser Helper Object).
TrojanDownloader:Win32/Yektel usually copies itself to one or both of these file names:
- <system folder>\explorer32.exe
- <system folder>\ieupdates.exe
It modifies the registry to execute one of these copies each time Windows starts, e.g.:
Adds value: "ieupdates"
With data: "<system folder>\ieupdates.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Or:
Adds value: "ieupdate"
With data: "<system folder>\explorer32.exe "
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The downloader usually saves Trojan:Win32/Yektel.A as:
<system folder>\winsrc.dll
This DLL is installed as a BHO by setting registry entries such as these:
Creates key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
Sets value: (default)
With data: "<system folder>\winsrc.dll"
In subkey: HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}\InprocServer32
Sets value: (default)
With data: "&Research"
In subkey: HKCR\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
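The following PowerShell script is an added example, not part of the original analysis, that checks a Windows host for the persistence artifacts described above (the Run-key values, the dropped files and the BHO registration). It assumes an elevated session; the file names and registry locations are those given on this page, so variants that use different names are not covered.

```powershell
# Added example: look for the Win32/Yektel artifacts described in the analysis.
# Assumption: run from an elevated PowerShell session on the host being checked.

$clsid    = '{037C7B8A-151A-49E6-BAED-CC05FCB50328}'   # BHO CLSID from the analysis
$findings = @()

# 1. Autostart values TrojanDownloader:Win32/Yektel adds under HKCU\...\Run
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'ieupdates', 'ieupdate') {
    $val = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($val) {
        $findings += "Run value '$name' = '$($val.$name)'"
    }
}

# 2. Dropped files in the system folder (names the downloader usually uses)
$sysDir = [Environment]::SystemDirectory
foreach ($file in 'explorer32.exe', 'ieupdates.exe', 'winsrc.dll') {
    $path = Join-Path $sysDir $file
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 3. BHO registration under HKLM for the Yektel CLSID
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path -LiteralPath $bhoKey) {
    $findings += "BHO registered: $bhoKey"
}

# 4. COM server mapping HKCR\CLSID\{...}\InprocServer32 (default) -> DLL path
#    HKCR has no default drive, so the Registry:: provider path is used.
$inprocKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
$server = (Get-ItemProperty -Path $inprocKey -ErrorAction SilentlyContinue).'(default)'
if ($server) {
    $findings += "InprocServer32 default = '$server'"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Yektel artifacts found.'
} else {
    Write-Output 'Possible Win32/Yektel infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any hit should be treated as a lead for a full scan rather than a verdict on its own, since the names listed on this page are the usual ones and not the only ones a variant may use.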
Payload
Displays Misleading Messages
Win32/Yektel displays warnings and recommendations in Internet Explorer. These include messages that appear at the top of the Internet Explorer window, mimicking IE drop-down messages:
The above appears on top of web pages that the user visits. The trojan may also display a fake warning page instead of a requested web page:
The above messages are displayed at random times while browsing. A third type of message is added into all web pages retrieved from any URL containing the string “google”:
Clicking on any of the links in any of these messages usually leads to a web site that encourages the user to pay money to register a rogue security product such as Win32/FakeXPA.
Win32/Yektel will not display fake warning messages when the user visits any domains from a list stored inside the trojan, such as:
Analysis by Hamish O'Dea