Trojan:Win32/Yoddos.B


Trojan:Win32/Yoddos.B is a trojan that drops a component that disables Internet Explorer protection offered by "360safe". It also replaces the Master Boot Record (MBR) with a malicious version, which is detected as Trojan:DOS/Yoddos.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Yoddos.B is a trojan that drops a component that disables Internet Explorer protection offered by "360safe". It also replaces the Master Boot Record (MBR) with a malicious version, which is detected as Trojan:DOS/Yoddos.

Installation

When run, the trojan checks for the presence of system-restoring software by looking for the following processes:

  • HDDGMON.exe
  • DF5Serv.exe (the Faronics Deep Freeze service)

If found, Trojan:Win32/Yoddos.B disables Windows File Protection to drop the following file:

  • <system folder>\drivers\pcidump.sys - also detected as Trojan:Win32/Yoddos.B

It installs this driver file by replacing the legitimate "pcidump" service, if it exists.

Payload

Disables security settings
Trojan:Win32/Yoddos.B drops a component to disable the protection offered by "360safe" for Internet Explorer. The component is also detected as Trojan:Win32/Yoddos.B.

Infects the MBR
Trojan:Win32/Yoddos.B replaces the original MBR with a malicious MBR. The malicious MBR is detected as Trojan:DOS/Yoddos.
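The entry above names three host-side indicators: the restore-software processes the trojan looks for, the pcidump driver service it hijacks, and a replaced MBR. The following PowerShell triage script is an added example, not part of the encyclopedia entry and not Microsoft's removal tooling. It assumes the first physical disk (\\.\PhysicalDrive0) is the boot disk, that a legitimate pcidump.sys, where one exists, is Microsoft-signed, and that a stock Windows MBR opens with the instruction bytes 33 C0 8E D0 BC 00 7C; the evidence folder under $env:TEMP is an arbitrary choice. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Added triage example for the Yoddos.B indicators described on this page.
# Not from the encyclopedia entry; assumptions are marked in the comments.

$System32   = [Environment]::GetFolderPath('System')      # <system folder>
$DriverPath = Join-Path $System32 'drivers\pcidump.sys'   # path named by the entry
$OutDir     = Join-Path $env:TEMP 'yoddos-triage'         # assumption: evidence folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Processes the trojan looks for before deciding whether to drop its driver.
$watched = 'HDDGMON', 'DF5Serv'
$running = Get-Process -Name $watched -ErrorAction SilentlyContinue
if ($running) { "[i] Restore-software processes running: $($running.Name -join ', ')" }
else          { "[i] Neither HDDGMON.exe nor DF5Serv.exe is running" }

# 2. The pcidump driver service and the binary it points at.
$svc = Get-CimInstance Win32_SystemDriver -Filter "Name='pcidump'"
if ($svc) {
    "[i] pcidump service: State=$($svc.State) StartMode=$($svc.StartMode) PathName=$($svc.PathName)"
} else {
    "[i] No pcidump driver service is registered"
}

if (Test-Path $DriverPath) {
    $item = Get-Item $DriverPath
    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $hash = (Get-FileHash -Algorithm SHA256 -Path $DriverPath).Hash
    "[i] $DriverPath Size=$($item.Length) LastWrite=$($item.LastWriteTime) SHA256=$hash"
    # Inbox drivers may be catalog-signed rather than embedded-signed, so 'NotSigned'
    # alone is not proof; compare the hash with the same file on a known-clean build.
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        "[!] pcidump.sys is not validly Microsoft-signed (Status=$($sig.Status)); compare against a clean system"
    }
} else {
    "[i] $DriverPath is not present"
}

# 3. Read and preserve sector 0 of the first physical disk (the MBR), then sanity-check it.
$mbr = New-Object byte[] 512
$fs  = New-Object System.IO.FileStream -ArgumentList '\\.\PhysicalDrive0', 'Open', 'Read', 'ReadWrite'
try { $null = $fs.Read($mbr, 0, 512) } finally { $fs.Dispose() }

$mbrFile = Join-Path $OutDir 'physicaldrive0-sector0.bin'
[System.IO.File]::WriteAllBytes($mbrFile, $mbr)
"[i] MBR saved to $mbrFile for offline comparison and scanning"

# The boot signature must be 55 AA at offsets 510-511.
if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) {
    "[!] MBR boot signature missing (got {0:X2} {1:X2})" -f $mbr[510], $mbr[511]
}

# Heuristic (assumption): a stock Windows MBR opens with xor ax,ax / mov ss,ax / mov sp,7C00h,
# i.e. bytes 33 C0 8E D0 BC 00 7C. A different prologue is not proof of infection (boot
# managers and OEM tools also rewrite it) but calls for a byte-level diff with a clean image.
$stockPrologue = '33 C0 8E D0 BC 00 7C'
$prologueHex   = ($mbr[0..6] | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
if ($prologueHex -ne $stockPrologue) {
    "[!] MBR boot code does not start with the stock Windows prologue: $prologueHex"
} else {
    "[i] MBR boot code starts with the stock Windows prologue: $prologueHex"
}

# Partition table (offsets 446-509, four 16-byte entries): list each entry so an unexpected
# type, start sector or bootable flag stands out against the expected layout.
for ($i = 0; $i -lt 4; $i++) {
    $e = 446 + 16 * $i
    if ($mbr[$e + 4] -eq 0) { continue }   # empty entry
    $lba   = [BitConverter]::ToUInt32($mbr, $e + 8)
    $count = [BitConverter]::ToUInt32($mbr, $e + 12)
    "[i] Partition {0}: Boot={1:X2} Type={2:X2} StartLBA={3} Sectors={4}" -f ($i + 1), $mbr[$e], $mbr[$e + 4], $lba, $count
}
```

Treat a clean result from a live system with caution: a kernel driver that is already loaded can filter reads of sector 0 and of its own image, so the saved sector and driver hash should be confirmed from an offline boot (recovery media or a forensic image) before the host is declared clean.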

Analysis by Jingli Li


Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only symptoms.


Prevention


Alert level: Severe
First detected by definition: 1.121.1898.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Mar 20, 2012
This entry was first published on: Feb 10, 2011
This entry was updated on: May 05, 2011

This threat is also detected as:
No known aliases