Win32/Yimfoca


Microsoft security software detects and removes this threat.

Win32/Yimfoca is a worm family that spreads via common instant messaging applications and social networking sites. It is capable of connecting to a remote HTTP or IRC server to receive updated configuration data. It also modifies certain system and security settings.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Removing a program exception

This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  5. Select "NVIDIA driver monitor" or "Windows System Devices Manager" from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the left-hand menu, select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Select "NVIDIA driver monitor" or "Windows System Devices Manager" from the list of allowed programs and features. Click Delete.
  5. Click OK.

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions tab, click "NVIDIA driver monitor" or "Windows System Devices Manager" and then click Delete.
  5. Click OK.
Additional remediation instructions for Win32/Yimfoca

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Yimfoca drops a copy of itself in any of the following folders:

  • %Windir%
  • %Public%
  • %ProgramFiles%

In the wild, Win32/Yimfoca has been observed to use one of the following file names:

  • nvsvc32.exe
  • csrss.exe - note that a legitimate Windows file also named "csrss.exe" exists by default in the Windows system folder

Win32/Yimfoca also creates a mutex to prevent more than one instance of itself from running at a time. The following are some mutex names that Yimfoca has been observed to use in the wild:

  • Nvidia Drive Mon
  • Client Server Runtine Process

Win32/Yimfoca adds the following registry entries so that it can run every time Windows starts:

In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Sets value: "<Yimfoca registry entry>"
With data: "%Windir%\<Yimfoca file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "<Yimfoca registry entry>"
With data: "%Windir%\<Yimfoca file name>"

In the wild, variants of the Win32/Yimfoca family have been seen using one of these combinations of file names and fake names for the registry modification:

Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"

or:

Sets value: "Windows System Devices Manager"
With data: "%windir%\csrss.exe"

After Win32/Yimfoca drops and installs a copy of itself, it opens a new Internet browser window to the "Browse" page of the social networking site Myspace and then terminates while its dropped copy continues running.

Spreads Via...

Instant messaging programs and social networking sites
Worm:Win32/Yimfoca spreads by sending malicious links to the user's contacts in any of the following instant messaging applications:

  • AOL Instant Messenger
  • MSN Messenger
  • Skype
  • Yahoo! Messenger

The links it sends out point to a copy of itself hosted on a remote server. Some of the servers it includes in its propagation messages are:

  • ialongsdor.net
  • alynnprel.net

The following is a screenshot of a sample web site found to be hosting installers of Win32/Yimfoca:

It also posts malicious links to the user's friends on the social networking site Facebook.

It uses social engineering tricks to entice users into running the malware. For instance, it may pose as a link to a photo or a video. Below is a screenshot of a sample instant message used by Yimfoca to propagate:

Payload

Modifies security settings
Win32/Yimfoca modifies Windows Firewall settings to gain access to the Internet. It does this by adding the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%windir%\<Yimfoca file name>"
With data: "%windir%\<Yimfoca file name>:*:Enabled:<Yimfoca file name>"

In the wild, Win32/Yimfoca has been observed using the following registry values and data:

Sets value: "%windir%\nvsvc32.exe"
With data: "%windir%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

or

Sets value: "%windir%\csrss.exe"
With data: "%windir%\csrss.exe:*:Enabled:Windows System Devices Manager"

Some variants of Win32/Yimfoca may also disable the Windows Task Manager by modifying the following registry entry:

In Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
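The persistence values described under Installation and the firewall exception and Task Manager policy described in this section are all ordinary registry values, so one pass over exported registry data can confirm all of them. The following Python script is an added example and is not part of the Microsoft entry: it parses `reg query`-style output (the sample below is constructed for the example, not taken from a real host) and flags Run values that use the documented fake names or that point to nvsvc32.exe or csrss.exe outside System32, AuthorizedApplications entries whose display name or executable matches the entry, and DisableTaskMgr set to 1. The key paths, file names and value names come from this entry; the parsing heuristics (columns separated by runs of four or more spaces, the firewall value split on its last three colons) are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators documented in the encyclopedia entry.
YIMFOCA_FILE_NAMES = {"nvsvc32.exe", "csrss.exe"}
YIMFOCA_VALUE_NAMES = {"nvidia driver monitor", "windows system devices manager"}
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
FIREWALL_LIST_SUFFIX = r"\firewallpolicy\standardprofile\authorizedapplications\list"
POLICY_KEY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"

# Constructed sample of what `reg query <key>` prints: a key line, then
# "<name>    <type>    <data>" entries. Not captured from a real machine.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    NVIDIA driver monitor    REG_SZ    C:\Windows\nvsvc32.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Windows System Devices Manager    REG_SZ    C:\Windows\csrss.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
    csrss    REG_SZ    C:\Windows\csrss.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\Windows\nvsvc32.exe    REG_SZ    C:\Windows\nvsvc32.exe:*:Enabled:NVIDIA driver monitor

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Yield (key, value_name, reg_type, data) for every value line.

    Assumption: key lines start in column 0, value lines are indented and
    their three columns are separated by four or more spaces.
    """
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            key = raw.strip()
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if len(parts) == 3 and key:
            yield key, parts[0], parts[1], parts[2]


def first_exe_path(data):
    """Return the executable path from Run-value data (quoted or with arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def is_system32(path):
    """True when the path has a System32 component (where the real csrss.exe lives)."""
    return "system32" in [p.lower() for p in PureWindowsPath(path).parts]


def parse_firewall_entry(data):
    """Split '<path>:<scope>:<Enabled|Disabled>:<display name>' (assumes no colon in the name)."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        return None
    path, scope, state, display = parts
    return {"path": path, "scope": scope, "state": state, "display": display}


def triage(text):
    """Return (rule, key, detail) findings that match the entry's indicators."""
    findings = []
    for key, name, _rtype, data in parse_reg_query(text):
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIX):
            exe = first_exe_path(data)
            base = PureWindowsPath(exe).name.lower()
            if name.lower() in YIMFOCA_VALUE_NAMES:
                findings.append(("run-value-name", key, name))
            elif base in YIMFOCA_FILE_NAMES and not is_system32(exe):
                findings.append(("run-file-name", key, exe))
        elif k.endswith(FIREWALL_LIST_SUFFIX):
            entry = parse_firewall_entry(data)
            if entry is None:
                continue
            base = PureWindowsPath(entry["path"]).name.lower()
            if entry["display"].lower() in YIMFOCA_VALUE_NAMES or (
                base in YIMFOCA_FILE_NAMES and not is_system32(entry["path"])
            ):
                findings.append(("firewall-exception", key, entry["path"]))
        elif k.endswith(POLICY_KEY_SUFFIX) and name.lower() == "disabletaskmgr":
            if data.strip().lower() in ("0x1", "1"):
                findings.append(("taskmgr-disabled", key, name))
    return findings


if __name__ == "__main__":
    for rule, key, detail in triage(SAMPLE_REG_QUERY):
        print(f"{rule:20} {key}\n{'':20} -> {detail}")
```

A csrss.exe that lives in System32 is deliberately not flagged, matching the entry's note that the legitimate file exists there by default; the rule only fires when the name appears in a startup location or outside the system folder.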

Modifies Internet Explorer settings
There are variants of Win32/Yimfoca that set the Internet Explorer Home page by modifying the following registry data:

In subkey: HKCU\Software\Microsoft\Internet Explorer\main
Sets value: "Start Page"
To data: "<Yimfoca server>"

In the wild, variants of Win32/Yimfoca have been observed setting Internet Explorer's Home page to any one of these servers:

  • 142.45.183.3
  • 142.45.191.252
  • 142.45.191.249
  • redirecturls.info

Other variants of Win32/Yimfoca may also modify the following registry entries in an attempt to change the Internet Explorer Home page:

In subkeys:
HKCR\HTTP\shell\open\command
HKCR\https\shell\open\command
HKCR\htmlfile\shell\open\command
Sets value: "@@''"
With data: "%ProgramFiles%\Internet explorer\iexplore.exe -nohome"

Terminates and disables services and processes
Worm:Win32/Yimfoca attempts to stop and disable Windows Update and the Microsoft Antimalware Service by running the following commands:

net stop wuauserv
net stop MsMpSvc
sc config wuauserv start = disabled
sc config MsMpSvc start = disabled

In addition, if it finds the Microsoft Security Client User Interface process running on the affected computer, it attempts to terminate it and deletes the associated process file. The removal of this file compromises the functionality of the security programs Microsoft Security Essentials and Forefront Endpoint Protection.
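The four commands above are a recognisable sequence in process-creation telemetry: a `net stop` followed by an `sc config ... start= disabled` for the same service, both issued by the same parent process. The following Python detection is an added example, not part of the Microsoft entry. It runs over constructed process-creation records (the field names and the sample events are assumptions of the example, not a real log format) and raises a medium alert for any stop or disable of the two services named in the entry, plus a high alert when one parent both stops and disables the same service. It accepts both the `start = disabled` spelling shown above and the `start= disabled` form.

```python
import re

# Services the entry says the worm stops and disables.
PROTECTED_SERVICES = {"wuauserv", "msmpsvc"}

# "net stop <svc>" (net or net1, optional .exe, optional quotes around the name).
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([\w.-]+)"?', re.IGNORECASE)
# "sc config <svc> start= disabled", tolerating spaces around the "=".
SC_DISABLE = re.compile(
    r'\bsc(?:\.exe)?\s+config\s+"?([\w.-]+)"?\s+start\s*=\s*disabled\b', re.IGNORECASE
)

# Constructed process-creation records (not from a real host); the first four
# mirror the command sequence documented in the entry.
SAMPLE_EVENTS = [
    {"pid": 1204, "parent": r"C:\Windows\nvsvc32.exe", "cmd": "net stop wuauserv"},
    {"pid": 1210, "parent": r"C:\Windows\nvsvc32.exe", "cmd": "net stop MsMpSvc"},
    {"pid": 1216, "parent": r"C:\Windows\nvsvc32.exe", "cmd": "sc config wuauserv start = disabled"},
    {"pid": 1222, "parent": r"C:\Windows\nvsvc32.exe", "cmd": "sc config MsMpSvc start= disabled"},
    {"pid": 1300, "parent": r"C:\Windows\System32\services.exe", "cmd": "sc config Spooler start= demand"},
    {"pid": 1310, "parent": r"C:\Windows\explorer.exe", "cmd": "net stop Spooler"},
]


def classify(cmd):
    """Return ("stop", service) or ("disable", service), or None if the command is neither."""
    m = NET_STOP.search(cmd)
    if m:
        return ("stop", m.group(1).lower())
    m = SC_DISABLE.search(cmd)
    if m:
        return ("disable", m.group(1).lower())
    return None


def detect(events):
    """Alert on stop/disable of protected services; escalate when one parent does both."""
    alerts = []
    actions_by_parent = {}
    for ev in events:
        hit = classify(ev["cmd"])
        if hit is None:
            continue
        action, svc = hit
        if svc not in PROTECTED_SERVICES:
            continue
        alerts.append({"pid": ev["pid"], "parent": ev["parent"], "action": action,
                       "service": svc, "severity": "medium"})
        actions_by_parent.setdefault((ev["parent"], svc), set()).add(action)
    # The documented pattern is stop followed by disable from the same process.
    for (parent, svc), actions in actions_by_parent.items():
        if actions == {"stop", "disable"}:
            alerts.append({"parent": parent, "action": "stop+disable",
                           "service": svc, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["service"], a["action"], "from", a["parent"])
```

Service names are matched case-insensitively because the entry shows `MsMpSvc` in mixed case while the service control manager itself does not distinguish case; the Spooler events are included in the sample to show that ordinary administration of other services produces no alert.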

Connects to a remote server
Worm:Win32/Yimfoca has been observed attempting to connect to any of the following servers using predefined ports:

  • 142.45.183.2
  • 142.45.183.239
  • 142.45.183.241
  • 142.45.183.242
  • 142.45.183.244
  • 142.45.183.248
  • 142.45.183.249
  • 142.45.183.252
  • 142.45.183.254
  • 142.45.183.3
  • 142.45.183.5
  • 142.45.183.7
  • 142.45.183.8
  • 142.45.184.1
  • 142.45.184.10
  • 142.45.184.12
  • 142.45.184.240
  • 142.45.184.243
  • 142.45.184.248
  • 142.45.184.253
  • 142.45.184.254
  • 142.45.184.3
  • 142.45.184.4
  • 142.45.184.5
  • 142.45.185.0
  • 142.45.185.10
  • 142.45.185.11
  • 142.45.185.12
  • 142.45.185.13
  • 142.45.185.249
  • 142.45.185.251
  • 142.45.185.252
  • 142.45.185.3
  • 142.45.185.9
  • 142.45.186.0
  • 142.45.186.11
  • 142.45.186.13
  • 142.45.186.2
  • 142.45.186.240
  • 142.45.186.241
  • 142.45.186.243
  • 142.45.186.245
  • 142.45.186.252
  • 142.45.186.253
  • 142.45.186.254
  • 142.45.193.240
  • 142.45.193.6
  • 174.37.200.82
  • 239.160.147.53

The remote computers above may contain an HTTP server, an IRC server, or both. If Worm:Win32/Yimfoca successfully establishes a connection with any of these servers, it receives configuration data, such as templates that it uses as the message when propagating (see "Spreads via..." section above) or the survey sample message it displays (see "Interrupts Internet Explorer browsing activity" payload section below).

Downloads and executes arbitrary files
Win32/Yimfoca has the capability to download and execute an arbitrary file. This file may be an updated version of Win32/Yimfoca itself or another piece of malware.

Interrupts Internet Explorer browsing activity
If the user attempts to open the website "www.facebook.com", Win32/Yimfoca may display messages on top of the current page informing the user that they will not be able to continue browsing the site until they fill out a survey. This, in effect, prevents the user from accessing the Facebook site.

The messages displayed by Win32/Yimfoca are part of the configuration data that it receives from one of its remote servers. Hence, the contents of the message may vary at any given time. Below are some samples of these messages:

  • Sample Message 1:
    Your Account as been suspended!
    The suspend will be released after 80 minutes
    The suspend will be disabled only if you fill out one survey!
    Please wait 80 minutes and tray again.
  • Sample Message 2:
    You have only 3 minutes to fill out the selected survey
    or you will be banned from this site.
    When you complete one survey Click Here
  • Sample Message 3:
    You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to this page.
  • Sample Message 4:
    The page is blocked!
    The block will be released after 80 minutes
    The block will be disabled only if you fill out one survey!
    Please wait 80 minutes and tray again.
  • Sample Message 5:
    You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to your account.
  • Sample Message 6:
    You have only 3 minutes to fill out the selected survey or you will not have access to your account.
    When you complete one survey Click Here

In addition, Yimfoca may also display these surveys if the affected user enters certain substrings in Internet Explorer's address bar. These substrings can either be hardcoded in the malware body or be reconfigurable, just like the survey messages above. The following are some examples of the substrings that Yimfoca watches for:

  • adobe
  • adult
  • aricl
  • bick
  • cpalead
  • daddie
  • drug
  • gay
  • geshac
  • hardcore
  • kanaa
  • mail
  • microsoft
  • myspace
  • outu
  • sex
  • tube
  • user:0
  • vidr
  • virus
  • window
  • xnxx
  • xvideos
  • XXX

Analysis by Gilou Tenebro


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Your friends may report receiving an instant message from you similar to the following:
  • Your friends may report links on your Facebook profile that, when accessed, attempt to download a file, similar to the following:
  • The presence of the following files:
    %windir%\nvsvc32.exe
    %windir%\csrss.exe - note that a legitimate Windows file also named "csrss.exe" exists by default in the Windows system folder
  • The presence of the following registry modifications:

    In subkeys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

    Sets value: "NVIDIA driver monitor"
    With data: "%windir%\nvsvc32.exe"

    or:
    Sets value: "Windows System Devices Manager"
    With data: "%windir%\csrss.exe"

    or:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "NVIDIA driver monitor"
    With data: "%windir%\nvsvc32.exe"

    or:
    Sets value: "Windows System Devices Manager"
    With data: "%windir%\csrss.exe"

  • The following program is allowed to bypass the Windows firewall:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "%windir%\nvsvc32.exe"
    With data: "%windir%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

    or:
    Sets value: "%windir%\csrss.exe"
    With data: "%windir%\csrss.exe:*:Enabled:Windows System Devices Manager"

  • Your Internet Explorer home page has been changed to point to any of the following servers:
    • 142.45.183.3
    • 142.45.191.252
    • 142.45.191.249
    • redirecturls.info
  • Your Microsoft security product, such as Microsoft Security Essentials or Forefront Endpoint Protection, is not working properly.
  • Your browser may open to the MySpace website without any prompting from you.
  • If you open Internet Explorer to Facebook, you may receive any of the following messages, preventing you from accessing the site:
    • Sample Message 1:
      Your Account as been suspended!
      The suspend will be released after 80 minutes
      The suspend will be disabled only if you fill out one survey!
      Please wait 80 minutes and tray again.
    • Sample Message 2:
      You have only 3 minutes to fill out the selected survey
      or you will be banned from this site.
      When you complete one survey Click Here
    • Sample Message 3:
      You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to this page.
    • Sample Message 4:
      The page is blocked!
      The block will be released after 80 minutes
      The block will be disabled only if you fill out one survey!
      Please wait 80 minutes and tray again.
    • Sample Message 5:
      You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to your account.
    • Sample Message 6:
      You have only 3 minutes to fill out the selected survey or you will not have access to your account.
      When you complete one survey Click Here
  • If you enter any of the following strings on your Internet Explorer address bar, the same messages as above may also appear:
    • adobe
    • adult
    • aricl
    • bick
    • cpalead
    • daddie
    • drug
    • gay
    • geshac
    • hardcore
    • kanaa
    • mail
    • microsoft
    • myspace
    • outu
    • sex
    • tube
    • user:0
    • vidr
    • virus
    • window
    • xnxx
    • xvideos
    • XXX
  • Your Windows Task Manager may also not be functioning properly.

Prevention


Alert level: Severe
This entry was first published on: Jun 09, 2011
This entry was updated on: Jul 16, 2015

This threat is also detected as:
No known aliases