Win32/Yimfoca


Win32/Yimfoca is a worm family that spreads via common instant messaging applications and social networking sites. It is capable of connecting to a remote HTTP or IRC server to receive updated configuration data. It also modifies certain system and security settings.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Removing a program exception

This threat may add a malware program to the Windows Firewall exception list. To remove the program exception, follow these steps:

For Windows 7:

  1. Click Start, select Control Panel, then System and Security.
  2. Select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Click Change Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  5. Select "NVIDIA driver monitor" or "Windows System Devices Manager" from the list of allowed programs and features. Click Remove.
  6. Click OK.

For Windows Vista:

  1. Click Start, select Control Panel, then Security Center.
  2. On the left-hand menu, select Windows Firewall.
  3. On the left-hand menu, select Allow a program through Windows Firewall. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Select "NVIDIA driver monitor" or "Windows System Devices Manager" from the list of allowed programs and features. Click Delete.
  5. Click OK.

For Windows XP:

  1. Use an administrator account to log on.
  2. Click Start, select Run, type wscui.cpl, and then click OK.
  3. In Windows Security Center, click Windows Firewall.
  4. On the Exceptions tab, click "NVIDIA driver monitor" or "Windows System Devices Manager" and then click Delete.
  5. Click OK.

Additional remediation instructions for Win32/Yimfoca

This threat may make lasting changes to a computer's configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article(s):

Threat behavior

Win32/Yimfoca is a worm family that spreads via common instant messaging applications and social networking sites. It is capable of connecting to a remote HTTP or IRC server to receive updated configuration data. It also modifies certain system and security settings.

Installation

Win32/Yimfoca drops a copy of itself in any of the following folders:

  • %Windir%
  • %Public%
  • %ProgramFiles%

In the wild, Win32/Yimfoca has been observed to use one of the following file names:

  • nvsvc32.exe
  • csrss.exe - note that a legitimate Windows file also named "csrss.exe" exists by default in the Windows system folder

Win32/Yimfoca also creates a mutex to prevent more than one instance of itself from running at a time. The following are some mutex names that Yimfoca has been observed to use in the wild:

  • Nvidia Drive Mon
  • Client Server Runtine Process
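As an added defender-side example (my own, not part of this encyclopedia entry), the following PowerShell checks a host for the dropped-file and mutex indicators listed above. The drop folders, file names and mutex names are taken from this page; the function names, the try of the Global\ mutex namespace and the use of an Authenticode check as a triage aid are my assumptions.

```powershell
# Added example, not from the Microsoft encyclopedia entry. Indicator names are
# the page's; function names and the Global\ namespace check are assumptions.

# Folders the page lists as drop locations, and the file names seen in the wild.
# $env:PUBLIC is absent on Windows XP, so empty entries are filtered out.
$script:DropFolders   = @($env:windir, $env:PUBLIC, $env:ProgramFiles) | Where-Object { $_ }
$script:DropFileNames = @('nvsvc32.exe', 'csrss.exe')
$script:MutexNames    = @('Nvidia Drive Mon', 'Client Server Runtine Process')

function Get-YimfocaFileIndicator {
    # Reports any of the named files in a drop folder. A csrss.exe directly under
    # %windir% is the suspicious case; the legitimate one lives in %windir%\System32.
    foreach ($folder in $script:DropFolders) {
        foreach ($name in $script:DropFileNames) {
            $path = Join-Path -Path $folder -ChildPath $name
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
            $item = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{
                Indicator = 'File'
                Path      = $path
                SizeBytes = $item.Length
                Created   = $item.CreationTime
                # Triage aid: a Microsoft-signed binary is unlikely to be the worm.
                Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            }
        }
    }
}

function Get-YimfocaMutexIndicator {
    # A named mutex can only be opened while some process holds it, so a hit
    # means an instance is running right now. The page does not say whether the
    # worm uses the Global\ namespace, so both forms are tried (assumption).
    foreach ($base in $script:MutexNames) {
        foreach ($name in @($base, "Global\$base")) {
            try {
                $mutex = [System.Threading.Mutex]::OpenExisting($name)
                $mutex.Close()
                [pscustomobject]@{ Indicator = 'Mutex'; Name = $name; Note = 'open succeeded' }
            } catch [System.Threading.WaitHandleCannotBeOpenedException] {
                # Not present: nothing to report.
            } catch [System.UnauthorizedAccessException] {
                # Exists but this account may not open it: still evidence it is held.
                [pscustomobject]@{ Indicator = 'Mutex'; Name = $name; Note = 'exists, access denied' }
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt so every drop folder is readable.
Get-YimfocaFileIndicator  | Format-Table -AutoSize
Get-YimfocaMutexIndicator | Format-Table -AutoSize
```

Both functions emit objects rather than text, so the output can be piped to Export-Csv when the same check is run across many hosts.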

Win32/Yimfoca adds the following registry entries so that it can run every time Windows starts:

In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Sets value: "<Yimfoca registry entry>"
With data: "%Windir%\<Yimfoca file name>"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "<Yimfoca registry entry>"
With data: "%Windir%\<Yimfoca file name>"

In the wild, variants of the Win32/Yimfoca family have been seen using one of these combinations of file names and fake names for the registry modification:

Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"

or:

Sets value: "Windows System Devices Manager"
With data: "%windir%\csrss.exe"
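An added PowerShell example (mine, not from the encyclopedia entry) that audits the three Run keys named above for these entries. The key paths, value names and file names come from the page; the function name and the -Remove switch are assumptions. Matching on the file location as well as the value name catches a variant that picks a new display name but still points at nvsvc32.exe or csrss.exe directly under %windir%.

```powershell
# Added example, not from the page. Registry paths and indicator names are the
# page's; the function name and the -Remove switch are assumptions.
$script:RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run'
)
$script:RunValueNames = @('NVIDIA driver monitor', 'Windows System Devices Manager')
$script:RunFileNames  = @('nvsvc32.exe', 'csrss.exe')

function Test-DirectlyUnderWindir {
    # True when the executable sits in %windir% itself, not in a subfolder such as System32.
    param([string]$ExePath)
    $parent = Split-Path -Path $ExePath -Parent
    return ($parent.TrimEnd('\') -ieq ($env:windir).TrimEnd('\'))
}

function Get-YimfocaRunEntry {
    param([switch]$Remove)   # Without -Remove the function only reports.
    foreach ($key in $script:RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath and similar; skip those.
            if ($p.Name -like 'PS*') { continue }
            $data = [string]$p.Value
            if ([string]::IsNullOrWhiteSpace($data)) { continue }
            # Expand %windir% and strip surrounding quotes so the path compares cleanly.
            $exe = [Environment]::ExpandEnvironmentVariables($data).Trim('"')
            $nameHit = $script:RunValueNames -contains $p.Name
            $fileHit = ($script:RunFileNames -contains (Split-Path -Path $exe -Leaf)) -and (Test-DirectlyUnderWindir -ExePath $exe)
            if (-not ($nameHit -or $fileHit)) { continue }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Data       = $data
                MatchedOn  = $(if ($nameHit) { 'value name' } else { 'file path' })
                FileExists = Test-Path -LiteralPath $exe -PathType Leaf
            }
            if ($Remove) { Remove-ItemProperty -LiteralPath $key -Name $p.Name }
        }
    }
}

# Usage: report first, then remove once the findings have been reviewed.
Get-YimfocaRunEntry | Format-List
# Get-YimfocaRunEntry -Remove   # run elevated; HKLM keys need administrator rights
```

The HKCU key is read for the account running the script only; on a shared machine, run the audit under each local profile or load the other users' hives.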

After Win32/Yimfoca drops and installs a copy of itself, it opens a new Internet browser window to the "Browse" page of the social networking site Myspace and then terminates while its dropped copy continues running.

Spreads Via...

Instant messaging programs and social networking sites
Worm:Win32/Yimfoca spreads by sending malicious links to the user's contacts in any of the following instant messaging applications:

  • AOL Instant Messenger
  • MSN Messenger
  • Skype
  • Yahoo! Messenger

The links it sends out point to a copy of itself hosted on a remote server. Some servers that it includes in its propagation messages are:

  • ialongsdor.net
  • alynnprel.net

The following is a screenshot of a sample website found to be hosting installers of Win32/Yimfoca:

It also posts malicious links to the user's friends on the social networking site Facebook.

It uses social engineering tricks to entice users into running the malware. For instance, it may pose as a link to a photo or a video. Below is a screenshot of a sample instant message used by Yimfoca to propagate:

Payload

Modifies security settings
Win32/Yimfoca modifies Windows Firewall settings to gain access to the Internet. It does this by adding the following registry entry:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%windir%\<Yimfoca file name>"
With data: "%windir%\<Yimfoca file name>:*:Enabled:<Yimfoca file name>"

In the wild, Win32/Yimfoca has been observed using the following registry values and data:

Sets value: "%windir%\nvsvc32.exe"
With data: "%windir%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

or

Sets value: "%windir%\csrss.exe"
With data: "%windir%\csrss.exe:*:Enabled:Windows System Devices Manager"
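The steps under "Removing a program exception" above edit this same list through the Windows Firewall GUI. As an added example (my own, not Microsoft's), the following PowerShell reads the AuthorizedApplications\List key directly, parses the path:scope:state:name format shown above, and reports or removes entries that match this page's indicators. The key path, display names and file names are the page's; the regular expression, the function names and the -Remove switch are assumptions. On Windows Vista and later the firewall also keeps rules in a separate store, so review the output of netsh advfirewall firewall show rule name=all after cleanup as well.

```powershell
# Added example, not from the page. The key path and indicator names are the
# page's; the parsing regex, function names and -Remove switch are assumptions.
$script:FwListKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$script:FwDisplayNames = @('NVIDIA driver monitor', 'Windows System Devices Manager')
$script:FwFileNames    = @('nvsvc32.exe', 'csrss.exe')

function ConvertFrom-FirewallListEntry {
    # Parses "<path>:<scope>:<Enabled|Disabled>:<display name>". The path may
    # itself contain a drive colon, so the three trailing fields are anchored to
    # the end of the string and the path takes whatever precedes them.
    param([string]$Data)
    $m = [regex]::Match($Data, '^(?<path>.+):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>[^:]*)$')
    if (-not $m.Success) { return $null }
    [pscustomobject]@{
        Path  = [Environment]::ExpandEnvironmentVariables($m.Groups['path'].Value)
        Scope = $m.Groups['scope'].Value
        State = $m.Groups['state'].Value
        Name  = $m.Groups['name'].Value
    }
}

function Get-YimfocaFirewallException {
    param([switch]$Remove)   # Report only unless -Remove is given.
    if (-not (Test-Path -LiteralPath $script:FwListKey)) { return }
    $props = Get-ItemProperty -LiteralPath $script:FwListKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not list entries
        $entry = ConvertFrom-FirewallListEntry -Data ([string]$p.Value)
        if (-not $entry) { continue }
        $leaf    = Split-Path -Path $entry.Path -Leaf
        $parent  = (Split-Path -Path $entry.Path -Parent).TrimEnd('\')
        $nameHit = $script:FwDisplayNames -contains $entry.Name
        # File match only when the binary is directly under %windir% (not System32).
        $pathHit = ($script:FwFileNames -contains $leaf) -and ($parent -ieq ($env:windir).TrimEnd('\'))
        if (-not ($nameHit -or $pathHit)) { continue }
        [pscustomobject]@{
            ValueName   = $p.Name
            Path        = $entry.Path
            Scope       = $entry.Scope
            State       = $entry.State
            DisplayName = $entry.Name
            MatchedOn   = $(if ($nameHit) { 'display name' } else { 'file path' })
        }
        if ($Remove) { Remove-ItemProperty -LiteralPath $script:FwListKey -Name $p.Name }
    }
}

# Usage (elevated prompt): review, then remove.
Get-YimfocaFirewallException | Format-Table -AutoSize
# Get-YimfocaFirewallException -Remove
```

Removing the value is the registry-side equivalent of clicking Remove or Delete in the GUI steps above; the dropped executable itself still has to be removed by the security product or by hand.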

Some variants of Win32/Yimfoca may also disable the Windows Task Manager by modifying the following registry entry:

In Subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"

Modifies Internet Explorer settings
There are variants of Win32/Yimfoca that set the Internet Explorer Home page by modifying the following registry data:

In subkey: HKCU\Software\Microsoft\Internet Explorer\main
Sets value: "Start Page"
To data: "<Yimfoca server>"

In the wild, variants of Win32/Yimfoca have been observed setting Internet Explorer's Home page to any one of these servers:

  • 142.45.183.3
  • 142.45.191.252
  • 142.45.191.249
  • redirecturls.info

Other variants of Win32/Yimfoca may also modify the following registry entries in an attempt to change the Internet Explorer Home page.

In subkeys:
HKCR\HTTP\shell\open\command
HKCR\https\shell\open\command
HKCR\htmlfile\shell\open\command
Sets value: "@@''"
With data: "%ProgramFiles%\Internet explorer\iexplore.exe -nohome"

Terminates and disables services and processes
Worm:Win32/Yimfoca attempts to stop and disable Windows Update and the Microsoft Antimalware Service by running the following commands:

net stop wuauserv
net stop MsMpSvc
sc config wuauserv start = disabled
sc config MsMpSvc start = disabled

In addition, if it finds the Microsoft Security Client User Interface process running on the affected computer, it attempts to terminate it and deletes the associated process file. The removal of this file compromises the functionality of the security programs Microsoft Security Essentials and Forefront Endpoint Protection.
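Taken together, the payload settings described above (the DisableTaskMgr policy, the Internet Explorer Start Page, the protocol-handler commands and the two stopped services) can be checked and reverted from one script. The following is an added example of mine, not from the page: the registry paths, value names, server list and service names are the page's; the function name, the -Restore switch, about:blank as the replacement home page and Automatic as the restored start type are assumptions. The HKCR command values are reported for manual review only, because the page does not state what their original values were.

```powershell
# Added example, not from the page. Registry paths, value names, servers and
# service names are the page's; the -Restore behaviour is an assumption.
$script:KnownHomePages  = @('142.45.183.3', '142.45.191.252', '142.45.191.249', 'redirecturls.info')
$script:StoppedServices = @('wuauserv', 'MsMpSvc')

function Get-YimfocaSettingChange {
    param([switch]$Restore)   # Report only unless -Restore is given.
    $findings = @()

    # 1. Task Manager policy that some variants set to 1.
    $polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $tm = (Get-ItemProperty -LiteralPath $polKey -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($tm -eq 1) {
        $findings += [pscustomobject]@{ Setting = 'DisableTaskMgr'; Current = $tm; Action = 'remove value' }
        if ($Restore) { Remove-ItemProperty -LiteralPath $polKey -Name 'DisableTaskMgr' }
    }

    # 2. Internet Explorer Start Page pointed at one of the page's servers.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $start = [string](Get-ItemProperty -LiteralPath $ieKey -ErrorAction SilentlyContinue).'Start Page'
    foreach ($srv in $script:KnownHomePages) {
        if ($start -like "*$srv*") {
            $findings += [pscustomobject]@{ Setting = 'IE Start Page'; Current = $start; Action = 'reset to about:blank' }
            if ($Restore) { Set-ItemProperty -LiteralPath $ieKey -Name 'Start Page' -Value 'about:blank' }
            break
        }
    }

    # 3. Protocol handler commands: reported for review, not changed, because the
    #    page does not say what the original values were.
    foreach ($cls in 'HTTP', 'https', 'htmlfile') {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
        $findings += [pscustomobject]@{ Setting = "HKCR\$cls open command"; Current = $cmd; Action = 'review' }
    }

    # 4. Services the worm stops and sets to Disabled.
    foreach ($name in $script:StoppedServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }   # MsMpSvc exists only where MSE or FEP is installed.
        # Win32_Service.StartMode works back to PowerShell 2.0 on Windows 7
        # (Get-Service's StartType property needs PowerShell 5.0).
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        if ($mode -eq 'Disabled' -or $svc.Status -ne 'Running') {
            $findings += [pscustomobject]@{ Setting = "service $name"; Current = "$mode / $($svc.Status)"; Action = 'set Automatic and start' }
            if ($Restore) {
                Set-Service -Name $name -StartupType Automatic
                Start-Service -Name $name -ErrorAction SilentlyContinue
            }
        }
    }
    return $findings
}

Get-YimfocaSettingChange | Format-Table -AutoSize -Wrap
# Get-YimfocaSettingChange -Restore   # run from an elevated prompt
```

If MsMpSvc cannot be started after restoring its start type, the worm may already have deleted the Security Client binary as described above, in which case the product needs to be reinstalled rather than just restarted.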

Connects to a remote server
Worm:Win32/Yimfoca has been observed attempting to connect to any of the following servers using predefined ports:

  • 142.45.183.2
  • 142.45.183.239
  • 142.45.183.241
  • 142.45.183.242
  • 142.45.183.244
  • 142.45.183.248
  • 142.45.183.249
  • 142.45.183.252
  • 142.45.183.254
  • 142.45.183.3
  • 142.45.183.5
  • 142.45.183.7
  • 142.45.183.8
  • 142.45.184.1
  • 142.45.184.10
  • 142.45.184.12
  • 142.45.184.240
  • 142.45.184.243
  • 142.45.184.248
  • 142.45.184.253
  • 142.45.184.254
  • 142.45.184.3
  • 142.45.184.4
  • 142.45.184.5
  • 142.45.185.0
  • 142.45.185.10
  • 142.45.185.11
  • 142.45.185.12
  • 142.45.185.13
  • 142.45.185.249
  • 142.45.185.251
  • 142.45.185.252
  • 142.45.185.3
  • 142.45.185.9
  • 142.45.186.0
  • 142.45.186.11
  • 142.45.186.13
  • 142.45.186.2
  • 142.45.186.240
  • 142.45.186.241
  • 142.45.186.243
  • 142.45.186.245
  • 142.45.186.252
  • 142.45.186.253
  • 142.45.186.254
  • 142.45.193.240
  • 142.45.193.6
  • 174.37.200.82
  • 239.160.147.53

The remote computers above may contain an HTTP server, an IRC server, or both. If Worm:Win32/Yimfoca successfully establishes a connection with any of these servers, it receives configuration data, such as templates that it uses as the message when propagating (see "Spreads via..." section above) or the survey sample message it displays (see "Interrupts Internet Explorer browsing activity" payload section below).
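As an added example (not from the page), this PowerShell parses netstat -ano and reports any connection to one of the servers listed above together with the owning process. The address list is the page's; the function name and the parsing are assumptions. netstat is used rather than Get-NetTCPConnection so that the check also runs on the Windows XP, Vista and 7 systems this entry targets.

```powershell
# Added example, not from the page. The server list is the page's; the function
# name and the netstat parsing are assumptions.
$raw = @'
142.45.183.2 142.45.183.239 142.45.183.241 142.45.183.242 142.45.183.244 142.45.183.248
142.45.183.249 142.45.183.252 142.45.183.254 142.45.183.3 142.45.183.5 142.45.183.7
142.45.183.8 142.45.184.1 142.45.184.10 142.45.184.12 142.45.184.240 142.45.184.243
142.45.184.248 142.45.184.253 142.45.184.254 142.45.184.3 142.45.184.4 142.45.184.5
142.45.185.0 142.45.185.10 142.45.185.11 142.45.185.12 142.45.185.13 142.45.185.249
142.45.185.251 142.45.185.252 142.45.185.3 142.45.185.9 142.45.186.0 142.45.186.11
142.45.186.13 142.45.186.2 142.45.186.240 142.45.186.241 142.45.186.243 142.45.186.245
142.45.186.252 142.45.186.253 142.45.186.254 142.45.193.240 142.45.193.6 174.37.200.82
239.160.147.53
'@
$script:YimfocaServers = ($raw -split '\s+') | Where-Object { $_ }

function Get-YimfocaConnection {
    # netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID.
    # UDP rows have no State column, so the PID is always taken from the last field.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        $remoteIp = $f[2] -replace ':\d+$', ''          # strip the port
        if ($script:YimfocaServers -notcontains $remoteIp) { continue }
        $procId = [int]$f[-1]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol = $f[0]
            Remote   = $f[2]
            State    = $(if ($f.Count -eq 5) { $f[3] } else { '' })
            PID      = $procId
            Process  = $(if ($proc -and $proc.Path) { $proc.Path } else { 'unknown' })
        }
    }
}

# Usage: an elevated prompt is needed for netstat to report PIDs of other users' processes.
Get-YimfocaConnection | Format-Table -AutoSize
```

A match only shows a connection at the moment of the snapshot; the worm polls its servers, so repeating the check a few times, or feeding the same address list to the perimeter firewall or proxy logs, gives better coverage than a single run.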

Downloads and executes arbitrary files
Win32/Yimfoca has the capability to download and execute an arbitrary file. This file may either be an updated version of Win32/Yimfoca itself or another piece of malware.

Interrupts Internet Explorer browsing activity
If the user attempts to open the website "www.facebook.com", Win32/Yimfoca may display messages on top of the current page informing the user that they will not be able to continue browsing the site until they fill out a survey. This, in effect, prevents the user from accessing the Facebook site.

The messages displayed by Win32/Yimfoca are part of the configuration data that it receives from one of its remote servers. Hence, the contents of the message may vary at any given time. Below are some samples of these messages:

  • Sample Message 1:
    Your Account as been suspended!
    The suspend will be released after 80 minutes
    The suspend will be disabled only if you fill out one survey!
    Please wait 80 minutes and tray again.
  • Sample Message 2:
    You have only 3 minutes to fill out the selected survey
    or you will be banned from this site.
    When you complete one survey Click Here
  • Sample Message 3:
    You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to this page.
  • Sample Message 4:
    The page is blocked!
    The block will be released after 80 minutes
    The block will be disabled only if you fill out one survey!
    Please wait 80 minutes and tray again.
  • Sample Message 5:
    You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to your account.
  • Sample Message 6:
    You have only 3 minutes to fill out the selected survey or you will not have access to your account.
    When you complete one survey Click Here

In addition, Yimfoca may also display these surveys if the affected user enters certain substrings in Internet Explorer's address bar. These substrings may be hardcoded in the malware body or may be reconfigurable, like the survey messages above. The following are some examples of the substrings that Yimfoca watches for:

  • adobe
  • adult
  • aricl
  • bick
  • cpalead
  • daddie
  • drug
  • gay
  • geshac
  • hardcore
  • kanaa
  • mail
  • microsoft
  • myspace
  • outu
  • sex
  • tube
  • user:0
  • vidr
  • virus
  • window
  • xnxx
  • xvideos
  • XXX

Analysis by Gilou Tenebro


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • Your friends may report receiving an instant message from you similar to the following:
  • Your friends may report links on your Facebook profile that, when accessed, attempt to download a file, similar to the following:
  • The presence of the following files:
    %windir%\nvsvc32.exe
    %windir%\csrss.exe - note that a legitimate Windows file also named "csrss.exe" exists by default in the Windows system folder
  • The presence of the following registry modifications:

    In subkeys:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

    Sets value: "NVIDIA driver monitor"
    With data: "%windir%\nvsvc32.exe"

    or:
    Sets value: "Windows System Devices Manager"
    With data: "%windir%\csrss.exe"

  • or:
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
    Sets value: "NVIDIA driver monitor"
    With data: "%windir%\nvsvc32.exe"

    or:
    Sets value: "Windows System Devices Manager"
    With data: "%windir%\csrss.exe"

  • The following program is allowed to bypass the Windows firewall:

    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    Sets value: "%windir%\nvsvc32.exe"
    With data: "%windir%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"

    or:
    Sets value: "%windir%\csrss.exe"
    With data: "%windir%\csrss.exe:*:Enabled:Windows System Devices Manager"

  • Your Internet Explorer home page has been changed to point to any of the following servers:
    • 142.45.183.3
    • 142.45.191.252
    • 142.45.191.249
    • redirecturls.info
  • Your Microsoft security product, such as Microsoft Security Essentials or Forefront Endpoint Protection, is not working properly.
  • Your browser may open to the MySpace website without any prompting from you.
  • If you open Internet Explorer to Facebook, you may receive any of the following messages, preventing you from accessing the site:
    • Sample Message 1:
      Your Account as been suspended!
      The suspend will be released after 80 minutes
      The suspend will be disabled only if you fill out one survey!
      Please wait 80 minutes and tray again.
    • Sample Message 2:
      You have only 3 minutes to fill out the selected survey
      or you will be banned from this site.
      When you complete one survey Click Here
    • Sample Message 3:
      You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to this page.
    • Sample Message 4:
      The page is blocked!
      The block will be released after 80 minutes
      The block will be disabled only if you fill out one survey!
      Please wait 80 minutes and tray again.
    • Sample Message 5:
      You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to your account.
    • Sample Message 6:
      You have only 3 minutes to fill out the selected survey or you will not have access to your account.
      When you complete one survey Click Here
  • If you enter any of the following strings on your Internet Explorer address bar, the same messages as above may also appear:
    • adobe
    • adult
    • aricl
    • bick
    • cpalead
    • daddie
    • drug
    • gay
    • geshac
    • hardcore
    • kanaa
    • mail
    • microsoft
    • myspace
    • outu
    • sex
    • tube
    • user:0
    • vidr
    • virus
    • window
    • xnxx
    • xvideos
    • XXX
  • Your Windows Task Manager may also not be functioning properly.

Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Limit user privileges on the computer.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to webpages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed on your computer. These are usually available from vendor websites.

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see http://www.microsoft.com/windows/antivirus-partners/.

Limit user privileges on the computer

Starting with Windows Vista and Windows 7, Microsoft introduced User Account Control (UAC), which, when enabled, allows users to run with least user privileges. This scenario limits the possibility of attacks by malware and other threats that require administrative privileges to run.

You can configure UAC on your computer to meet your preferences:

Use caution when opening attachments and accepting file transfers

Exercise caution with email and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to webpages

Exercise caution with links to webpages that you receive from unknown sources, especially if the links are to a webpage that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed on your computer simply by visiting a webpage with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software to compromise a computer, they also attempt to exploit vulnerabilities in human behavior to do the same. When an attacker attempts to take advantage of human behavior to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.

Use strong passwords

Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least eight characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.


Alert level: Severe
This entry was first published on: Jun 09, 2011
This entry was updated on: Jun 09, 2011

This threat is also detected as:
No known aliases