Worm:Win32/Yoybot.gen


Worm:Win32/Yoybot.gen is a generic detection for a family of malicious IRC bots that are able to spread through removable drives and file sharing networks.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Additional recovery steps
This threat may make lasting changes to an affected system’s configuration that will NOT be restored by detecting and removing this threat. For more information on returning an affected system to its pre-infected state, please see the following article/s: 

Threat behavior

Worm:Win32/Yoybot.gen is a generic detection for a family of malicious IRC bots that are able to spread through removable drives and file sharing networks.
Installation
Files detected as Worm:Win32/Yoybot.gen may copy themselves to the Windows folder using file names such as the following:
 
algs.exe
antivir.exe
blah.exe
christmas-2007
coultca.exe
counter strike source crack.exe
d3dx9_373.dll
darbe.exe
dark ddos tool.exe
dcom exploit.exe
devic.exe
devicer.exe
devices.exe
divx pro + keygen.exe
e2x.exe
ede.exe
explors.exe
filename.exe
gvpqij.exe
happy2008.exe
hotmail cracker.exe
hotmail hacker.exe
iexplorer.exe
isssm.exe
itunehelper.exe
kacir.bin
kacir.dll
kaspersky crack.exe
kca.exe
keylogger.exe
l0pht 4.0 windows password cracker.exe
lcass.exe
limewire pro final edition.exe
mgrmsn.exe
microsoft visual basic keygen.exe
microsoft visual c++ keygen.exe
microsoft visual studio keygen.exe
mozilla.exe
msgplus.exe
msgsrv32.exe
msmsgrsu.exe
msn keylogger.exe
msn password cracker.exe
msn password stealer.exe
msnmsgupdater.exe
msnmsngr.dll
msnnmsgr.exe
msnsgrs.exe
msnwsp.exe
mssvc.exe
mswinmsd.exe
netbios cracker.exe
netbios hacker.exe
norton antivirus all versions crack.exe
older man and young boy.scr
osmanemre.exe
rdshost.dll
samp gta multiplayer.exe
scvhost.exe
scvhots.exe
sdbot with netbios spread.exe
service.exe
shvhost.exe
spore crack.exe
spore full patcher.exe
steam crack.exe
steam keygen.exe
sub7 2.3 private.exe
svchost.exe
svhost.exe
svshost32.exe
sys1.exe
sys2.exe
taskmrg.exe
teen sex.scr
temp:0ff69b57
test.exe
usb-driver.com
usb_driver.exe
winamp.exe
winboolxp2.exe
windows password cracker.exe
windows xp validator crack.exe
windowxdll.dll
wings.exe
winlogin.exe
winmsg.exe
winsys.exe
wint.exe
winup.exe
wupdat.exe
wupdatemgr32.exe
x0r.exe
young boy nude.scr
young girl and boy sex.scr
young girl first time.scr
young girl nude.scr
youtube account cracker.exe
zjkhajgh.exe
 
Files detected as Worm:Win32/Yoybot.gen have also been found to insert themselves into existing RAR archives. They may also archive copies of themselves into a ZIP file with file names such as the following:
 
file0035.zip
image2008.zip
image51257-2008.zip
imagenessexo.zip
img1-15-2008.zip
img104185.zip
img104285.zip
img104385.zip
img1043vv.zip
img2007-12.zip
img5-2007.zip
imgi04q85.zip
kontor.zip
lolpic.zip
new-year2008-imgaes.zip
photo album.zip
photo-354422.myspace.com.zip
photos1-2008.zip
pics.zip
resimler.zip
resimlerim.zip
 
Most files also add a registry entry to enable a worm copy to run whenever Windows starts.
Spreads via...
Removable drives
Worm:Win32/Yoybot.gen may spread by dropping a copy of itself and the initialization file 'autorun.inf' on all removable drives. The worm copy is dropped in a subfolder that the worm creates:
 
<drive>:\driver\usb
 
The initialization file is designed to automatically run the worm copy when the drive is accessed and Autorun is enabled.
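The removable-drive behaviour described above (a copy under <drive>:\driver\usb plus an autorun.inf that launches it) can be checked from the defender's side. The following Python script is an added example, not code from Microsoft or from the worm itself. The function names, the two constructed autorun.inf samples and the assumption that the [autorun] keys open=, shellexecute= and shell\<verb>\command= are the launch targets worth inspecting are mine; the folder name driver\usb and the file names usb_driver.exe and usb-driver.com are taken from this page.

```python
r"""Added example: inspect a removable drive's autorun.inf for the launch
pattern described above (a copy dropped under <drive>:\driver\usb and an
autorun.inf that starts it). Not code from Microsoft or from the worm."""
import re
from pathlib import Path, PureWindowsPath

# [autorun] keys that can start a program when the drive is opened (assumption:
# these three forms are the ones worth inspecting).
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Folder and file names quoted on this page for the removable-drive copy.
WORM_SUBFOLDER = ("driver", "usb")
WORM_FILE_NAMES = {"usb_driver.exe", "usb-driver.com"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section; keys are lower-cased."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """Command lines that would run when the drive is opened or double-clicked."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or SHELL_COMMAND_RE.match(k)]


def executable_of(command):
    """First token of a command line with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_targets(text):
    """Launch targets that point into driver\\usb or use a file name from this page."""
    found = []
    for target in launch_targets(parse_autorun(text)):
        parts = [p.lower() for p in PureWindowsPath(executable_of(target)).parts]
        in_worm_dir = any(tuple(parts[i:i + 2]) == WORM_SUBFOLDER
                          for i in range(len(parts) - 1))
        if in_worm_dir or (parts and parts[-1] in WORM_FILE_NAMES):
            found.append(target)
    return found


def scan_drive_root(root):
    """Check a mounted drive root for both indicators; returns a small report dict."""
    root = Path(root)
    inf = root / "autorun.inf"
    text = inf.read_text(errors="ignore") if inf.is_file() else ""
    return {
        "worm_folder_present": (root / "driver" / "usb").is_dir(),
        "suspicious_autorun_targets": suspicious_targets(text),
    }


# Constructed sample files (not captured from a real infection).
SAMPLE_WORM_AUTORUN = r"""
[autorun]
open=driver\usb\usb_driver.exe
shellexecute=driver\usb\usb_driver.exe
shell\open\command=driver\usb\usb_driver.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

SAMPLE_BENIGN_AUTORUN = r"""
; typical vendor disc: an icon, a label and a setup launcher
[autorun]
icon=setup.exe,0
label=Backup Tools
open=setup.exe
"""

if __name__ == "__main__":
    print("worm sample:", suspicious_targets(SAMPLE_WORM_AUTORUN))
    print("benign sample:", suspicious_targets(SAMPLE_BENIGN_AUTORUN))
```

On a real host, scan_drive_root('E:\\') reads the autorun.inf at the drive root and also reports whether the driver\usb folder exists, so a drive is flagged even when the autorun.inf has already been cleaned but the dropped copy has not.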
 
File-sharing programs
 
Files detected as Worm:Win32/Yoybot.gen may copy themselves to folders that are known to be used by file-sharing programs, such as the following:
 
%ProgramFiles%\bearshare\shared
%ProgramFiles%\edonkey2000\incoming
%ProgramFiles%\emule\incoming
%ProgramFiles%\grokster\my grokster
%ProgramFiles%\icq\shared folder
%ProgramFiles%\kazaa lite k++\my shared folder
%ProgramFiles%\kazaa lite\my shared folder
%ProgramFiles%\kazaa\my shared folder
%ProgramFiles%\limewire\shared
%ProgramFiles%\morpheus\my shared folder
%ProgramFiles%\tesla\files
%ProgramFiles%\winmx\shared
 
This ensures that when the file-sharing program is used, the worm copy is automatically shared and is accessible to users on other systems.
Payload
Allows backdoor access and control
In the wild, Worm:Win32/Yoybot.gen has been seen connecting to IRC servers such as the following:
 
64.18.147.44
79.125.11.206
81.169.167.11
acid.dyndns.net
b3st.yi.org
botnetim.no-ip.biz
cod.sohbetodasi.info
colpha.no-ip.biz
dangerz.lamersgroup.net
darksheekz.opendns.be
essalami.dyndns.org
fuckyou.bounceme.net
http.xn
irc-irc.homeunix.net
irc.Arkadassec.com
irc.diboo.net
irc.hatunporn.com
irc.hopam.net
irc.itexltd.com
irc.lonelyness.info
irc.msngrils.com
irc.NeoBotNet.Net
irc.opera.com
irc.sexbul.info
irc.thedetested.com
irc.webmaster.com
irc.xstr.info
irc.yourirc.com
irc2.scan.ed-by.me.uk
irc2.servebeer.com
ircplus.hopto.org
join.sohbetini.net
karkar.soulsanctuary.info
mg-kka.com
msn.petegim.net
msnbots.hopto.org
pimpampum.laweb.es
secure.bindshell.info
sleepy.bb-renaissance.com
speed.redirectme.net
spees.bpa.nu
ss.nx.hh.multi-sonic.eu
sscxl.homelinux.net
usb.princ.ch
worm.emriz.com
xuk.womeniser.info
 
It may listen for commands from a remote attacker to perform the following actions:
 
  • Send chat messages
  • Perform distributed denial-of-service attacks to a specified server
  • Download and update a worm copy
 
Modifies firewall settings
Worm:Win32/Yoybot.gen may modify firewall settings to add the worm process to the Firewall policy exception list. This enables the worm process to access the network.
 
It may do this by adding the following registry entry:
 
Adds value: "<malware file>"
With data: "<malware file>:*:enabled:windows services"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
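The firewall exception above leaves a reviewable trace under the AuthorizedApplications\List subkey: each value's data has the form "<path>:<scope>:<mode>:<name>", and the worm's entry carries the display name "windows services". The following Python script is an added example, not code from Microsoft or from the worm; the function names, the constructed sample values and the choice to also flag look-alike file names from this page and an svchost.exe outside System32 are mine. The registry path and the display name are taken from the description above.

```python
r"""Added example: audit values under the Windows Firewall (XP/2003 SharedAccess)
AuthorizedApplications\List subkey for the exception described above.
Not Microsoft code; the 'path:scope:mode:name' data format and the
'windows services' display name come from the description on this page."""
import sys
from pathlib import PureWindowsPath

# Subkey under HKLM quoted on this page.
LIST_SUBKEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Display name the worm gives its exception, per the description above.
WORM_DISPLAY_NAME = "windows services"
# Look-alike file names from the list on this page (extend from that list as needed).
IMPOSTOR_NAMES = {"scvhost.exe", "scvhots.exe", "svhost.exe", "svshost32.exe",
                  "shvhost.exe", "winlogin.exe", "iexplorer.exe", "lcass.exe",
                  "mssvc.exe", "taskmrg.exe"}


def parse_exception(data):
    """Split 'path:scope:mode:name'; rsplit keeps the drive colon inside the path."""
    parts = data.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an AuthorizedApplications value: {data!r}")
    path, scope, mode, name = parts
    return {"path": path, "scope": scope, "mode": mode, "name": name}


def reasons_for(data):
    """Why one exception looks like the worm's ([] when it does not)."""
    entry = parse_exception(data)
    path = PureWindowsPath(entry["path"])
    base = path.name.lower()
    reasons = []
    if entry["name"].strip().lower() == WORM_DISPLAY_NAME:
        reasons.append("display name 'windows services'")
    if base in IMPOSTOR_NAMES:
        reasons.append(f"look-alike file name {base}")
    # Assumption: the genuine svchost.exe lives in System32; the worm copies
    # itself to the Windows folder, so an svchost.exe elsewhere is worth a look.
    if base == "svchost.exe" and path.parent.name.lower() != "system32":
        reasons.append("svchost.exe outside System32")
    return reasons


def audit(values):
    """values: {value name: data} as exported from the List subkey.
    Returns [(value name, reasons)] for the entries that look suspicious."""
    flagged = []
    for name, data in values.items():
        reasons = reasons_for(data)
        if reasons:
            flagged.append((name, reasons))
    return flagged


def read_list_from_registry():
    """Read the live List subkey on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LIST_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = data
            index += 1
    return values


# Constructed sample of exported values (not taken from a real machine).
SAMPLE_VALUES = {
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\scvhost.exe":
        r"C:\WINDOWS\scvhost.exe:*:enabled:windows services",
    r"C:\WINDOWS\svchost.exe":
        r"C:\WINDOWS\svchost.exe:*:Enabled:Generic Host Process",
}

if __name__ == "__main__":
    live = read_list_from_registry()
    for name, why in audit(live or SAMPLE_VALUES):
        print(name, "->", "; ".join(why))
```

Run on the affected system it audits the live subkey; anywhere else it falls back to the constructed sample so the matching logic can be exercised offline. Removing the flagged value only closes the firewall hole; the worm copy and its startup registry entry still need to be handled by the full-system scan recommended above.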
 
Analysis by Jireh Sanico

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    algs.exe
    antivir.exe
    blah.exe
    christmas-2007
    coultca.exe
    counter strike source crack.exe
    d3dx9_373.dll
    darbe.exe
    dark ddos tool.exe
    dcom exploit.exe
    devic.exe
    devicer.exe
    devices.exe
    divx pro + keygen.exe
    e2x.exe
    ede.exe
    explors.exe
    filename.exe
    gvpqij.exe
    happy2008.exe
    hotmail cracker.exe
    hotmail hacker.exe
    iexplorer.exe
    isssm.exe
    itunehelper.exe
    kacir.bin
    kacir.dll
    kaspersky crack.exe
    kca.exe
    keylogger.exe
    l0pht 4.0 windows password cracker.exe
    lcass.exe
    limewire pro final edition.exe
    mgrmsn.exe
    microsoft visual basic keygen.exe
    microsoft visual c++ keygen.exe
    microsoft visual studio keygen.exe
    mozilla.exe
    msgplus.exe
    msgsrv32.exe
    msmsgrsu.exe
    msn keylogger.exe
    msn password cracker.exe
    msn password stealer.exe
    msnmsgupdater.exe
    msnmsngr.dll
    msnnmsgr.exe
    msnsgrs.exe
    msnwsp.exe
    mssvc.exe
    mswinmsd.exe
    netbios cracker.exe
    netbios hacker.exe
    norton antivirus all versions crack.exe
    older man and young boy.scr
    osmanemre.exe
    rdshost.dll
    samp gta multiplayer.exe
    scvhost.exe
    scvhots.exe
    sdbot with netbios spread.exe
    service.exe
    shvhost.exe
    spore crack.exe
    spore full patcher.exe
    steam crack.exe
    steam keygen.exe
    sub7 2.3 private.exe
    svchost.exe
    svhost.exe
    svshost32.exe
    sys1.exe
    sys2.exe
    taskmrg.exe
    teen sex.scr
    temp:0ff69b57
    test.exe
    usb-driver.com
    usb_driver.exe
    winamp.exe
    winboolxp2.exe
    windows password cracker.exe
    windows xp validator crack.exe
    windowxdll.dll
    wings.exe
    winlogin.exe
    winmsg.exe
    winsys.exe
    wint.exe
    winup.exe
    wupdat.exe
    wupdatemgr32.exe
    x0r.exe
    young boy nude.scr
    young girl and boy sex.scr
    young girl first time.scr
    young girl nude.scr
    youtube account cracker.exe
    zjkhajgh.exe
    file0035.zip
    image2008.zip
    image51257-2008.zip
    imagenessexo.zip
    img1-15-2008.zip
    img104185.zip
    img104285.zip
    img104385.zip
    img1043vv.zip
    img2007-12.zip
    img5-2007.zip
    imgi04q85.zip
    kontor.zip
    lolpic.zip
    new-year2008-imgaes.zip
    photo album.zip
    photo-354422.myspace.com.zip
    photos1-2008.zip
    pics.zip
    resimler.zip
    resimlerim.zip

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Oct 29, 2009
This entry was updated on: May 21, 2010

This threat is also detected as:
  • Win32/Rbot.JPR (CA)
  • Worm.Win32.AutoRun.fmx (Kaspersky)
  • W32/AutoRun.SND (Norman)
  • Worm.AutoRun.NDD (VirusBuster)
  • Win32/AutoRun.IRCBot.Y (ESET)
  • W32/Autorun.worm!a (McAfee)
  • W32/AutoRun.DJ.worm (Panda)