Win32/Yimfoca is a worm family that spreads via common instant messaging applications and social networking sites. It is capable of connecting to a remote HTTP or IRC server to receive updated configuration data. It also modifies certain system and security settings.
Installation
Win32/Yimfoca drops a copy of itself in any of the following folders:
- %Windir%
- %Public%
- %ProgramFiles%
In the wild, Win32/Yimfoca has been observed to use one of the following file names:
- nvsvc32.exe
- csrss.exe - note that a legitimate Windows file also named "csrss.exe" exists by default in the Windows system folder
Win32/Yimfoca also creates a mutex to prevent more than one instance of itself from running at a time. The following are some mutex names that Yimfoca has been observed to use in the wild:
- Nvidia Drive Mon
- Client Server Runtine Process
Win32/Yimfoca adds the following registry entries so that it can run every time Windows starts:
In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Sets value: "<Yimfoca registry entry>"
With data: "%Windir%\<Yimfoca file name>"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "<Yimfoca registry entry>"
With data: "%Windir%\<Yimfoca file name>"
In the wild, variants of the Win32/Yimfoca family have been seen using one of these combinations of file names and fake names for the registry modification:
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"
or:
Sets value: "Windows System Devices Manager"
With data: "%windir%\csrss.exe"
After Win32/Yimfoca drops and installs a copy of itself, it opens a new Internet browser window to the "Browse" page of the social networking site Myspace and then terminates while its dropped copy continues running.
Spreads Via...
Instant messaging programs and social networking sites
Worm:Win32/Yimfoca spreads by sending malicious links to the user's contacts in any of the following instant messaging applications:
- AOL Instant Messenger
- MSN Messenger
- Skype
- Yahoo! Messenger
The links it sends out point to a copy of itself hosted on a remote server. Some servers that it includes in its propagation messages are:
- ialongsdor.net
- alynnprel.net
The following is a screenshot of a sample web site found to be hosting installers of Win32/Yimfoca:
It also posts malicious links to the user's friends on the social networking site Facebook.
It uses social engineering tricks to entice the users into running the malware. For instance, it may pose as a link to a photo or a video. Below is a screenshot of a sample instant message used by Yimfoca to propagate:
Payload
Modifies security settings
Win32/Yimfoca modifies Windows Firewall settings to gain access to the Internet. It does this by adding the following registry entry:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Sets value: "%windir%\<Yimfoca file name>"
With data: "%windir%\<Yimfoca file name>:*:Enabled:<Yimfoca file name>"
In the wild, Win32/Yimfoca has been observed using the following registry values and data:
Sets value: "%windir%\nvsvc32.exe"
With data: "%windir%\nvsvc32.exe:*:Enabled:NVIDIA driver monitor"
or
Sets value: "%windir%\csrss.exe"
With data: "%windir%\csrss.exe:*:Enabled:Windows System Devices Manager"
Some variants of Win32/Yimfoca may also disable the Windows Task Manager by modifying the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "1"
Modifies Internet Explorer settings
There are variants of Win32/Yimfoca that set the Internet Explorer Home page by modifying the following registry data:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "<Yimfoca server>"
In the wild, variants of Win32/Yimfoca have been observed setting Internet Explorer's Home page to any one of these servers:
- 142.45.183.3
- 142.45.191.252
- 142.45.191.249
- redirecturls.info
Other variants of Win32/Yimfoca may also modify the following registry entries in an attempt to change the Internet Explorer Home page:
In subkeys:
HKCR\HTTP\shell\open\command
HKCR\https\shell\open\command
HKCR\htmlfile\shell\open\command
Sets value: "@@''"
With data: "%ProgramFiles%\Internet explorer\iexplore.exe -nohome"
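The following PowerShell audit is an added example, not part of the encyclopedia entry: it checks a host for the registry modifications described in the Installation, "Modifies security settings" and "Modifies Internet Explorer settings" sections above. It assumes the "@@''" entry denotes the key's default value, that it runs with rights to read HKLM, and that the function and variable names are my own.

```powershell
# Added audit script (mine, not from the encyclopedia entry). Indicator strings
# come from the entry; function and variable names are my own choices.
$FakeNames = @('NVIDIA driver monitor', 'Windows System Devices Manager')
$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run')
$FwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$Handlers = @('HTTP', 'https', 'htmlfile') | ForEach-Object { "Registry::HKEY_CLASSES_ROOT\$_\shell\open\command" }
$HomeServers = @('142.45.183.3', '142.45.191.252', '142.45.191.249', 'redirecturls.info')

function Get-RegValues([string]$Path) {
  # Enumerate the name/data pairs of one key; a missing key yields nothing.
  if (-not (Test-Path -LiteralPath $Path)) { return }
  $key = Get-Item -LiteralPath $Path
  foreach ($n in $key.GetValueNames()) {
    [pscustomobject]@{ Key = $Path; Name = $n; Data = [string]$key.GetValue($n) }
  }
}

$findings = New-Object System.Collections.Generic.List[string]
# Autorun entries: the fake value names, or data pointing at one of the dropped
# file names (the legitimate csrss.exe lives in the system folder and is never
# registered under a Run key, so any Run entry naming it is suspect).
foreach ($k in $RunKeys) {
  foreach ($v in Get-RegValues $k) {
    if ($FakeNames -contains $v.Name -or $v.Data -match '(?i)\\(nvsvc32|csrss)\.exe') {
      $findings.Add("Autorun  $($v.Key)\$($v.Name) = $($v.Data)")
    }
  }
}
# Firewall exceptions: data is "<path>:*:Enabled:<display name>"; the display
# name field reuses the same fake names as the Run entries.
foreach ($v in Get-RegValues $FwList) {
  $display = ($v.Data -split ':')[-1]
  if ($FakeNames -contains $display -or $v.Name -match '(?i)\\(nvsvc32|csrss)\.exe$') {
    $findings.Add("Firewall $($v.Name) = $($v.Data)")
  }
}
# Task Manager policy, IE Start Page, and protocol-handler hijack (-nohome).
$pol = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings.Add('Policy   DisableTaskMgr = 1') }
$ie = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and ($HomeServers | Where-Object { $ie.'Start Page' -like "*$_*" })) { $findings.Add("IE       Start Page = $($ie.'Start Page')") }
foreach ($h in $Handlers) {
  $cmd = (Get-RegValues $h | Where-Object Name -eq '').Data   # '' is the key's (Default) value
  if ($cmd -match '(?i)-nohome') { $findings.Add("Handler  $h = $cmd") }
}
if ($findings.Count) { $findings } else { 'No Yimfoca registry indicators found.' }
```

A hit on any line is worth a second look rather than automatic cleanup: the Run and firewall checks key on value names and file names that a legitimate driver or application could in principle also use.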
Terminates and disables services and processes
Worm:Win32/Yimfoca attempts to stop and disable Windows Update and the Microsoft Antimalware Service by running the following commands:
net stop wuauserv
net stop MsMpSvc
sc config wuauserv start = disabled
sc config MsMpSvc start = disabled
In addition, if it finds the Microsoft Security Client User Interface process running on the affected computer, it attempts to terminate it and deletes the associated process file. The removal of this file compromises the functionality of the security programs Microsoft Security Essentials and Forefront Endpoint Protection.
Connects to a remote server
Worm:Win32/Yimfoca has been observed attempting to connect to any of the following servers using predefined ports:
The remote computers above may contain an HTTP server, an IRC server, or both. If Worm:Win32/Yimfoca successfully establishes a connection with any of these servers, it receives configuration data, such as templates that it uses as the message when propagating (see "Spreads via..." section above) or the survey sample message it displays (see "Interrupts Internet Explorer browsing activity" payload section below).
Downloads and executes arbitrary files
Win32/Yimfoca has the capability to download and execute an arbitrary file. This file may be either an updated version of Win32/Yimfoca itself or other malware.
Interrupts Internet Explorer browsing activity
If the user attempts to open the website "www.facebook.com", Win32/Yimfoca may display messages on top of the current page informing the user that they will not be able to continue browsing the site until they fill out a survey. This, in effect, prevents the user from accessing the Facebook site.
The messages displayed by Win32/Yimfoca are part of the configuration data that it receives from one of its remote servers. Hence, the contents of the message may vary at any given time. Below are some samples of these messages:
- Sample Message 1:
Your Account as been suspended!
The suspend will be released after 80 minutes
The suspend will be disabled only if you fill out one survey!
Please wait 80 minutes and tray again.
- Sample Message 2:
You have only 3 minutes to fill out the selected survey
or you will be banned from this site.
When you complete one survey Click Here
- Sample Message 3:
You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to this page.
- Sample Message 4:
The page is blocked!
The block will be released after 80 minutes
The block will be disabled only if you fill out one survey!
Please wait 80 minutes and tray again.
- Sample Message 5:
You have to complete one of these to confirm that you are not a robot. Otherwise you will not have access to your account.
- Sample Message 6:
You have only 3 minutes to fill out the selected survey or you will not have access to your account.
When you complete one survey Click Here
In addition, Yimfoca may also display these surveys if the affected user enters certain substrings in Internet Explorer's address bar. These substrings can either be hardcoded in the malware body or be reconfigurable, just like the survey messages above. The following are some examples of the substrings that Yimfoca watches for:
- adobe
- adult
- aricl
- bick
- cpalead
- daddie
- drug
- gay
- geshac
- hardcore
- kanaa
- mail
- microsoft
- myspace
- outu
- sex
- tube
- user:0
- vidr
- virus
- window
- xnxx
- xvideos
- XXX
Analysis by Gilou Tenebro