Worm:Win32/Yimfoca.gen!C

Worm:Win32/Yimfoca.gen!C is a worm that spreads to other computers by using certain Instant Messaging (IM) programs. It sends a copy of itself disguised as a link to a codec required to watch a video. When run, it then attempts to stop and disable services including "wuauserv" (Windows Automatic Update) and "MsMpSvc" (Microsoft Malware Protection Service). It also attempts to delete "msseces.exe", a core component of Microsoft Security Essentials and Forefront Endpoint Protection.

Installation

When executed, Worm:Win32/Yimfoca.gen!C copies itself into the Windows folder using the following file name:

• nvsvc32.exe

It creates a mutex named "Nvidia Drive Mon" to avoid multiple instances of itself from running.

It modifies the system registry so that it automatically runs every time Windows starts:

In subkeys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "NVIDIA driver monitor"
With data: "%windir%\nvsvc32.exe"

Spreads via...

Instant messaging programs

Worm:Win32/Yimfoca.gen!C spreads by sending a link to a copy of itself to all of a user's contacts in the following IM programs:

• Yahoo! Messenger
• AOL Instant Messenger
• MSN/Live Messenger

The link includes a message saying that the link supposedly points to a video that requires a special codec for viewing. However, the codec is actually a copy of the worm.

Payload

Disables services

Worm:Win32/Yimfoca.gen!C may try to stop the following services:

• wuauserv - Windows Update Automatic Update service
• MsMpSvc - Microsoft Security Essentials and Forefront Endpoint Protection security service

It issues a "net stop" command to stop the above mentioned services. Worm:Win32/Yimfoca.gen!C configures the services to run manually by running the following commands:

sc config wuauserv start= disabled
sc config MsMpSvc start= disabled

Deletes file

Worm:Win32/Yimfoca.gen!C may attempt to terminate the following process:

• msseces.exe

Once the process is terminated, the malware deletes this file, which is a core component of Microsoft Security Essentials and Forefront Endpoint Protection. The removal of this file compromises the these security software.

Connects to an IRC server

Worm:Win32/Yimfoca.gen!C may connect to certain Internet Relay Chat (IRC) servers to receive additional commands to perform on the computer. For example, It can connect to the server "142.45.193.<one digit number>" via predefined ports.

Analysis by Wei Li