Virus Messenger - Firewall is disabled by the Yahlover worm
The Yahlover.DH worm spreads through network shares and attempts to disable the Windows firewall on the computers it infects.
Yahlover.DH spreads primarily over network drives and shares. It makes a large number of changes to the registry: it creates new entries, modifies existing ones and deletes keys. Among other things, it prevents Windows Explorer from displaying the hidden and system files it uses to conceal itself, and it changes the firewall configuration so that its own traffic passes the Windows built-in firewall.
Yahlover.DH also downloads and installs additional malware on infected computers from the Internet.
When the Yahlover.DH worm starts, it performs the following actions:
- Creates the following files:
%System%\csrcs.exe
%System%\autorun.inf
- Adds the following entries to the registry (the policies\Explorer\Run key is processed like the normal Run key, and appending csrcs.exe to the Winlogon Shell value starts the worm together with Explorer at every logon; the values under DRM\amty are the worm's own markers, not Windows settings):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
csrcs = "%System%\csrcs.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell = "Explorer.exe csrcs.exe"
HKLM\SOFTWARE\Microsoft\DRM\amty\fix = ""
HKLM\SOFTWARE\Microsoft\DRM\amty\exp1 = [random characters]
HKLM\SOFTWARE\Microsoft\DRM\amty\dreg = [random characters]
HKLM\SOFTWARE\Microsoft\DRM\amty\kiu = [random characters]
HKLM\SOFTWARE\Microsoft\DRM\amty\eggol = [random characters]
HKLM\SOFTWARE\Microsoft\DRM\amty\egexp = [random characters]
- Queries the IP address of the infected computer.
- Attempts to infect additional computers over the network, copying itself to them under a random file name.
- Downloads further malicious programs from the Internet.
- Bypasses the Windows built-in firewall by adding itself to the list of authorized applications; the exception is labelled "Windows Life Messenger" so that it looks like a legitimate program:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List\
[worm filename] = [worm filename]:*:Enabled:Windows Life Messenger
- Tampers with any installed ESET NOD32 software by modifying the settings of its resident scanner (AMON): scanning of network media is switched off and a list of 12 (0xc) exclusions is written:
HKLM\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\
Config000\Settings\media_network = dword:00000000
HKLM\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\
Config000\Settings\exc = [...]
HKLM\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\
Config000\Settings\exc_num = dword:0000000c
- Deletes the following entries from the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
- Modifies the following values in the registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Hidden = dword:00000002
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
SuperHidden = dword:00000000
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
ShowSuperHidden = dword:00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Folder\Hidden\SHOWALL\CheckedValue = dword:00000001
These settings stop Windows Explorer from displaying files that carry the hidden and system attributes, which is how the worm keeps its own files (csrcs.exe and autorun.inf) out of sight: Hidden = 2 corresponds to "Do not show hidden files and folders" and ShowSuperHidden = 0 to "Hide protected operating system files".
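The checks a responder would run against a suspect host, as an added example that is not part of the original page: the script below walks through the indicators listed above (dropped files, the two persistence values, the DRM\amty marker key, the firewall exception, the Explorer hidden-file settings and the NOD32 AMON settings) and reports what it finds. The registry paths and file names come from the page; the -Fix switch, the remediation values it writes, the "Live" spelling accepted for the firewall label and the "Program Files" check used to skip a genuine Messenger install are this script's own assumptions.

```powershell
# Added triage script (not from the original page) for the Yahlover.DH indicators
# described above. Run in an elevated PowerShell session on the suspect host.
# Registry paths and file names are taken from the page; the -Fix switch and the
# values it restores are assumptions about a sensible cleanup, not page content.
param([switch]$Fix)

$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Dropped files in %System%
$sys = [Environment]::GetFolderPath('System')
foreach ($name in @('csrcs.exe', 'autorun.inf')) {
    $path = Join-Path $sys $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("file present: $path (SHA256 $hash)")
        if ($Fix) {
            Get-Process -Name 'csrcs' -ErrorAction SilentlyContinue | Stop-Process -Force
            Remove-Item -LiteralPath $path -Force
        }
    }
}

# 2. Persistence: policies\Explorer\Run value and the Winlogon Shell value
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['csrcs']) {
    $findings.Add("Run value csrcs = $($run.csrcs)")
    if ($Fix) { Remove-ItemProperty -Path $runKey -Name 'csrcs' }
}
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {     # -ne is case-insensitive in PowerShell
    $findings.Add("Winlogon Shell = '$shell' (expected 'explorer.exe')")
    if ($Fix) { Set-ItemProperty -Path $wlKey -Name 'Shell' -Value 'explorer.exe' }
}

# 3. Marker key written by the worm (DRM\amty is not a Windows key)
$amty = 'HKLM:\SOFTWARE\Microsoft\DRM\amty'
if (Test-Path -LiteralPath $amty) {
    $findings.Add("marker key present: $amty")
    if ($Fix) { Remove-Item -LiteralPath $amty -Recurse }
}

# 4. Firewall exception. The worm's file name is random, so match on the value
#    format <path>:*:Enabled:<label> using the label from the page (the "Live"
#    spelling is an assumption) and skip entries that point into Program Files,
#    where a real Messenger install would live (also an assumption).
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    foreach ($prop in $fw.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are not values
        if ($prop.Value -match ':\*:Enabled:Windows Li[fv]e Messenger$' -and
            $prop.Name -notmatch '\\Program Files') {
            $findings.Add("firewall exception: $($prop.Name) = $($prop.Value)")
            if ($Fix) { Remove-ItemProperty -Path $fwKey -Name $prop.Name }
        }
    }
}

# 5. Explorer hidden-file settings of the current user. Hidden = 2 means "Do not
#    show hidden files", ShowSuperHidden = 0 hides protected OS files; 1/1 makes
#    the worm's files visible again. SHOWALL\CheckedValue = 1 (listed on the page)
#    is that value's normal setting, so it is not treated as an indicator here.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
$expected = @{ Hidden = 1; ShowSuperHidden = 1 }
foreach ($name in $expected.Keys) {
    $cur = if ($adv) { $adv.$name } else { $null }
    if ($null -ne $cur -and $cur -ne $expected[$name]) {
        $findings.Add("Explorer\Advanced\$name = $cur (expected $($expected[$name]))")
        if ($Fix) { Set-ItemProperty -Path $advKey -Name $name -Value $expected[$name] -Type DWord }
    }
}

# 6. NOD32 AMON settings (only present if NOD32 is installed). No automatic fix:
#    re-enable network media scanning and review the exclusions in the NOD32 UI.
$nodKey = 'HKLM:\SOFTWARE\ESET\Nod\CurrentVersion\Modules\AMON\Settings\Config000\Settings'
$nod = Get-ItemProperty -Path $nodKey -ErrorAction SilentlyContinue
if ($nod) {
    if ($nod.media_network -eq 0) { $findings.Add('NOD32 AMON: network media scanning disabled (media_network = 0)') }
    if ($nod.exc_num -gt 0)      { $findings.Add("NOD32 AMON: $($nod.exc_num) exclusion entries (exc_num)") }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Yahlover.DH indicators found.'
    exit 0
}
Write-Output "Yahlover.DH indicators found ($($findings.Count)):"
$findings | ForEach-Object { Write-Output "  - $_" }
if ($Fix) { Write-Output 'Remediation applied: reboot, run a full AV scan and check network shares for copies of the worm under random file names.' }
exit 1
```

Save it under any name (for instance Check-Yahlover.ps1, a hypothetical name) and run it first without -Fix to get a read-only report and a non-zero exit code on a hit; run it again with -Fix only after the findings have been recorded, because the remediation removes the persistence values, the marker key and the firewall exception that the page lists as evidence of the infection.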