Trojan.Win32.Yakes.buh

From Total Malware Info

The description for Trojan.Win32.Yakes.buh was created during the beta test of the «Malware description on demand» service. Learn more at: www.dnt-lab.com/en/services.
Last edited: 11.9.2011

It is a trojan program that performs destructive actions on the user's computer. It is a Windows application (PE EXE file), 57,480 bytes in size, written in C++.

MD5: E9DC8EBABDC9A2FD571885909DA8CC0D

SHA1: A7AC04CCC620A1703F20234CB27D11E70F49B4CC

Installation

The trojan copies its body to the Windows system directory. If it cannot create the copy there, it creates the copy in the current user's temporary directory instead:

%System%\ms<rnd>.exe
%Temp%\ms<rnd>.exe

where <rnd> is any sequence of digits and letters, for example "vgzcjw" or "ngszup". To start automatically each time the system boots, the trojan creates a system service that runs its executable:

[HKLM\System\CurrentControlSet\Services\Network Adapter Events]

Payload

Once launched, the trojan performs the following actions:

  • It creates a unique identifier with the following name to ensure that only one instance of its process runs:
msrdp#v3.2.4
  • It stops and deletes the following services:
Norton Antivirus Service
Panda Antivirus
Detector de OfficeScanNT
McAfee Framework Service
sharedaccess
OutpostFirewall
lnsfw1
sfilter
SmcService
UmxPol
UmxLU
UmxAgent
UmxCfg
kmxagent
kmxbig
kmxcfg
kmxfile
kmxfw
kmxids
kmxndis
kmxsbx
ZoneAlarm
vsmon
vsdatant
IswSvc
ISWKL
klif
klpf
klpid
kl1
WinDefend
MpsSvc
BFE
F-Secure Filter
F-Secure Gatekeeper
F-Secure HIPS
F-Secure Recognizer
fsbts
FSFW
F-Secure Gatekeeper Handler Starter
FSDFWD
FSMA
FSORSPClient
  • It creates a user named:
TermUser

and adds this user to the groups:

Administrators
Remote Desktop Users
  • It hides this user's name from the Welcome screen. For this purpose it creates the following registry value:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"TermUser" = "0"
  • It scans removable drives and copies the files whose extensions are not in the following list:
7z
ace
ain
arc
arh
ari
arj
ark
boo
bz2
bzip
bzip2
deb
dist
gzip
hpk
ice
lha
lzh
lzma
pack.gz
package
pak
pkg
r00
r01
r02
r03
r21
r30
rar
rpm
tar
tar.xz
tbz
tbz2
tgz
uha
wad
zip
zoo
aac
aax
ac3
acm
aif
aifc
aiff
amf
amr
ams
amz
ape
apf
cda
cdda
cdr
dts
dtshd
flac
m1a
m3u
m4a
m4b
m4p
m4r
mid
midi
miniusf
mka
mod
mp_
mp1
mp2
mp3
mpa
mpc
mpga
ogg
pcm
pls
ram
snd
voc
vox
wav
wave
wma
wpk
wproj
3g2
3gp
3gp2
3gpp
amv
amx
asf
asx
avi
d3v
divx
dv4
dvr-ms
dvx
flc
flv
hdmov
ifo
imoviep
m1pg
m1v
m21
m2a
m2t
m2ts
m2v
m4e
m4u
m4v
mj2
mjp
mjpg
mkv
mov
movie
mp21
mp2v
mp4
mp4v
mpeg
mpeg4
mpg
mpg2
msdvd
mswmm
ogm
ogv
ogx
playlis
prproj
qtch
rts
swf
vid
vob
vp3
vp6
vp7
wmmp
wmv
wmx
wp3
xvid
ac5
ac6
acr
catpart
exif
ilbm
ithmb
jiff
kodak
odif
picnc
pictclipping
pspimage
qtif
spiff
suniff
tddd
trif
xbm
xpm
agif
albm
apng
art
artwork
blkrt
bm2
bmp
djvu
icon
ico
jb2
jpe
jpeg
jpg
pcx
png
psd
sumo
thumb
tif
tiff
wbmp
gif
design
drwdot
emf
eps
epsf
fh10
fh11
ft10
ft11
slddrt
slddrw
svg
3dmf
3ds
3dxml
asat
blend
catproduct
dwg
md5anim
md5mesh
model
sldasm
sldprt
truck
openbsdcmd
bat
ex_
exe
exopc
gadget
jse
pif
vbs
vbscript
widget
dll

Only files smaller than 10 MB are copied. The trojan saves the copies in the directory:

%System%\storage\<rnd>\

where <rnd> is the volume serial number of the removable media.

  • It checks for a connection to the Internet by accessing the following URLs:
www.microsoft.com
www.yahoo.com
www.msn.com
  • To receive commands, the trojan sends a request to one of a list of attacker-controlled domains (the domain names are partially masked in the original description).

The request contains information about the user's computer: the system locale, the volume serial number of the system drive, the computer name, the user name, and the values the trojan reads from the following registry keys:

[HKLM\Software\Microsoft\Cryptography]
"MachineGuid"

[HKLM\Software\Microsoft\Windows NT\CurrentVersion]
"ProductId"
"DigitalProductId"
"InstallDate"

as well as information about the installed security software from the following list:

Webroot
Sophos
Clam Antivirus
ClamWin
Avast 5
avast!

which the trojan looks up under the following key in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall]
  • The trojan saves its settings in an encrypted form in the registry key:
[HKLM\Software\Microsoft\TermServMonitor]

On the attacker's command, the trojan can download updates, download and execute components that provide access to the infected computer via RDP (Remote Desktop Protocol), and download a component that logs user actions.

The downloaded files are stored in the temporary directory of the current user:

%Temp%\win<rnd1>.tmp

where <rnd1> is any sequence of digits and letters.

If the downloaded file is an archive containing components to install, the trojan creates the following directory and extracts the files into it:

%Temp%\b<rnd2>\

where <rnd2> is any sequence of digits and letters.

Then the trojan will install the downloaded components.

Removal Instructions

If your computer was not protected by an antivirus and was infected with this malware, follow these steps to remove it:

1. Using Task Manager, terminate the trojan process.

2. Delete the original trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).

3. Remove the following registry keys:

[HKLM\Software\Microsoft\TermServMonitor]

[HKLM\System\CurrentControlSet\Services\Network Adapter Events]

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
"TermUser" = "0"

4. Remove the following files and directories:

%System%\ms<rnd>.exe
%Temp%\ms<rnd>.exe
%Temp%\win<rnd1>.tmp
%Temp%\b<rnd2>\

5. Remove the following user from the system:

TermUser

6. Perform a full system scan with an antivirus with updated databases.
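A host triage script for the indicators in the Installation, Payload and Removal sections above (the service and settings keys, the hidden TermUser account and its group membership, the dropped and staged files, and the single-instance marker, which is assumed here to be a mutex in either the session or the Global namespace). It is an added example, not part of the original description; it only reports what it finds and leaves removal to the steps above.

```powershell
# Added triage script for the indicators in this description; not part of the original page.
# Run in an elevated PowerShell 5.1 or later session: it only reports, it removes nothing.
$knownMd5 = 'E9DC8EBABDC9A2FD571885909DA8CC0D'   # MD5 of the described sample
# A 32-bit sample writing to %System% lands in SysWOW64 on 64-bit Windows, so both are checked.
$sysDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { Test-Path $_ }
$findings = @()
# Single-instance marker "msrdp#v3.2.4", assumed to be a mutex; its namespace is not stated, so both are tried.
foreach ($name in 'msrdp#v3.2.4', 'Global\msrdp#v3.2.4') {
    try { ([System.Threading.Mutex]::OpenExisting($name)).Dispose(); $findings += "Mutex present: $name" }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { }   # absent: nothing to report
    catch { $findings += "Mutex $name exists but is not accessible ($($_.Exception.GetType().Name))" }
}
# Persistence: the service key and the encrypted-settings key named on the page.
foreach ($key in 'HKLM:\SYSTEM\CurrentControlSet\Services\Network Adapter Events',
                 'HKLM:\SOFTWARE\Microsoft\TermServMonitor') {
    if (Test-Path $key) { $findings += "Registry key present: $key" }
}
# Hidden accounts: every UserList value set to 0 is reported, not only TermUser.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    foreach ($p in (Get-ItemProperty $userList).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -eq '0') { $findings += "Account hidden from Welcome screen: $($p.Name)" }
    }
}
# The TermUser account and its membership in the two groups the trojan adds it to.
if (Get-LocalUser -Name 'TermUser' -ErrorAction SilentlyContinue) {
    $groups = foreach ($g in 'Administrators', 'Remote Desktop Users') {
        if (Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | Where-Object { $_.Name -like '*\TermUser' }) { $g }
    }
    $findings += "Local account TermUser exists (member of: $($groups -join ', '))"
}
# Dropped copy ms<rnd>.exe: many legitimate tools in the system directory also start with "ms"
# (mstsc.exe, msiexec.exe, ...), so only a hash or size match is reported there; in Temp any hit is.
foreach ($f in Get-ChildItem ($sysDirs | ForEach-Object { "$_\ms*.exe" }) -File -ErrorAction SilentlyContinue) {
    if ((Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash -eq $knownMd5) { $findings += "Known sample: $($f.FullName)" }
    elseif ($f.Length -eq 57480) { $findings += "Same size as the sample (57,480 bytes), verify: $($f.FullName)" }
}
Get-ChildItem "$env:TEMP\ms*.exe", "$env:TEMP\win*.tmp" -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Dropped-file pattern in Temp, verify: $($_.FullName)" }
# Staging directory for files copied from removable drives, one subdirectory per volume serial number.
foreach ($d in Get-ChildItem ($sysDirs | ForEach-Object { "$_\storage" }) -Directory -ErrorAction SilentlyContinue) {
    $n = (Get-ChildItem $d.FullName -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
    $findings += "Staged removable-drive files: $($d.FullName) (volume serial $($d.Name), $n files)"
}
if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this description were found.' }
```

The %Temp% checks use the current user's temporary directory as the description does; a copy run as a service may instead use the system profile's Temp directory, so check that one too during a full review.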
