
Trojan.VB.Yusa.A

LOW
LOW
172,032 bytes
(Trojan.Win32.VB.ZU, Troj/Yusufali-A, TROJ_CAGER.A)

Symptoms

- Various images displayed (see below)

- Registry Editor is minimized to taskbar

- Presence of the following registry entries:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"LoadService"="Virus"]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"RavTimeX"="Virus"]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"System4224411"="Virus"]


Removal instructions:


- automatic removal: let BitDefender delete/disinfect files found infected.
- manual removal: terminate the process "Yahosin" and delete the file.

Analyzed By

Patrik Vicol, Bitdefender Virus Researcher

Technical Description:

This trojan may arrive on the infected computer:

- downloaded from internet
- dropped by malware

It is compiled in Visual Basic 6 and will run on almost all Windows platforms up to Windows XP.

Once run, it creates the registry keys mentioned in Symptoms.
However, this is pointless: the Run entries do not point to a valid file, so the virus will only be run one time, due to a bug in the code.
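The persistence defect described above (Run entries whose data is the literal string "Virus" rather than a path) is easy to check for. The following is an added example, not Bitdefender's own tooling: it parses Run-key entries written in the same `[key\"name"="data"]` notation the Symptoms section uses and flags any entry whose value name is on the page's list or whose data is not a file path at all. The sample entries are constructed; the "ExampleUpdater" line is an invented benign control, and the path-likeness test is a syntactic heuristic chosen for this example.

```python
"""Audit exported Run-key entries for the persistence pattern on this page."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Value names taken from the Symptoms section of the page.
KNOWN_NAMES = frozenset({"LoadService", "RavTimeX", "System4224411"})

# Constructed sample in the page's own  [key\"name"="data"]  notation.
# The last line is an invented benign entry used as a control.
SAMPLE_ENTRIES = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"LoadService"="Virus"]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"RavTimeX"="Virus"]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"System4224411"="Virus"]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"ExampleUpdater"="C:\Program Files\Example\updater.exe"]
"""

# One entry per line: [<key>\"<name>"="<data>"]
ENTRY_RE = re.compile(r'^\[(?P<key>.+?)\\"(?P<name>[^"]+)"="(?P<data>[^"]*)"\]$')

# Heuristic (an assumption of this example): legitimate Run data starts with a
# drive letter, a UNC prefix, or an environment variable, optionally quoted.
PATH_LIKE_RE = re.compile(r'^(?:"?[A-Za-z]:\\|"?\\\\|%[A-Za-z_]+%)')


def parse_entries(text):
    """Return a list of {'key', 'name', 'data'} dicts, skipping unparseable lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append(match.groupdict())
    return entries


def data_is_path_like(data):
    """True if the value data looks like something Windows could launch."""
    return bool(PATH_LIKE_RE.match(data.strip()))


def audit_run_entries(text):
    """Flag Run entries that match the page's IoCs or cannot launch a file."""
    findings = []
    for entry in parse_entries(text):
        if entry["key"].lower() != RUN_KEY.lower():
            continue
        reasons = []
        if entry["name"] in KNOWN_NAMES:
            reasons.append("value name listed in the Symptoms section")
        if not data_is_path_like(entry["data"]):
            reasons.append("data is not a file path, so the entry launches nothing")
        if reasons:
            findings.append({"name": entry["name"],
                             "data": entry["data"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(SAMPLE_ENTRIES):
        print(f'{finding["name"]!r} = {finding["data"]!r}: '
              + "; ".join(finding["reasons"]))
```

Run against the sample, the three entries from the page are reported (each for both reasons) and the control entry is not. On a live system the same logic can be applied to the output of a registry export of that key; the syntactic check is deliberately conservative and should be paired with an existence check on the resolved path.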

It remains resident and monitors user activity, running as the process "Yahosin" as seen in Windows Task Manager:

[Image YSA0: Task Manager process listing]

and performs the following event-triggered actions:

- if the current window contains (case sensitive)
    Registry Editor
the window will be automatically minimised in a few seconds. Thus, Windows Registry Editor is directly affected by this behaviour.

- if the current window (of any application) contains any of the words (case sensitive):
    xx
    sex
    teen
    Phallus
    jeggar
    Priapus
    Phallic
    Penis
    Exhibitionism
it will be minimised in a few seconds, and two images will be displayed.
First, this image:

[Image YSA1]

and if [Next] is clicked or after a few seconds, the second image:

[Image YSA2]


After several runs (the "T=" counter shows how many times it has run), it will display:

[Image YSA3]

And if the mouse moves over that box, the next window is displayed:

[Image YSA4]


not allowing the mouse to move outside the displayed box.

If any of the buttons is clicked, a log off will be performed.

However, the keyboard is still active, and the virus can be terminated in Windows Task Manager.