Symptoms
- Various images displayed (see below)
- Registry Editor is minimized to the taskbar
- Presence of the following registry entries:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"LoadService"="Virus"]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"RavTimeX"="Virus"]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"System4224411"="Virus"]
Removal instructions:
- automatic removal: let BitDefender delete/disinfect files found infected.
- manual removal: terminate the process "Yahosin" and delete the file.
Analyzed By
Patrik Vicol, Bitdefender Virus Researcher
Technical Description:
This trojan may arrive on the infected computer:
- downloaded from the Internet
- dropped by other malware
It is compiled in Visual Basic 6 and runs on almost all Windows platforms up to Windows XP.
Once run, it creates the registry entries listed under Symptoms.
However, these entries are ineffective: they do not point to a valid file, so, due to a bug in the code, the virus is only run once.
It remains resident as the process "Yahosin" (visible in Windows Task Manager) and monitors user activity, performing the following event-triggered actions:
- if the current window contains (case sensitive)
the window is automatically minimised within a few seconds. Windows Registry Editor is directly affected by this behaviour.
- if the current window (of any application) contains any of the following words (case sensitive):
xx
sex
teen
Phallus
jeggar
Priapus
Phallic
Penis
Exhibitionism
it is minimised within a few seconds and two images are displayed.
First, one image is shown; if [Next] is clicked, or after a few seconds, the second image is shown.
After several runs (the "T=" counter shows how many times it has run), it displays a message box.
If the mouse moves over that box, another window is displayed that does not allow the mouse to move outside the box.
If any of the buttons is clicked, a log off is performed.
However, the keyboard is still active, and the virus can be terminated in Windows Task Manager.
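As an added example (not part of the Bitdefender write-up), the following PowerShell script checks a host for the indicators named above: the three Run values listed under Symptoms and a running "Yahosin" process. It is read-only and assumes the Run values live under HKLM exactly as listed; it reports what it finds so an analyst can carry out the manual removal step (terminate the process, delete the file) with the path in hand, rather than deleting anything itself.

```powershell
# Added example, not code from the original write-up. Read-only triage check
# for the indicators described on this page; it reports and removes nothing.

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
# Run value names taken from the Symptoms section of this description
$suspectValues  = @('LoadService', 'RavTimeX', 'System4224411')
# Process name taken from the Technical Description
$suspectProcess = 'Yahosin'

$findings = @()

# 1. Look for the Run values. The write-up notes their data ("Virus") is not a
#    valid file, so record the data verbatim rather than trying to resolve it.
if (Test-Path -Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $suspectValues) {
        $prop = $run.PSObject.Properties[$name]
        if ($null -ne $prop) {
            $findings += [pscustomobject]@{
                Type = 'RegistryRun'
                Name = "$runKey\$name"
                Data = $prop.Value
            }
        }
    }
}

# 2. Look for the resident process. Path may be unavailable without admin
#    rights, so failure to read it is tolerated and reported as unknown.
$procs = Get-Process -Name $suspectProcess -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $path = $null
    try { $path = $p.Path } catch { $path = '<path not accessible>' }
    $findings += [pscustomobject]@{
        Type = 'Process'
        Name = $p.ProcessName
        Data = "PID $($p.Id) $path"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the process path can be read; the registry check works without elevation because HKLM\...\Run is readable by standard users. Because the Run entries do not reference an existing file, finding them confirms past execution, while a live "Yahosin" process is what the manual removal step acts on.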