- Various images displayed (see below)
- Registry Editor is minimized to taskbar
- Presence of the following registry keys or entries:
- automatic removal: let BitDefender delete/disinfect files found infected.
- manual removal: terminate the process "Yahosin" and delete the file.
Patrik Vicol, Bitdefender Virus Researcher
This trojan may arrive on the infected computer:
- downloaded from internet
- dropped by malware
It is compiled in Visual Basic 6 and will run on almost all Windows platforms up to Windows XP.
Once run, it creates the registry keys mentioned in Symptoms.
However, this is pointless, since they do not point to a valid file; thus, due to a bug in the code, the virus will only run one time.
It remains resident and monitors user activity as the process "Yahosin", as seen in Windows Task Manager:
It runs event-triggered tasks such as:
- if the current window contains (case sensitive)
the window will be automatically minimised in a few seconds. Thus, Windows Registry Editor is directly affected by this behaviour.
- if the current window (of any application) contains any of the words (case sensitive):
it will be minimised in a few seconds, and will display two images.
First, this image:
and if [Next] is clicked or after a few seconds, the second image:
After several runs ("T=" counts times run), it will display:
And if the mouse moves over that box, the following window is displayed:
not allowing the mouse to move outside the displayed box.
If any of the buttons is clicked, a log off will be performed.
However, the keyboard is still active, and the virus can be terminated in Windows Task Manager.