Threat behavior
Worm:Win32/YahLover.J is a worm that spreads by copying itself to logical drives.
Installation
When executed, Worm:Win32/YahLover.J copies itself as a hidden file to the Windows directory using a filename that differs according to minor variant. Some examples of known file names used by the worm include the following:
It makes the following registry modification to run this copy as the system boots:
Adds value: "Userinit"
With data: "userinit.exe,<Win32/YahLover file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It displays a message box with the title "Gotcha!!!!" as in the following example:
Worm:Win32/YahLover.J also creates a batch file, system.bat, in the Windows directory. This batch file restarts the affected computer after 50 minutes have elapsed.
Spreads via…
Logical drives
Worm:Win32/YahLover.J enumerates all drives on the affected system and copies itself, using a variable filename, to the root of every writable drive. It also writes an autorun configuration file named 'autorun.inf' pointing to these copies. When the removable or networked drive is accessed from another machine that supports the Autorun feature, Worm:Win32/YahLover.J is launched automatically.
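The autorun.inf dropped on each drive is what turns a file copy into execution on the next machine. The following parser, an added example and not Microsoft's or the worm's code, reads an autorun.inf and lists every entry that would cause a program to run. The sample file and the executable name worm_copy.exe are constructed for illustration; the worm's real filename varies.

```python
"""Parse an autorun.inf and list the executables Autorun would launch.

Added example, not Microsoft's code. The sample file below is constructed;
the executable name worm_copy.exe is hypothetical, since the worm uses a
variable filename.
"""
from __future__ import annotations

# Keys in [autorun] that name a program to execute.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [autorun] section with lower-cased keys.

    autorun.inf is INI-style: bracketed sections, key=value lines, ';' comments.
    Section and key names are case-insensitive on Windows, so normalise both.
    """
    entries: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text: str) -> list[tuple[str, str]]:
    """Return (key, program) pairs that make Windows run a program for this drive.

    'open' and 'shellexecute' run the program on Autorun. 'shell\\<verb>\\command'
    overrides the drive's Explorer context-menu verbs (Open, Explore), so on older
    Windows releases the program also ran when the drive was double-clicked in
    Explorer, regardless of the Autorun setting.
    """
    targets = []
    for key, value in parse_autorun_inf(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


# Constructed sample modelled on the behaviour described above (not a real capture).
SAMPLE_AUTORUN_INF = """\
; constructed sample
[autorun]
open=worm_copy.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=worm_copy.exe
shell\\open\\command=worm_copy.exe
shell\\explore\\command=worm_copy.exe
shell=open
"""

if __name__ == "__main__":
    for key, program in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {program}")
```

Run it over the autorun.inf found in the root of a suspect drive; any non-empty result means inserting that drive into an Autorun-enabled machine executes the named file. The icon entry is deliberately left out of the findings, since it cannot run code, and an autorun.inf that sets only an icon is normal for vendor-branded USB sticks.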
Payload
Modifies system settings
Worm:Win32/YahLover.J makes the following modifications to the affected computer's registry. The three Explorer settings hide file extensions, hidden files and protected operating system files, which conceals the worm's hidden copies from the user:
Adds value: "HideFileExt"
With data: 1
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "Hidden"
With data: 2
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "ShowSupperHidden"
With data: 0
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "autorun"
With data: "%windir%\system.bat"
To subkey: HKCU\Software\Microsoft\Command Processor
The Command Processor AutoRun value is executed by cmd.exe every time a command prompt is started, so opening a console on the affected computer launches system.bat and schedules the restart described above.
Adds value: ""
With data: maskrider2001@yahoo.com
To subkey: HKCU\Software\BLACKSUN
Analysis by Marian Radu
Prevention