W32.Yahack.A

W32.Yahack.A propagates via unsecured mapped drives on computer networks. W32.Yahack.A steals sensitive information by logging keystrokes, gathers system information, and harvests Yahoo! Messenger passwords. It stores the gathered data in LogBoy.log in the Windows directory and later sends it to a predefined e-mail address.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Remove W32.Yahack.A with System Restore:

If a virus has infected the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before the infection with W32.Yahack.A, restore Windows to that earlier configuration.

Manual Removal of W32.Yahack.A:

1. Update installed anti-virus application to have the latest definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.

3. Thoroughly scan the system and clean/delete all infected file(s).
4. Delete/Modify any values added to the registry if present.
- Click Start, then search for or run regedit.exe to open Registry Editor.


5. Exit registry editor and restart Windows.

Other Useful Tools:

Online Virus Scanner:
It is best to scan the computer using a free online virus scanner. It can be used without installing an additional antivirus application.

Technical Details and Additional Information:

Additional payload of W32.Yahack.A:
- This worm records keystrokes and mouse clicks on the compromised computer.
- It drops an additional threat (a Trojan horse) at %SystemDrive%\a1.exe.

Malicious Files Added:
%CurrentFolder%\autorun.inf
%System%\UpDateWinc.exe
%System%\UpDateWind.exe
%SystemDrive%\a1.exe
%SystemDrive%\tem.exe
%SystemDrive%\temp1.bat

W32.Yahack.A Associated Windows Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"run" = "%System%\UpDateWinc.exe"
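As an added example that is not part of the original advisory, the following read-only PowerShell triage script checks a host for the dropped files, the LogBoy.log keystroke log and the registry "run" value listed above, and for autorun.inf in the root of each drive the session can see. It assumes %System% is %SystemRoot%\System32 and that the Windows directory is %SystemRoot%; it reports findings and deletes nothing.

```powershell
# Added triage example for the W32.Yahack.A artifacts in this advisory (not the
# advisory's own code). Run in an elevated PowerShell session on the suspect host.
# Assumption: %System% = $env:SystemRoot\System32, Windows directory = $env:SystemRoot.
$system      = Join-Path $env:SystemRoot 'System32'
$systemDrive = $env:SystemDrive

# Dropped files named in the advisory, plus the keystroke log it writes.
$suspectFiles = @(
    (Join-Path $system 'UpDateWinc.exe'),
    (Join-Path $system 'UpDateWind.exe'),
    (Join-Path $systemDrive 'a1.exe'),
    (Join-Path $systemDrive 'tem.exe'),
    (Join-Path $systemDrive 'temp1.bat'),
    (Join-Path $env:SystemRoot 'LogBoy.log')
)

$findings = @()
foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Type = 'File'; Location = $path
            Detail = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

# Persistence: the "run" value under Windows NT\CurrentVersion\Windows is the
# registry mapping of the legacy win.ini run= line and is still honoured at logon.
$runKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$runValue = (Get-ItemProperty -Path $runKey -Name 'run' -ErrorAction SilentlyContinue).run
if ($runValue) {
    $findings += [pscustomobject]@{
        Type = 'Registry'; Location = "$runKey\run"; Detail = $runValue
    }
}

# Propagation marker: autorun.inf in the root of every visible (incl. mapped) drive.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $autorun = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings += [pscustomobject]@{
            Type = 'Autorun'; Location = $autorun
            Detail = (Get-Content -LiteralPath $autorun -TotalCount 5) -join ' | '
        }
    }
}
if ($findings) { $findings | Format-Table -AutoSize } else { 'No W32.Yahack.A artifacts found.' }
```

A hit on the registry value or on autorun.inf on a mapped drive is the quickest sign that cleanup also needs to cover the other hosts sharing that drive.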
