W32.Yalove.F is a computer worm that typically spreads via the Yahoo! Instant Messenger program. It copies itself to all hard drives and removable drives it finds on the infected computer. This worm may also connect to a remote location to download more threats. It can disable certain Windows system tools and security programs. The damage it causes can lead to the failure of some programs.
Alias: W32/Shahrokh-A, Worm.Win32.AutoRun.dpc, Win32/AutoRun.MC
Damage Level: Low
Systems Affected: Windows 9x, 2000, XP, Windows Vista
On first execution, W32.Yalove.F drops a couple of executable files inside the Windows System folder. It also infects all drives by placing “auto.exe” and “autorun.inf” on them, which allows the worm to run when a user accesses the drive. To strengthen its hold on the system, the worm adds entries to the system registry and modifies existing settings. These changes allow the threat to run each time Windows starts. Additional registry entries placed on the system perform the following actions:
- Redirect Internet browser to myebuddy.com
- Disable task manager and folder options
- Set a different homepage for the affected browser
- End processes that are included in its block list
This worm occasionally connects to various URLs and tries to update itself by downloading files from those locations. It may also weaken the security of the infected computer by ending any processes that belong to anti-virus programs.
W32.Yalove.F spreads via the Yahoo! Instant Messaging application. It gathers contact details on the compromised PC and uses this information to mass-send a message containing malicious links that point to a site where visitors may be infected with the worm.
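The drive infection described above leaves an “autorun.inf” next to “auto.exe” in the root of each drive. The following triage check is an added example, not part of the original write-up: it reads a drive root's autorun.inf and reports which executables it launches that are also present in that root. The function names and the sample autorun.inf content are assumptions made for illustration; the page gives only the two file names.

```python
import os
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXECUTABLE = re.compile(r'[^\s"\\/]+\.(?:exe|com|scr|pif|bat|cmd|vbs)\b', re.I)


def launch_targets(inf_text):
    """Return executable file names that an autorun.inf asks Windows to run."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment (often used as padding)
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun]")
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            if LAUNCH_KEY.match(key.strip()):
                targets += [m.lower() for m in EXECUTABLE.findall(value)]
    return targets


def check_drive_root(root):
    """Report launch targets of root/autorun.inf that exist in that root."""
    present = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" not in present:
        return []
    path = os.path.join(root, present["autorun.inf"])
    with open(path, "r", errors="replace") as fh:
        wanted = launch_targets(fh.read())
    return sorted({present[t] for t in wanted if t in present})


# Constructed sample, not taken from a real W32.Yalove.F infection.
SAMPLE_INF = """\
; padding
[AutoRun]
open=auto.exe
shell\\open\\Command=auto.exe
shellexecute="auto.exe" /s
icon=folder.ico
"""

if __name__ == "__main__":
    print(launch_targets(SAMPLE_INF))
```

A non-empty result from check_drive_root on a hard-disk root is worth investigating, since legitimate autorun.inf files are normally found only on installation media.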