Yanker is a very dangerous multicomponent worm-virus that spreads via the internet as a RAR archive attached to infected emails.
Infected emails contain:
Subject: Hi,my new webpage ;o)
E-mail body: Hi: Here is my new webpage.Please check it,and give Me some Advice.
Attachment name: webpage.rar
The RAR archive contains the file webpage.htm and a subfolder named images where the main components of the virus are stored:
folder.htt (controls MS Explorer file and folder display settings; attributes: system/hidden)
main_59.exe (dropper file, written in Delphi, packed with UPX (57KB); attributes: system/hidden)
main_60.exe (PSW.PassDumper, packed with UPX (20KB); attributes: system/hidden)
The images folder also contains several harmless files in various formats, such as gif, css and more. These files are components of a webpage.
After the infected RAR file is unpacked, the Yanker worm can gain control of a user's system in two ways: when the webpage.htm file is opened, or when the images folder is viewed using MS Explorer.
In both cases the worm uses the same CodeBaseExec exploit, appended to the end of these files, to launch itself. The main_59.exe program then runs without the victim noticing anything.
The main_59.exe program determines the current IP address of the infected computer and stores it in a text file (ip.txt). It then extracts and launches the worm's main component, yankee.vbs, a 4KB file written in Visual Basic Script. At the same time, the worm checks the system registry for the following key string:
If this string already exists, the worm ceases all activities.
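As an added triage example (not part of the original description), the script below checks an unpacked attachment tree for the exact file layout the worm ships in, and reports which components carry the hidden+system attributes on Windows. The sample tree it builds is constructed here for illustration; the file names come from the description above.

```python
"""Triage an unpacked Yanker attachment tree.  Added example, not the
original page's code.  Attribute checks need Windows (st_file_attributes)
and are skipped elsewhere."""
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Components named in the description, relative to the archive root.
DROPPED_COMPONENTS = {
    "webpage.htm",
    "images/folder.htt",
    "images/main_59.exe",
    "images/main_60.exe",
}
HIDDEN_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0) | getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0)


def _is_hidden_system(path: Path) -> Optional[bool]:
    """True if the file has both hidden and system set; None off Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM


def triage_extracted_archive(root: str) -> Dict[str, object]:
    """Walk the unpacked tree and compare it with the worm's known layout."""
    root_path = Path(root)
    present = set()
    for p in root_path.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root_path).as_posix().lower()
            if rel in DROPPED_COMPONENTS:
                present.add(rel)
    # Only the three files under images/ are documented as hidden/system.
    hidden = {c for c in present if c.startswith("images/") and _is_hidden_system(root_path / c)}
    if present == DROPPED_COMPONENTS:
        verdict = "match"          # full dropper set: treat as Yanker
    elif present:
        verdict = "partial"        # some components: inspect manually
    else:
        verdict = "clean"
    return {"components": sorted(present), "hidden_system": sorted(hidden), "verdict": verdict}


def build_constructed_sample(benign_only: bool = False) -> str:
    """Constructed sample tree: benign webpage files, plus the worm set unless benign_only."""
    root = Path(tempfile.mkdtemp(prefix="yanker_sample_"))
    names = ["images/logo.gif", "images/style.css"]
    if not benign_only:
        names += sorted(DROPPED_COMPONENTS)
    for name in names:
        target = root / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"")  # empty placeholders; contents are not inspected
    return str(root)
```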
The yankee.vbs script does the following: