Email-Worm.Win32.Yanker

Class Email-Worm
Platform Win32
Description

Technical Details

Yanker is a very dangerous multicomponent worm-virus that spreads via the Internet as a RAR archive attached to infected emails.

Infected emails contain:

 Subject: Hi,my new webpage ;o) 
 E-mail body: Hi: 
 Here is my new webpage.Please check it,and give Me some Advice. 
 Attachment name: webpage.rar 
 

The RAR archive contains the file webpage.htm and a subfolder named images where the main components of this virus are stored:

folder.htt (controls MS Explorer file and folder display settings; attributes: system/hidden) 
main_59.exe (dropper file, written in Delphi, packed with UPX, 57KB; attributes: system/hidden) 
main_60.exe (PSW.PassDumper, packed with UPX, 20KB; attributes: system/hidden) 

The images folder also contains several harmless files in various formats, such as gif, css and more. These files are components of a webpage.

Installing, Spreading, Payload

After the infected RAR file is unarchived, the Yanker worm can gain control of a user's system in two ways: when the webpage.htm file is opened, or when the images folder is viewed using MS Explorer.

In both cases the Yanker worm uses the same CodeBaseExec exploit, appended to the end of these files, to launch itself. The program main_59.exe then runs without the victim noticing anything.

The main_59.exe program determines the current IP address of the infected computer and stores it in a text file (ip.txt). It then extracts and launches the worm's main component, yankee.vbs, a 4KB file written in Visual Basic Script. At the same time, the worm checks the system registry for the following key string:

 HKCU\SOFTWARE\yankee 
 yankee=1 

If this string already exists, the worm ceases all activities.

The yankee.vbs script does the following:

  • Sends the ip.txt file with the infected computer’s IP address and all passwords found in the system (using PassDumper) to the following e-mail address:
      xdvirus@peoplemail.com.cn 
     
  • Sends its “webpage.RAR” archive to all the addresses found in the MS Outlook address book.
  • Writes the following key string into the Windows System Registry:
     HKCU\SOFTWARE\yankee 
     yankee=1 
  • Deletes all accessible non-system folders on hard and removable drives.
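The indicators given in this description (the email subject and attachment name, the layout of the RAR archive, and the HKCU\SOFTWARE\yankee infection marker) can be turned into a small triage script. The following is an added example for defenders, not code from the original entry or from the worm itself: it checks a raw email message for the Yanker subject and webpage.rar attachment, inspects an archive member listing (as you would get from `unrar l` or `rarfile.namelist()`) both for the exact Yanker file set and for the more general pattern of a folder.htt sitting next to an executable, and scans a .reg text export for the yankee=1 marker. The sample mail, listing and registry export are constructed here; the value type of the marker is not stated on the page, so both a string "1" and a DWORD 1 are accepted (an assumption).

```python
import email
import re
from email import policy
from pathlib import PurePosixPath

# Indicators as named in the description above.
YANKER_SUBJECT = "Hi,my new webpage ;o)"
YANKER_ATTACHMENT = "webpage.rar"
YANKER_MEMBERS = {"webpage.htm", "images/folder.htt",
                  "images/main_59.exe", "images/main_60.exe"}
YANKER_REG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\yankee"   # HKCU\SOFTWARE\yankee
YANKER_REG_VALUE = "yankee"
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def check_message(raw: str) -> dict:
    """Return which mail-level indicators a raw RFC 5322 message matches."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = set()
    if msg.get("Subject", "").strip() == YANKER_SUBJECT:
        hits.add("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == YANKER_ATTACHMENT:
            hits.add("attachment")
    return {"hits": sorted(hits), "suspicious": "attachment" in hits}


def check_archive_listing(members) -> dict:
    """Exact Yanker layout match plus the generic folder.htt-beside-an-exe pattern."""
    norm = {m.replace("\\", "/").lower() for m in members}
    exact = sorted(norm & YANKER_MEMBERS)
    htt_dirs = {str(PurePosixPath(m).parent) for m in norm
                if PurePosixPath(m).name == "folder.htt"}
    exe_dirs = {str(PurePosixPath(m).parent) for m in norm
                if PurePosixPath(m).suffix in EXECUTABLE_SUFFIXES}
    generic = sorted(htt_dirs & exe_dirs)   # folders where Explorer could auto-launch
    return {"exact_matches": exact, "htt_with_executable": generic,
            "suspicious": bool(generic) or len(exact) >= 2}


_REG_KEY_RE = re.compile(r"^\[(.+)\]$")
_REG_VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))$')


def registry_marker_present(reg_export: str) -> bool:
    """Scan a .reg text export for the yankee=1 infection marker (string or DWORD 1)."""
    current = None
    for line in (l.strip() for l in reg_export.splitlines()):
        key = _REG_KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        if current != YANKER_REG_KEY.lower():
            continue
        val = _REG_VALUE_RE.match(line)
        if val and val.group(1).lower() == YANKER_REG_VALUE:
            if val.group(2) == "1" or (val.group(3) and int(val.group(3), 16) == 1):
                return True
    return False


# Constructed samples (not real captures).
SAMPLE_MAIL = """\
From: someone@example.invalid
To: you@example.invalid
Subject: Hi,my new webpage ;o)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi:
Here is my new webpage.Please check it,and give Me some Advice.
--b1
Content-Type: application/octet-stream; name="webpage.rar"
Content-Disposition: attachment; filename="webpage.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b1--
"""
SAMPLE_LISTING = ["webpage.htm", "images\\folder.htt", "images\\main_59.exe",
                  "images\\main_60.exe", "images\\logo.gif", "images\\style.css"]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\yankee]
"yankee"="1"
"""
CLEAN_REG = r"""[HKEY_CURRENT_USER\SOFTWARE\other]
"yankee"="1"
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MAIL))
    print(check_archive_listing(SAMPLE_LISTING))
    print(registry_marker_present(SAMPLE_REG), registry_marker_present(CLEAN_REG))
```

The archive check deliberately flags any folder that pairs folder.htt with an executable, not only the Yanker names, because that pairing is the part of the layout that makes simply browsing the folder in Explorer dangerous; the exact-name match is what confirms this particular family.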