Win32/Yeltminky is a family of worms that spreads by making copies of itself on all available drives and creating an autorun.inf file to execute that copy.
Installation
When executed the malware makes a copy of itself in one of the following locations:
- %USERPROFILE%\<file name>.exe
- %windir%\fonts\<file name>.fon
It may also copy itself to a secondary location.
The file name used, and the secondary location it copies itself to, is supplied as part of configuration data stored in the malware file, for example:
- %USERPROFILE%\auto.exe
- %ProgramFiles%\common files\auto.exe
The malware also drops a DLL component to one of the following locations:
- %USERPROFILE%\<random file name>.drv
- %USERPROFILE%\<random file name>.fon
The file name is randomly generated and the file extension may vary, for example:
- %USERPROFILE%\jmfxs.drv
- %windir%\fonts\evngj.fon
The DLL component may then drop a driver component with a random name in one of the following locations:
- %USERPROFILE%\<random file name>
- %windir%\fonts\<random file name>.fon
Once the driver is loaded, the file is deleted.
The worm modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "auto"
With data: "%ProgramFiles%\common files\auto.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Sets value: "SysAnti"
With data: "%ProgramFiles%\common files\sysanti.exe"
The malware can also contact a remote host to provide notification of a successful infection. The host URL is provided in the configuration data.
Spreads via...
Networked and removable drives
The malware checks for all drives available from A: to Z:, and if found, it makes a copy of itself in the root directory of the drive and creates a corresponding autorun.inf file to ensure its execution.
The file name the malware uses to copy itself to is provided in configuration data stored in the malware, for example:
- <Drive>:\sysanti.exe
- <Drive>:\autorun.inf
Payload
Downloads and executes arbitrary files
The malware connects to a remote host, where it obtains a list of files to download and execute.
It then proceeds to download and execute each file. The downloaded files are written to the %Temp% directory.
Terminates processes
The malware carries a list of processes which it terminates if found executing on the infected computer. It does this by dropping the DLL component which is injected into a newly created "svchost.exe" process (the DLL component in turn drops and installs the driver).
The following is a non-exhaustive list of processes that are targeted:
- 360deepscan
- 360hotfix
- 360rp
- 360rpt
- 360Safe
- 360safebox
- 360sd
- 360tray
- adam
- AgentSvr
- AntiArp
- AppSvc32
- arvmon
- AutoGuarder
- autoruns
- avgrssvc
- AvMonitor
- avp
- avp.com
- CCenter
- ccSvcHst
- DSMain
- egui
- ekrn
- FileDsty
- findt2005
- FTCleanerShell
- HijackThis
- IceSword
- iparmo
- Iparmor
- IsHelp
- isPwdSvc
- kabaload
- KaScrScn.SCR
- KASMain
- KASTask
- KAV32
- KAVDX
- KAVPFW
- KAVSetup
- KAVStart
- killhidepid
- KISLnchr
- kissvc
- KMailMon
- KMFilter
- KPFW32
- KPFW32X
- KPFWSvc
- KRepair.COM
- krnl360svc
- KsLoader
- kswebshield
- KVCenter.kxp
- KvDetect
- kvfw
- KvfwMcl
- KVMonXP.kxp
- KVMonXP_1.kxp
- kvol
- kvolself
- KvReport.kxp
- KVScan.kxp
- KVSrvXP
- KVStub.kxp
- kvupload
- kvwsc
- KvXP.kxp
- KvXP_1.kxp
- KWatch
- KWatch9x
- KWatchX
- LiveUpdate360
- loaddll
- MagicSet
- mcconsol
- mmqczj
- mmsk
- NAVSetup
- nod32krn
- nod32kui
- PFW
- PFWLiveUpdate
- QHSET
- Ras
- Rav
- RavCopy
- RavMon
- RavMonD
- RavStore
- RavStub
- ravt08
- RavTask
- RegClean
- RegEx
- rfwcfg
- RfwMain
- rfwolusr
- rfwProxy
- rfwsrv
- RsAgent
- Rsaupd
- RsMain
- rsnetsvr
- RSTray
- runiep
- safebank
- safeboxTray
- safelive
- scan32
- ScanFrm
- shcfg32
- smartassistant
- SmartUp
- SREng
- SREngPS
- SuperKiller
- symlcsvc
- syscheck
- Syscheck2
- SysSafe
- ToolsUp
- TrojanDetector
- Trojanwall
- TrojDie.kxp
- UIHost
- UmxAgent
- UmxAttachment
- UmxCfg
- UmxFwHlp
- UmxPol
- UpLive
- WoptiClean
- ZhuDongFangYu
- zxsweep
The malware also checks for the following substrings in a process in order to terminate it:
- AutoRun
- IceSword
- NOD32
- SysCheck
- 冰刃
- 杀软
- 诺顿
- 卡巴
- 毒霸
- 江民
- 清道夫
- 瑞星
- 木马
- 病毒
- 杀毒
- 绿鹰
- 专杀
- 组策略
- 防火墙
- 安全卫士
- 清理专
- 云安全
Modifies system settings
The malware creates the following registry entry:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
and uses it to prevent the execution of the following files:
- 360hotfix.exe
- 360rpt.exe
- 360Safe.exe
- 360safebox.exe
- 360tray.exe
- adam.exe
- AgentSvr.exe
- AntiArp.exe
- AppSvc32.exe
- arvmon.exe
- AutoGuarder.exe
- autoruns.exe
- avgrssvc.exe
- AvMonitor.exe
- avp.com
- avp.exe
- CCenter.exe
- ccSvcHst.exe
- FileDsty.exe
- findt2005.exe
- FTCleanerShell.exe
- HijackThis.exe
- IceSword.exe
- iparmo.exe
- Iparmor.exe
- IsHelp.exe
- isPwdSvc.exe
- kabaload.exe
- KaScrScn.SCR
- KASMain.exe
- KASTask.exe
- KAV32.exe
- KAVDX.exe
- KAVPFW.exe
- KAVSetup.exe
- KAVStart.exe
- killhidepid.exe
- KISLnchr.exe
- KMailMon.exe
- KMFilter.exe
- KPFW32.exe
- KPFW32X.exe
- KPFWSvc.exe
- KRepair.COM
- KsLoader.exe
- KVCenter.kxp
- KvDetect.exe
- kvfw.exe
- KvfwMcl.exe
- KVMonXP.kxp
- KVMonXP_1.kxp
- kvol.exe
- kvolself.exe
- KvReport.kxp
- KVScan.kxp
- KVSrvXP.exe
- KVStub.kxp
- kvupload.exe
- kvwsc.exe
- KvXP.kxp
- KvXP_1.kxp
- KWatch.exe
- KWatch9x.exe
- KWatchX.exe
- LiveUpdate360.exe
- loaddll.exe
- MagicSet.exe
- mcconsol.exe
- mmqczj.exe
- mmsk.exe
- NAVSetup.exe
- nod32krn.exe
- nod32kui.exe
- PFW.exe
- PFWLiveUpdate.exe
- QHSET.exe
- Ras.exe
- Rav.exe
- RavCopy.exe
- RavMon.exe
- RavMonD.exe
- RavStore.exe
- RavStub.exe
- ravt08.exe
- RavTask.exe
- RegClean.exe
- RegEx.exe
- rfwcfg.exe
- RfwMain.exe
- rfwolusr.exe
- rfwProxy.exe
- rfwsrv.exe
- RsAgent.exe
- Rsaupd.exe
- RsMain.exe
- rsnetsvr.exe
- RSTray.exe
- runiep.exe
- safebank.exe
- safeboxTray.exe
- safelive.exe
- scan32.exe
- ScanFrm.exe
- shcfg32.exe
- smartassistant.exe
- SmartUp.exe
- SREng.exe
- SREngPS.exe
- symlcsvc.exe
- syscheck.exe
- Syscheck2.exe
- SysSafe.exe
- ToolsUp.exe
- TrojanDetector.exe
- Trojanwall.exe
- TrojDie.kxp
- UIHost.exe
- UmxAgent.exe
- UmxAttachment.exe
- UmxCfg.exe
- UmxFwHlp.exe
- UmxPol.exe
- UpLive.exe
- WoptiClean.exe
- zxsweep.exe
Note: This list is not exhuastive.
Modifies Hosts file
The malware modifies the Hosts file in an attempt to prevent the affected user from accessing certain antivirus websites.
The list of sites it blocks access to is carried by the malware, or obtained from a remote host, which is specified in the configuration data carried by the malware.
Below are some examples of the websites it attempts to block access to:
- 360.cn
- 360.qihoo.com
- 360safe.cn
- 360safe.com
- bbs.kafan.cn
- bbs.sucop.com
- chinakv.com
- cnnod32.cn
- dl.jiangmin.com
- dswlab.com
- duba.net
- eset.com.cn
- jiangmin.com
- kafan.cn
- kaspersky.com
- kaspersky.com.cn
- lanniao.org
- nod32.com
- nod32club.com
- rising.com.cn
- shadu.duba.net
- tool.ikaka.com
- union.kingsoft.com
- virscan.org
- virustotal.com
Modifies browser settings
Win32/Yeltminky can also modify the browser start page to point to a particular URL. The URL is provided in the configuration data carried by the malware.
Analysis by Ray Roberts
