This month’s MSRT families included Win32/Rorpian (an autorun worm that exploits a vulnerability in shortcut files), Win32/Nuqel (another autorun worm that spreads via network drives, removable drives, and instant messaging programs) and Win32/Yimfoca.
The last, Yimfoca, is a prevalent IM worm that uses common instant messaging applications and social networking websites to spread. It also affects security settings on the infected computer. Aside from stopping the Windows Update service and thus preventing critical updates from being installed, it also stops Microsoft Security Essentials and Forefront Endpoint Protection services. For this reason, it made the list of malware that was added to this month’s Malicious Software Removal Tool (MSRT).
Yimfoca, similar to Win32/Slenfbot (added to MSRT in September 2008), can spread via instant messaging programs. For example, the image below shows a screenshot of an MSN Messenger window containing one of the messages used by Win32/Yimfoca to spread.
If the user clicks on the link, he or she is led to a website containing a fake Facebook page. The page shows a “Photo has been moved.” message and instructs the user to click on the View Photo button to view the image. Once this button is clicked, a file download is initiated for an executable file masquerading as a photo, just like in the screenshot shown below.
In an attempt to further convince the user of its ruse, Win32/Yimfoca may also use an icon similar to that of an image file. If the unsuspecting user opens the downloaded file, Win32/Yimfoca will then proceed to install itself into the computer.
Just like most IM worms these days, Win32/Yimfoca also has backdoor functionality. It attempts to connect to a remote IRC server through a predefined port, join a channel and wait for commands. It could be a command to set Internet Explorer’s start page, spread via instant messaging and/or social networking sites, or download and execute arbitrary files, among other things.
You can read a more detailed description of Win32/Yimfoca in our encyclopedia.
The following table shows the current top threat families that have been cleaned from users’ computers with MSRT since its release last week. Win32/Yimfoca is #17, with 38,544 machines cleaned so far.
| Rank | Family | Machines Cleaned |
| 1 | Sality | 191,689 |
| 2 | Taterf | 158,468 |
| 3 | Rimecud | 110,550 |
| 4 | FakeRean | 94,272 |
| 5 | Vobfus | 86,709 |
| 6 | Alureon | 80,831 |
| 7 | Nuqel | 72,187 |
| … | ||
| 15 | Renocide | 43,993 |
| 16 | Ramnit | 41,202 |
| 17 | Yimfoca | 38,544 |
| … | ||
| 31 | FakeXPA | 13,383 |
| 32 | Winwebsec | 13,218 |
| 33 | Rorpian | 13,632 |
If you think you have been infected by this threat, or you notice that your Windows Update service is disabled, or your Microsoft Security Essentials or Forefront Endpoint Protection in not running, we recommend that you download and run the Malicious Software Removal Tool.
Stay safe, and don’t forget to regularly visit the Microsoft Malware Protection Center to get the latest updates about security and malware.
– Patrik Vicol and Gilou Tenebro
Leave a reply
