Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

21f45caf86b3fef0da76ebc889c56144616b79bd

To remove this infection,

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

You should be good to go.

• %WINDIR%\web\connection.dat

• %WINDIR%\SYSTEM32\logoneui.exe

This W32 YahLover worm is a low threat virus but never the less it will harm your PC. If infected, the virus will infect system files and directories.
Removing this virus should be pretty easy, simply run your PC’s virus scanner if you have one and that should clean it. If your anti virus app is out of date, make sure you update the definition file before you scan and clean.

System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following files were analyzed:

f7c55aabda688cf0cf8ee05ac81fd1a09e6729a0

To remove this Trojan, please follow directions below:

download Malwarebytes’ Anti-Malware from here  and  save it to your computer.

• Double click mbam-setup.exe and follow the directions to install.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes
  • Launch Malwarebytes
• then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform quick scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes’ Anti-Malware

Other Common Detection Aliases

System Changes

Some path values have been replaced with environment variables as the exact location may vary with different configurations.
e.g.
%WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
%PROGRAMFILES% = \Program Files

The following registry elements have been changed:

• HKEY_CURRENT_USER\SOFTWARE\EXQONCZCTRUCEG\ID = 1.0

• HKEY_CURRENT_USER\SOFTWARE\EXQONCZCTRUCEG\KNKD = 1

• HKEY_CURRENT_USER\SOFTWARE\EXQONCZCTRUCEG\READY = 1

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\CHECKEXESIGNATURES = no

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\RUNINVALIDSIGNATURES = 1

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{92780B25-18CC-41C8-B9BE-3C9C571A8263} = 8193

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\NEXTID = 8194

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLED = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLEDV8 = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\ENABLEDV9 = 0

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\PROXYOVERRIDE

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\PROXYSERVER = http=127.0.0.1:47392

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS\LOWRISKFILETYPES = .exe

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ATTACHMENTS\SAVEZONEINFORMATION = 1

• HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\WDANDYYP = %TEMP%\fmljgiqxa\remoynoxsik.exe

Type

Logic error

Impact of exploitation

Information disclosure

User Interaction

user interaction is needed

Attack Vector

Information disclosure

Rating

Medium

CVE reference

CVE-2009-4073,

Vendor Status

Unacknowledged

Vulnerable systems

Internet Explorer  6 SP1 Windows 2000 SP4,

Internet Explorer  6 SP1,

Internet Explorer  6 Microsoft Windows Server 2003 SP1,

Internet Explorer  6 Windows Server 2003 SP1,

Internet Explorer  6 Windows Server 2003 SP1 Itanium,

Internet Explorer  6 Windows Server 2003 SP2,

Internet Explorer  6 Windows XP Professional X64 Edition SP2,

Internet Explorer  6 Windows XP SP2,

Internet Explorer  7,

Internet Explorer  7 Windows Server 2003 SP2 Itanium,

Internet Explorer  7 Windows 2000 SP4,

Internet Explorer  7 Windows Vista SP1,

Internet Explorer  7 Windows Vista X64 Edition SP1,

Internet Explorer  7 Windows Server 2008 X64 Edition,

Internet Explorer  7 Windows Server 2008 X32 Edition,

Internet Explorer  7 Windows Server 2008 Itanium Edition,

Internet Explorer  7 Windows XP SP2,

Internet Explorer  7 Windows XP Professional X64 Edition SP2,

Internet Explorer  8,

Summary

A vulnerability in Microsoft Internet Explorer may allow for the disclosure of sensitive information.

A remote code execution vulnerability exists in Microsoft Office Excel as a result of memory corruption when loading Excel records. The vulnerability could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. ? The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message. ? An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

McAfee Product Mitigation & Recommendations

Recommendations -

The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx

McAfee Product Mitigation

McAfee Foundstone

Signature:

(MS09-067) Excel Document Parsing Memory Corruption Vulnerability (972652)

Signature identifier:

7325

Release date:

11/10/2009

A remote code execution vulnerability exists in Microsoft Office Excel that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. ? The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message. ? An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

McAfee Product Mitigation & Recommendations

Recommendations -

Vendor has released patches to address this issue. http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx

McAfee Product Mitigation

McAfee Foundstone

Signature:

(MS09-067) Excel Featheader Record Memory Corruption Vulnerability (972652)

Signature identifier:

7321

Release date:

11/10/2009

A vulnerability in Microsoft Active Template Library (ATL) ActiveX Controls may allow remote code execution. The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka “ATL COM Initialization Vulnerability.” An attacker could exploit this vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker exploiting this vulnerability could gain the same user rights as the logged on user.

McAfee Product Mitigation & Recommendations

Recommendations -

The vendor has released a patch to address this issue: http://www.microsoft.com/technet/security/bulletin/ms09-060.mspx

McAfee Product Mitigation

McAfee Foundstone

Signature:

(MS09-060) ATL COM Initialization Vulnerability (973965)

Signature identifier:

7206

Release date:

10/13/2009

McAfee Intrushield

Signature:

HTTP: Microsoft Visual Studio ATL Uninitialized Object Vulnerability

Signature identifier:

0×40264900

Release date:

7/6/2009

First released in:

UDS and 4.1.55.4, 5.1.25.4

McAfee Host IPS

Signature:

Generic Buffer Overflow Protection

Signature identifier:

428

Release date:

8/24/2000

First released in:

2.0

Signature:

(MS09-060) ATL COM Initialization Vulnerability (973965)

Signature identifier:

7206

Release date:

10/14/2009

McAfee VirusScan Enterprise 8.0i (VSE8.0i) / Managed Virus Scan (MVS) Buffer Overflow Protection

Signature:

Generic Buffer Overflow Protection

The V-Flash of October 14th will contain remedies for this issue.

Signature:

Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)

Signature identifier:

98961

Release date:

10/14/2009

Release date:

10/14/2009

Backdoor.Tidserv.I!inf is a detection for legitimate system driver files that have been modified by Backdoor.Tidserv to load other malicious components.

Protection

• Initial Rapid Release version December 3, 2009 revision 019
• Latest Rapid Release version December 3, 2009 revision 019
• Initial Daily Certified version December 3, 2009 revision 021
• Latest Daily Certified version December 3, 2009 revision 021
• Initial Weekly Certified release date December 9, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 – 49
• Number of Sites: 0 – 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Modifies Files: Modifies legitimate system files.

Distribution

• Distribution Level: Low

W32.SillyFDC.BBX is a worm that spreads by copying itself to removable and mapped drives. It also drops more malware, attempts to download files, lowers security settings, disables certain system software and alters certain system settings.

Protection

• Initial Rapid Release version December 2, 2009 revision 025
• Latest Rapid Release version December 2, 2009 revision 025
• Initial Daily Certified version December 2, 2009 revision 024
• Latest Daily Certified version December 2, 2009 revision 024
• Initial Weekly Certified release date December 2, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 – 49
• Number of Sites: 0 – 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Modifies Files: Modifies certain files, replacing them with a copy of other malware.
• Compromises Security Settings: Lowers security settings.

Distribution

• Distribution Level: Medium
• Target of Infection: Removable drives

Behavior

Adware.Zwunzi is an adware program that installs itself as a Browser Search Plugin for Internet Explorer and Mozilla Firefox.

Protection

• Initial Rapid Release version December 2, 2009 revision 039
• Latest Rapid Release version December 2, 2009 revision 039
• Initial Daily Certified version December 2, 2009 revision 050
• Latest Daily Certified version December 2, 2009 revision 050
• Initial Weekly Certified release date December 9, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

W32.Mabezat.B!dam is a detection for corrupted files that are infected with W32.Mabezat.B.

Protection

• Initial Rapid Release version December 2, 2009 revision 022
• Latest Rapid Release version December 2, 2009 revision 022
• Initial Daily Certified version December 2, 2009 revision 024
• Latest Daily Certified version December 2, 2009 revision 024
• Initial Weekly Certified release date December 9, 2009

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 – 49
• Number of Sites: 0 – 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Medium

Distribution

• Distribution Level: Low