Aliases: TR/Drop.Fkpws, Trojan.Dropper.Fkpws.A, Virus.Win32.VB.dk, W32/VBTroj.GAW
Variants: Worm.Win32.VB.hg, Worm/VB.AYC

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 16 Apr 2007
Damage: Low

Characteristics: W32.Yadurna.A is a worm that copies itself to the root directories of mapped drives. It may cause the compromised computer to become unstable. Affected systems are Windows 95, Windows 2000, Windows 98, Windows NT, Windows Me, Windows XP and Windows Server 2003.

More details about W32.Yadurna.A

W32.Yadurna.A poses as a password recovery tool and can be downloaded onto the computer. Once the malicious application is downloaded, the user of the compromised computer is presented with a password recovery dialogue box. The worm is dropped and run when the password recovery dialogue is closed. Once the worm is run, it copies itself to the Windows directory, lo5tword.exe, drive letter and user profile using one of the following file names: document.exe, Tugas.exe, w4y4n9.exe, HP Bunga Citra Lestari.exe, spoolsv.exe, svchost.exe, Hanuman.exe, services.exe, GatoTkaca.scr, smss.exe, csrss.exe, w32 Wayang.exe, lsass.exe, SMA Negeri 4.exe, daLang MistiQ.exe, Kota P4hlawan.exe, Windows [RANDOM NUMBER].exe and Majnun was H3re.exe.

The worm can create one or more folders and then copy itself into them using one or more of the file names mentioned above. It then drops bitmap pictures and sets the desktop wallpaper to one of the pictures it dropped. It creates registry entries so that it runs whenever Windows starts. The worm may also modify existing registry entries and reportedly infects files with the .html extension found on the computer by adding a link to a copy of the threat. W32.Yadurna.A blocks access to many security-related sites by adding text to the hosts file. After all of these steps are completed, the compromised computer can become unstable.
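
The following is an added example, not part of the original entry: a triage helper that checks a file listing against the file names given above. Several of those names are also genuine Windows process names, so they are only flagged when found outside the system directory. The system directory path, the digit format of the random number, the treatment of lo5tword.exe as a worm file and the sample listing are assumptions.

```python
import ntpath
import re

# File names from the list above, lower-cased for case-insensitive matching.
# lo5tword.exe is named in the same sentence; treating it as a worm file is an assumption.
WORM_NAMES = {
    "lo5tword.exe", "document.exe", "tugas.exe", "w4y4n9.exe",
    "hp bunga citra lestari.exe", "hanuman.exe", "gatotkaca.scr",
    "w32 wayang.exe", "sma negeri 4.exe", "dalang mistiq.exe",
    "kota p4hlawan.exe", "majnun was h3re.exe",
}
# Listed names that are also genuine Windows process names.
SYSTEM_NAMES = {"spoolsv.exe", "svchost.exe", "services.exe",
                "smss.exe", "csrss.exe", "lsass.exe"}
# "Windows [RANDOM NUMBER].exe"; assumption: the number is decimal digits.
RANDOM_COPY = re.compile(r"windows \d+\.exe")


def classify(path, system_dir=r"C:\Windows\System32"):
    """Return a reason string if the path looks like a worm copy, else None."""
    folder, name = ntpath.split(path)
    name = name.lower()
    if name in WORM_NAMES or RANDOM_COPY.fullmatch(name):
        return "file name listed for the worm"
    # Assumption: the genuine binaries live only in system_dir.
    if name in SYSTEM_NAMES and ntpath.normcase(folder) != ntpath.normcase(system_dir):
        return "system process name outside the system directory"
    return None


def triage(paths, system_dir=r"C:\Windows\System32"):
    """Return (path, reason) for every path in the listing that classify() flags."""
    hits = []
    for p in paths:
        reason = classify(p, system_dir)
        if reason:
            hits.append((p, reason))
    return hits


# Constructed sample listing (not taken from a real system).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"E:\svchost.exe",
    r"E:\Tugas.exe",
    r"C:\Documents and Settings\user\Windows 4821.exe",
    r"C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{path}: {reason}")
```

On systems where Windows is installed elsewhere (for example a WINNT directory), pass the matching `system_dir`.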