Aliases: Generic8.OHR, Tool.Win32.YahooDump.a
Variants: W32/Pwstool.C, Trojan.PWSYahooDump.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 03 Oct 2007
Damage: Medium

Characteristics: The W32/Yahack.A program is a worm that propagates through mapped drives. The worm logs keystrokes, gathers information about the system, and steals Yahoo! Messenger passwords. The systems affected by this worm are Windows 95, Windows 98, Windows XP, Windows Vista, Windows Me, Windows NT, Windows 2000 and Windows Server 2003.

More details about W32.Yahack.A

Once the worm executes on a system, it creates autorun.inf in the user's current folder, UpDateWinc.exe in the system folder, LogBoy.log in the Windows directory, a1.exe, pass1.txt, tem.exe and temp1.bat on the system drive, and NTDETECT.exe at the root of the drive. These files exist so that the worm is executed whenever the drive is accessed. After that, it creates a registry entry and records Yahoo! Messenger usernames and passwords, mouse clicks, keystrokes, and the title of the active window on the compromised computer. After collecting this information, the worm e-mails it to a remote attacker via an SMTP server. The worm is also likely to drop %SystemDrive%\a1.exe, a Trojan horse.
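As an added triage example (not part of the original entry), the following Python checks a drive-root listing together with its autorun.inf for the persistence pattern described above: an autorun entry that launches one of the dropped files. The file names come from the entry; the sample listing, the autorun.inf contents and the suspicion rule are this example's own constructions.

```python
"""Triage helper: does a drive root carry Yahack.A-style autorun artifacts?"""
from typing import Dict, List

# File names the entry lists as dropped by W32/Yahack.A (compared case-insensitively).
# Note: the legitimate NT boot file is NTDETECT.COM; an NTDETECT.exe at a drive root is not normal.
YAHACK_ARTIFACTS = {"autorun.inf", "updatewinc.exe", "logboy.log", "a1.exe",
                    "pass1.txt", "tem.exe", "temp1.bat", "ntdetect.exe"}

def autorun_targets(autorun_text: str) -> List[str]:
    """Return the program names an autorun.inf would launch.

    Handles the [autorun] section keys open=, shellexecute= and shell\\<verb>\\command=.
    """
    targets, section = [], None
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        launches = key in ("open", "shellexecute") or \
            (key.startswith("shell\\") and key.endswith("\\command"))
        if launches and value.strip():
            program = value.strip().split()[0].strip('"')   # drop arguments and quotes
            targets.append(program.rsplit("\\", 1)[-1].lower())  # keep file name only
    return list(dict.fromkeys(targets))                  # de-duplicate, keep order

def triage_drive_root(listing: List[str], autorun_text: str = "") -> Dict[str, object]:
    """Flag a root listing when autorun launches a dropped file or several artifacts are present."""
    names = {name.lower() for name in listing}
    launches = [t for t in autorun_targets(autorun_text) if t in names]
    artifacts = sorted(names & (YAHACK_ARTIFACTS - {"autorun.inf"}))  # autorun.inf alone is common
    suspicious = any(t in YAHACK_ARTIFACTS for t in launches) or len(artifacts) >= 2
    return {"autorun_launches": launches, "known_artifacts": artifacts, "suspicious": suspicious}

# Constructed sample: a mapped drive as the worm would leave it (not captured from a real infection).
SAMPLE_LISTING = ["autorun.inf", "NTDETECT.exe", "Documents", "photo.jpg"]
SAMPLE_AUTORUN = "[AutoRun]\nopen=NTDETECT.exe\nshell\\open\\Command=NTDETECT.exe\nicon=setup.ico\n"

if __name__ == "__main__":
    print(triage_drive_root(SAMPLE_LISTING, SAMPLE_AUTORUN))
```

A vendor CD whose autorun.inf opens its own setup.exe is not flagged, since the rule keys on the entry's dropped file names rather than on autorun.inf alone.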

Systems infected with this worm may run slower than usual and become unstable. This may be due to the activities of the remote user on the affected computer.