YADRIVE32.EXE is Worm Pushbot

July 19, 2012 by NightWatcher
Filed under: Worm, Solved!

Fix it immediately:

The file YADRIVE32.EXE is a computer worm: a self-replicating malicious program that uses the network to send copies of itself to other computers, so a single infected host will keep trying to re-infect the rest of your network.
Fix the YADRIVE32.EXE problem as soon as possible:
  • Delete the file YADRIVE32.EXE from every infected computer on the network, together with the autorun entries and companion files listed in the analysis below; if only the executable is removed, the Run-key entries will try to start it again at the next logon.
  • Configure your network firewall to block YADRIVE32.EXE traffic, so that a machine you have not yet cleaned cannot spread to the others or reach the web sites the worm contacts.

Malware Analysis of YADRIVE32.EXE
Full path on an infected computer: %WinDir%\yadrive32.exe

Detected by RegRun Warrior:

Item Name: Microsoft Driver Setup
Author: Unknown
Related File: %WinDir%\YADRIVE32.EXE
Type: Explorer Run

Item Name: Kyzqza
Author: Unknown
Related File: %APPDATA%\KYZQZA.SCR
Type: Registry Run

Item Name: yadrive32.exe
Author: Unknown
Related File: %WinDir%\YADRIVE32.EXE
Type: Detected using Heuristic Algorithm

Item Name: 1.tmp
Author: Unknown
Related File: %APPDATA%\1.TMP
Type: Detected using Heuristic Algorithm

Item Name: 2.exe
Author: Unknown
Related File: %APPDATA%\2.EXE
Type: Detected using Heuristic Algorithm

Item Name: 4.exe.gonewiththewings
Author: Unknown
Related File: %APPDATA%\4.EXE.GONEWITHTHEWINGS
Type: Detected using Heuristic Algorithm

Item Name: 6.exe.gonewiththewings
Author: Unknown
Related File: %APPDATA%\6.EXE.GONEWITHTHEWINGS
Type: Detected using Heuristic Algorithm

Item Name: Kyzqza.scr
Author: Unknown
Related File: %APPDATA%\KYZQZA.SCR
Type: Detected using Heuristic Algorithm

Item Name: nd.bin
Author: Unknown
Related File: %APPDATA%\ND.BIN
Type: Detected using Heuristic Algorithm

Removal Results: Success
Number of reboots: 1

YADRIVE32.EXE is known as:

Worm.Pushbot, BackDoor.Gurl

YADRIVE32.EXE hash:

  • MD5: a7ad94468d67d6ae3c82390379cb9452

This hash identifies the one sample analyzed here; other builds of the worm will have different hashes, so a hash mismatch on a file that the name and registry checks flagged is inconclusive, not a clean result. When run, the file also tries to download content from several web sites.
How to quickly detect YADRIVE32.EXE presence?

Look for the following registry values and files. The HKCU key and %AppData% are per-user locations, so check every user profile on the machine, not only the account that is currently logged in.
Registry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup: “%WinDir%\yadrive32.exe”
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup: “%WinDir%\yadrive32.exe”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kyzqza: “%AppData%\Kyzqza.scr”
Files:
  • %AppData%\1.tmp
  • %AppData%\2.exe
  • %AppData%\3.exe.gonewiththewings
  • %AppData%\4.exe.gonewiththewings
  • %AppData%\6.exe.gonewiththewings
  • %AppData%\Kyzqza.scr
  • %AppData%\nd.bin
  • %WinDir%\yadrive32.exe
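As an added example (not part of the original post and not code from RegRun or UnHackMe), the following Python script applies the indicators above offline: it parses a `reg export` text of the autorun keys, matches value names and image file names against the list, checks a directory listing for the companion files, and compares a file's MD5 against the hash above. The registry export and file listing embedded in it are constructed sample data, not output from a real infection, and the function names are the example's own.

```python
import hashlib
import ntpath
import re

# Indicators copied from the post above.
KNOWN_MD5 = "a7ad94468d67d6ae3c82390379cb9452"
AUTORUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
IOC_VALUE_NAMES = {"microsoft driver setup", "kyzqza"}
IOC_FILE_NAMES = {
    "yadrive32.exe", "kyzqza.scr", "1.tmp", "2.exe",
    "3.exe.gonewiththewings", "4.exe.gonewiththewings",
    "6.exe.gonewiththewings", "nd.bin",
}

_KEY_RE = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def image_path(command):
    """Executable path from a Run-key command line: either a quoted path
    followed by arguments, or an unquoted path up to the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def scan_registry_export(reg_text):
    """Match autorun entries in a `reg export` dump (read the .reg file as
    UTF-16) against the Pushbot value names and image file names."""
    hits = []
    current = None  # (hive, subkey) while inside one of the autorun keys
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            hive, subkey = key.group(1), key.group(2)
            current = (hive, subkey) if subkey.lower() in AUTORUN_KEYS else None
            continue
        value = _VALUE_RE.match(line)
        if current is None or not value:
            continue
        name = value.group(1)
        # .reg files escape backslashes and quotes inside REG_SZ data; undo that.
        command = re.sub(r'\\(["\\])', r"\1", value.group(2))
        path = image_path(command)
        if (name.lower() in IOC_VALUE_NAMES
                or ntpath.basename(path).lower() in IOC_FILE_NAMES):
            hive, subkey = current
            hits.append({"key": _HIVES.get(hive, hive) + "\\" + subkey,
                         "name": name, "path": path})
    return hits


def scan_file_listing(paths):
    """Return the paths whose file name is one of the Pushbot drop names.
    %AppData% is per user, so the listing must cover every profile."""
    return [p for p in paths if ntpath.basename(p).lower() in IOC_FILE_NAMES]


def md5_matches(data):
    """True if `data` (the bytes of a suspect file) is the sample hashed in
    the post. Other builds hash differently, so False does not clear a file
    that the name or registry checks already flagged."""
    return hashlib.md5(data).hexdigest() == KNOWN_MD5


# Constructed sample inputs (not from a real infection): a `reg export` of the
# autorun keys and a recursive directory listing of two user profiles.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\Vendor\\updater.exe"
"Microsoft Driver Setup"="C:\\Windows\\yadrive32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"Microsoft Driver Setup"="C:\\Windows\\yadrive32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Kyzqza"="C:\\Users\\alice\\AppData\\Roaming\\Kyzqza.scr"
'''

SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\yadrive32.exe",
    r"C:\Users\alice\AppData\Roaming\Kyzqza.scr",
    r"C:\Users\alice\AppData\Roaming\4.exe.gonewiththewings",
    r"C:\Users\alice\AppData\Roaming\nd.bin",
    r"C:\Users\bob\AppData\Roaming\2.exe",
]


def triage(reg_text=SAMPLE_REG, paths=SAMPLE_FILES):
    """Run both checks; the host is flagged if either finds anything."""
    reg_hits = scan_registry_export(reg_text)
    file_hits = scan_file_listing(paths)
    return {"infected": bool(reg_hits or file_hits),
            "registry": reg_hits, "files": file_hits}


if __name__ == "__main__":
    result = triage()
    for h in result["registry"]:
        print("autorun:", h["key"], h["name"], "->", h["path"])
    for p in result["files"]:
        print("file:   ", p)
    # The real sample is not embedded here, so this placeholder will not match.
    print("md5 matches known sample:", md5_matches(b"placeholder, not the sample"))
```

Matching on the value name and on the image file name separately matters because either can change on its own: a variant may keep the "Microsoft Driver Setup" name but drop the executable elsewhere, or keep the file name under a new value. On 64-bit Windows, the same Run key also exists under HKLM\Software\Wow6432Node, so export that key too when collecting input for the script.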


Recommended: UnHackMe anti-rootkit and anti-malware

Premium software: RegRun Security Suite (Good choice for removal and protection)

Written by

Malware Hunter.
