Win32/Yektel [Threat Name]

Win32/Yektel.A [Threat Variant Name]

Category: trojan
Size: 634368 B
Detection created: Jul 10, 2009
Signature database version: 4232
Aliases: Rogue:Win32/FakeXPA (Microsoft), FakeAlert-EQ.b.trojan (McAfee)

Short description

Win32/Yektel.A is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.


The following Registry entries are created:

  • [HKEY_CLASSES_ROOT\CLSID\{04DFB628-514B-4E68-9076-DC1024F58A96}]
    • "(Default)" = "&Security Update"
  • [HKEY_CLASSES_ROOT\CLSID\{04DFB628-514B-4E68-9076-DC1024F58A96}\InProcServer32]
    • "(Default)" = %malwaredllpath%
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    • "{04DFB628-514B-4E68-9076-DC1024F58A96}"
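
A defender-side check for the registry entries listed above, added here as an example and not part of the original description: it parses the text of a `reg export` dump and reports the Browser Helper Object registration and the DLL path stored under InProcServer32. The function names, the sample export and the DLL path in it are constructed for illustration; the check accepts the CLSID under Browser Helper Objects either as a subkey or as a value name.

```python
# Added example: scan the text of a `reg export` dump for the entries listed above.
# Real export files are UTF-16; decode them before passing the text in.
YEKTEL_CLSID = "{04DFB628-514B-4E68-9076-DC1024F58A96}"  # CLSID from this page
BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
CLSID_KEY = "HKEY_CLASSES_ROOT\\CLSID\\" + YEKTEL_CLSID

# Constructed sample export; the DLL path is a placeholder, not a real indicator.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{04DFB628-514B-4E68-9076-DC1024F58A96}]
@="&Security Update"

[HKEY_CLASSES_ROOT\CLSID\{04DFB628-514B-4E68-9076-DC1024F58A96}\InProcServer32]
@="C:\\Users\\Public\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{04DFB628-514B-4E68-9076-DC1024F58A96}]
'''

def parse_reg_export(text):
    """Return {KEY_PATH_UPPERCASE: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes in string data; undo that.
            current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def find_yektel_artifacts(keys):
    """Return (finding, detail) tuples for the entries this page lists."""
    findings, clsid, bho = [], YEKTEL_CLSID.upper(), BHO_KEY.upper()
    as_subkey = bho + "\\" + clsid in keys
    as_value = any(n.upper() == clsid for n in keys.get(bho, {}))
    if as_subkey or as_value:
        findings.append(("bho_registered", BHO_KEY))
    for label, path in (("com_class", CLSID_KEY),
                        ("inproc_dll", CLSID_KEY + "\\InProcServer32")):
        entry = keys.get(path.upper())
        if entry is not None:
            findings.append((label, entry.get("(Default)", "")))
    return findings

if __name__ == "__main__":
    for finding in find_yektel_artifacts(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

The `inproc_dll` finding gives the path of the file to collect and inspect, since the description lists it only as %malwaredllpath%.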

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings]
    • "{04DFB628-514B-4E68-9076-DC1024F58A96}"

Other information

Win32/Yektel.A is a trojan that prevents access to certain web sites and reroutes traffic to certain IP addresses.


It avoids web sites with any of the following strings in their names:

  • mail
  • secure
  • payment
  • google
  • msn
  • live
  • yahoo
  • protected

The user may be redirected to one of the following Internet web sites:

  • http://www.antispywarelist.com/
