W32/Yabe.BJ Trojan

| Field | Value |
|---|---|
| Name | W32/Yabe.BJ Trojan |
| Aliases | TROJ_YABE.BJ |
| Discovered on | February 06, 2007 |
Virus Information - W32/Yabe.BJ Trojan:
W32/Yabe.BJ is a trojan that infects Windows systems and spreads through email.
The trojan usually arrives as an attachment to a spammed email.
Upon execution, it copies itself as IPTB.EXE into the Windows System folder.
It also drops a non-malicious file named ACGE.DAT into the Windows System\drivers folder; this file contains a list of URLs.
The trojan modifies the registry at the following location so that it is loaded on each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It accesses the URLs stored in ACGE.DAT, which contain a link to an encrypted site from which it downloads a malicious file.
As a result, the behaviour of the downloaded file may be exhibited on the affected machine.
This trojan also uses the Adobe Acrobat Reader icon to trick users into thinking that it is a legitimate .PDF file. Once opened, it displays a fake error message suggesting that the .PDF file cannot be opened; by then, however, the trojan may already have been executed and installed on the system.
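As an added defender-side example (not code from the original advisory or its vendor), the helper below parses a constructed `.reg` export of the Run key named above and a constructed directory listing, flagging any entry that points at the file names this trojan drops (IPTB.EXE, ACGE.DAT). The Run value name `iptb` and the sample paths are assumptions made for the sample data.

```python
import re

# Constructed sample .reg export of the Run key. The IPTB.EXE entry mirrors the
# persistence behaviour described above; the value name "iptb" is an assumption.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"iptb"="C:\\WINDOWS\\system32\\IPTB.EXE"
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# File names the advisory says the trojan drops (compared case-insensitively).
SUSPECT_FILES = {"iptb.exe", "acge.dat"}


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double backslashes inside quoted string data
            keys[current][name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def find_yabe_run_entries(reg_text):
    """Names of Run-key values whose data points at a file the trojan drops."""
    values = parse_reg(reg_text).get(RUN_KEY, {})
    return [name for name, data in values.items() if _basename(data) in SUSPECT_FILES]


def find_dropped_files(paths):
    """Paths from a directory listing whose file name matches a dropped file."""
    return [p for p in paths if _basename(p) in SUSPECT_FILES]


if __name__ == "__main__":
    print("Run-key hits:", find_yabe_run_entries(SAMPLE_REG))
    listing = [r"C:\WINDOWS\system32\drivers\ACGE.DAT", r"C:\WINDOWS\system32\kernel32.dll"]
    print("Dropped files:", find_dropped_files(listing))
```

A match on either check is only a triage lead; confirm by hashing the file against the vendor's signature rather than by name alone.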