Yakoza 3.2

Yakoza 3.2
(Trojan-Spy.Win32.Yazoka.i)
(Trojan-Spy.Win32.Yazoka.e)

by Ali Moazemi

Released in October 2007

Made in Iran


Server
Dropped Files:
c:\WINDOWS\system32\svchot.exe     Size: 9,218 bytes 
c:\WINDOWS\system32\svshoct.exe    Size: 131,235 bytes 
c:\WINDOWS\system32\svshost.exe    Size: 131,235 bytes 

Added to Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
Old data: Explorer.exe 
New data: explorer.exe svshost.exe 	

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{z6B2445-1963-9142-A0DB-DBDB9E15FB9z} "StubPath"
Data: svchot.exe AutoRun 


Tested on Windows XP
November 14, 2007

MegaSecurity