Well, another virus is on the radar; this time it carries the alias Yaludle.
There is no real info yet on the installer or the exploit used to drop it, but suffice to say this one is bad news: it registers its DLL under several multimedia driver entries in the registry (values under the Drivers32 key), so the DLL is pulled into any process that initialises the Windows multimedia subsystem, which in practice means it is back every time the PC boots.
As a very quick synopsis of the risks: this virus enables Man-in-the-Browser / Man-in-the-Middle attacks, which will typically go after your banking credentials, but as with many banking trojans it is not above going after your other sensitive info with keylogging.
Anyway, to get rid of it, do as follows:
- Close all instances of Internet Explorer.
- Open ProcessExplorer and Regedit.
- Get the DLL name from the midi2 value under the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 and write it down. It should be in the format of 8 hex digits + 1; the same 8-digit hex string names the .exe and .tmp files listed further down.
- Use Process Explorer to search for that hex value and close every handle that carries it (some will be mutex objects rather than files). In Process Explorer: View => Lower Pane View => Handles (Ctrl+H), then Find => Find Handle or DLL... (Ctrl+F) and search for the first 4 digits of the file name. You get a list of handles and loaded DLLs that relate to the malware. Close them from Process Explorer (right-click the handle in the lower pane => Close Handle) or with Sysinternals handle.exe (handle -c <handle-value> -p <pid>).
Delete these registry entries (the four Drivers32 items are values under that key rather than subkeys; export the keys first if you want a way back):
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2
- HKCU\Software\Macromedia\
- HKCU\Software\AppDataLow\Software\Macromedia\
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WAB
Delete these files:
- %Appdata%\Macromedia\Common\ (the whole folder, including the (8-digit-hex).exe inside it)
- %TMP%\(8-digit-hex).tmp
I also recommend clearing the Temp folders on that machine.
- %Temp%
- %Systemroot%\Temp
Having done all of that, the machine should restart without any malicious Yaludle items loaded. For peace of mind, repeat the Process Explorer handle search above to ensure that no handles or loaded DLLs still carry that hex value.
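The same clean-up, scripted so you can see what is there before anything is deleted. This is an added example, not part of the original post and not a tool from any vendor: it reads the Drivers32 and Run\WAB entries listed above, pulls out the 8-hex-digit stem, lists the processes that currently have a module with that stem loaded, and only removes registry entries, processes and files when run with -Remove. Two things are my additions beyond the post: it also checks the Wow6432Node copy of Drivers32 (present on 64-bit Windows), and it cannot see mutex handles, so the Process Explorer handle search is still worth doing afterwards. Run it from an elevated PowerShell prompt after closing Internet Explorer.

```powershell
# Yaludle clean-up helper (added example, not from the original post).
# Dry run by default; pass -Remove to actually kill processes and delete entries.
[CmdletBinding()]
param([switch]$Remove)

# Registry locations from the post, plus the Wow6432Node copy of Drivers32 (my addition).
$drivers32Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
)
$valueNames     = 'midi2', 'wave1', 'aux2', 'mixer2'
$runKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$macromediaKeys = 'HKCU:\Software\Macromedia', 'HKCU:\Software\AppDataLow\Software\Macromedia'

# 1. Collect whatever is registered under the Drivers32 values and Run\WAB.
$found = @()
foreach ($key in $drivers32Keys) {
    foreach ($v in $valueNames) {
        $item = Get-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue
        if ($item) { Write-Host "$key\$v = $($item.$v)"; $found += $item.$v }
    }
}
$wab = (Get-ItemProperty -Path $runKey -Name WAB -ErrorAction SilentlyContinue).WAB
if ($wab) { Write-Host "$runKey\WAB = $wab"; $found += $wab }

# 2. Extract the 8-hex-digit stem the post describes; stop if nothing matches.
$stems = $found | Where-Object { $_ } |
    ForEach-Object { if ($_ -match '([0-9A-Fa-f]{8})') { $Matches[1].ToLower() } } |
    Sort-Object -Unique
if (-not $stems) { Write-Host 'No 8-hex-digit driver names found; nothing to do.'; return }
Write-Host "Malware stem(s): $($stems -join ', ')"

# 3. Which processes currently have a module with that stem loaded?
#    (Equivalent to the DLL half of Process Explorer's Find Handle or DLL;
#    mutex and other kernel handles are not visible from here.)
$hits = foreach ($p in Get-Process) {
    try { $mods = $p.Modules } catch { continue }   # access denied / bitness mismatch
    foreach ($m in $mods) {
        foreach ($s in $stems) {
            if ($m.ModuleName -like "*$s*") {
                [pscustomobject]@{ ProcessId = $p.Id; Name = $p.ProcessName; Module = $m.FileName }
            }
        }
    }
}
$hits | Format-Table -AutoSize

if (-not $Remove) {
    Write-Host 'Dry run only. Re-run with -Remove to kill these processes and delete the entries.'
    return
}

# 4. Removal: stop the processes holding the DLL, then the registry entries, then the files.
$hits | Select-Object -ExpandProperty ProcessId -Unique |
    ForEach-Object { Stop-Process -Id $_ -Force -ErrorAction SilentlyContinue }

foreach ($key in $drivers32Keys) {
    foreach ($v in $valueNames) { Remove-ItemProperty -Path $key -Name $v -ErrorAction SilentlyContinue }
}
Remove-ItemProperty -Path $runKey -Name WAB -ErrorAction SilentlyContinue
foreach ($k in $macromediaKeys) { Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue }

# %Appdata%\Macromedia\Common\ (folder plus the .exe inside), %TMP%\<stem>.tmp, then the temp folders.
$paths = @("$env:APPDATA\Macromedia\Common") + ($stems | ForEach-Object { "$env:TMP\$($_).tmp" })
foreach ($path in $paths) { Remove-Item -Path $path -Recurse -Force -ErrorAction SilentlyContinue }
Get-ChildItem -Path $env:TEMP, "$env:SystemRoot\Temp" -Force -ErrorAction SilentlyContinue |
    Remove-Item -Recurse -Force -ErrorAction SilentlyContinue

Write-Host 'Done. Reboot, then re-run this script without -Remove to confirm nothing is left.'
```

Files still held open by a process that could not be stopped will survive the Remove-Item calls, which is why the script lists the loaded modules first and why the post's final Process Explorer check after the reboot still matters.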
