Symptoms
A computer infected by this worm shows the following symptoms.
- The operating system does not boot. Instead, the screen shows a black background with a single ASCII banner consisting of a series of 24 "=" signs.
- A mutex object called gh0stQQ:376111502 exists. A mutex is only visible while the process that created it is running, so this indicator is absent once the backdoor is stopped.
- For variant A:
  - The comres.dll file is present in the %windir% folder.
  - An f[random-string]k.cmd file is present in the %windir%\system32 folder.
  - The HKLM\SYSTEM\CurrentControlSet\Services\F[random-string]K\Parameters registry key is present, with a ServiceDll value whose data is \f[random-string]k.cmd.
- For variant B:
  - The comres.dll file is present in the %programfiles%\Internet Explorer\ folder.
Description
The Backdoor.Yonsole worm spreads by bundling itself with other applications and also disguises itself as a critical Microsoft® Windows® update. It has two variants, A and B, which have the same functionality but drop their files in different locations.
The worm installs and registers a backdoor service on the host computer and then connects to a remote host to receive instructions on the tasks to perform on the compromised computer. This lets an attacker execute commands on the computer from a remote server, initiate a Remote Desktop session, and modify the Master Boot Record (MBR) of the affected computer.
Variant A drops a DLL file named comres.dll in the %windir% folder and a second copy of the worm named f[random-string]k.cmd in %windir%\system32. It then loads itself into svchost.exe as a service DLL and registers itself as a Windows service that starts every time the computer boots. This randomly named service is the backdoor component and listens for the remote host on port 8000. For example, it adds the HKLM\SYSTEM\CurrentControlSet\Services\F00165500K\Parameters registry key with the value ServiceDll and data \f00165500k.cmd. Note that the ServiceDll data points at a file with a .cmd extension: svchost.exe loads the ServiceDll path as a DLL regardless of its extension, so a ServiceDll value that does not end in .dll is worth flagging on its own.
Similar to variant A, variant B drops a DLL file named comres.dll in %programfiles%\Internet Explorer\. It also attempts to hide from anti-malware scanners by injecting itself into the memory space of the iexplore.exe process.
The worm creates a mutex object called gh0stQQ:376111502 to prevent itself from re-infecting an already infected computer.
Depending on the instructions issued by the attacker, Backdoor.Yonsole can perform the following actions.
- Overwrite the MBR with 512 bytes of code. This prevents the computer from booting: after the MBR is overwritten, the computer restarts, displays a series of 24 "=" signs, and freezes.
- Apply a series of registry tweaks so that the Windows Terminal Service runs on port 61 (instead of the default 3389) and the backdoor can connect to it.
- Download and execute a remotely hosted file from a link supplied by the attacker as a backdoor command.
- Automatically clear the Event Logs after installation, so that the user does not notice the large number of log entries it generates.
- Collect detailed information about the infected computer, such as the number of processors installed or the amount of free space on the hard-disk drive.
- Shut down the computer at the attacker's request after the MBR has been overwritten. Even if the computer is restarted, it will no longer boot normally.
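As an added example (not part of the original advisory), the following PowerShell triage script checks a host for the indicators listed under Symptoms and for the observable side effects of the actions above. The mutex name, file names, registry key shape, port 8000 and Terminal Service port 61 come from the text; the Security event ID 1102 ("The audit log was cleared"), the RDP-Tcp PortNumber registry value and the use of Get-NetTCPConnection (Windows 8 / Server 2012 and later) are standard Windows locations and are assumptions about where the described behaviour would show up. Run it from an elevated prompt.

```powershell
# Added triage script (not part of the original advisory). Reports any
# Backdoor.Yonsole indicators found on the local host.
$findings = @()

# 1. Mutex gh0stQQ:376111502 (only visible while the backdoor is running).
$mutex = $null
if ([System.Threading.Mutex]::TryOpenExisting('gh0stQQ:376111502', [ref]$mutex)) {
    $findings += 'Mutex gh0stQQ:376111502 exists (backdoor is running)'
    $mutex.Dispose()
}

# 2. Dropped files: variant A (%windir%\comres.dll, %windir%\system32\f*k.cmd)
#    and variant B (%programfiles%\Internet Explorer\comres.dll).
$paths = @(
    (Join-Path $env:windir 'comres.dll'),
    (Join-Path $env:ProgramFiles 'Internet Explorer\comres.dll')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}
Get-ChildItem -Path (Join-Path $env:windir 'System32') -Filter 'f*k.cmd' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^f.+k\.cmd$' } |
    ForEach-Object { $findings += "Dropped file present: $($_.FullName)" }

# 3. Service registration: Services\F<random>K\Parameters with a ServiceDll that
#    points at a .cmd file. svchost-hosted services normally load a .dll, so any
#    ServiceDll that does not end in .dll is reported too.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name   = $_.PSChildName
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll    = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            if ($name -match '^F.+K$' -and $dll -match '\.cmd$') {
                $findings += "Service $name loads ServiceDll $dll (matches Yonsole variant A)"
            } elseif ($dll -notmatch '\.dll$') {
                $findings += "Service $name has non-DLL ServiceDll $dll (review manually)"
            }
        }
    }

# 4. Listener on port 8000 (the backdoor service listens there per the advisory).
Get-NetTCPConnection -State Listen -LocalPort 8000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Port 8000 listening, owned by PID $($_.OwningProcess) ($($proc.ProcessName))"
    }

# 5. Terminal Service moved to port 61. Assumption: the registry tweak the advisory
#    describes is visible in the standard RDP-Tcp PortNumber value (default 3389).
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
           -Name PortNumber -ErrorAction SilentlyContinue
if ($rdp -and $rdp.PortNumber -eq 61) {
    $findings += 'Terminal Service PortNumber is 61 (default is 3389)'
}

# 6. Cleared Security log: Windows writes event ID 1102 when the audit log is cleared.
#    A recent 1102 on a host showing the indicators above is consistent with the
#    advisory's "clears the Event Logs" behaviour.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $cleared) {
    $findings += "Security log cleared at $($e.TimeCreated)"
}

if ($findings.Count -eq 0) {
    'No Backdoor.Yonsole indicators found.'
} else {
    'Backdoor.Yonsole indicators:'
    $findings | ForEach-Object { " - $_" }
}
```

The checks are ordered from the most specific (mutex, exact file and service names) to the least (a port 8000 listener or a cleared Security log can have benign causes), so treat the last two as corroboration rather than as a detection on their own. Because the worm clears the logs after installation, an absence of 1102 events does not rule out an infection on a host that shows the file or registry indicators.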