TrendMicro: PE_YAMI.A (Cavity Infector)

Discussion in 'malware problems & news' started by Randy_Bell, May 28, 2005.

Thread Status:
Not open for further replies.
Randy_Bell, Registered Member (joined May 24, 2002; Santa Clara, CA)
PE_YAMI.A is a destructive, file-infecting virus that is currently spreading in China. This virus only infects valid portable executable (PE) files, which are 32-bit Windows executable files. It validates the type of file by checking its PE header. It then uses a cavity type of infection, infecting the file by inserting chunks of its virus code into the host file. It is currently spreading in the wild and infecting computers running Windows XP.

Upon execution, this virus searches for PE files to infect in a target system's current folder. It writes a total of 3,029 bytes to the host file. However, because this is a cavity type virus, the file size of the infected file does not increase after infection. After infecting the host file, it utilizes a table to store information about the inserted virus code, such as the size and the next offset of the inserted chunks of virus code.

Once the file has been infected, this virus avoids reinfecting it by using its infection marker, YM. Once it has completed all of its routines, it then passes control back to the host file.

This virus may overwrite the hard disk of infected systems and attempt to damage the infected system by corrupting data in the CMOS.

The following string is found in the virus code:
v1.1 YANGMIN

If you would like to scan your computer for PE_YAMI.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at:

PE_YAMI.A is detected and cleaned by Trend Micro pattern file #2.638.05 and above.
Last edited: May 28, 2005
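Two properties in the advisory above matter for detection: the virus only touches files whose PE header validates, and because the code goes into cavities the file size does not change, so size-based integrity checks miss it. The Python below is an added example, not Trend Micro's or the poster's code: it parses the PE section table, flags zero-padding regions (section tails and inter-section gaps) that contain non-zero bytes, and builds a constructed miniature PE32 image to exercise the check. The advisory does not say where the YM marker sits, so only the reported "v1.1 YANGMIN" string is used as a constant; the sample layout, offsets and payload are constructed for illustration.

```python
import struct

MARKER = b"v1.1 YANGMIN"  # string the advisory reports inside the virus body

def parse_pe(data):
    """Validate MZ/PE headers; return (is_pe32, [(name, raw_ptr, raw_size, virt_size)])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)  # COFF header fields
    is_pe32 = struct.unpack_from("<H", data, pe_off + 24)[0] == 0x10B  # optional-header Magic
    sections = []
    for i in range(nsect):
        off = pe_off + 24 + opt_size + 40 * i  # section headers follow the optional header
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0"), rptr, rsize, vsize))
    return is_pe32, sections

def find_cavity_data(data):
    """List padding regions (section tails and inter-section gaps, normally all zero)
    that hold non-zero bytes; a cavity infector writes there, so file size is no clue."""
    parsed = parse_pe(data)
    if parsed is None:
        return None
    findings, sections = [], sorted(parsed[1], key=lambda s: s[1])
    for i, (name, rptr, rsize, vsize) in enumerate(sections):
        if rsize > vsize and data[rptr + vsize:rptr + rsize].strip(b"\0"):
            findings.append((name, "section tail", rptr + vsize))
        end = rptr + rsize
        nxt = sections[i + 1][1] if i + 1 < len(sections) else len(data)
        if nxt > end and data[end:nxt].strip(b"\0"):
            findings.append((name, "inter-section gap", end))
    return findings

def build_sample_pe(payload=b""):
    """Constructed PE32 image (not a real binary): two 0x100-byte sections at 0x200 and
    0x400, each followed by 0x100 zero bytes; `payload` goes into the first gap."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")  # PE32 magic, rest zeroed
    sec = lambda n, vs, va, rs, rp: struct.pack("<8sIIII", n, vs, va, rs, rp).ljust(40, b"\0")
    hdr = dos + coff + opt + sec(b".text", 0x100, 0x1000, 0x100, 0x200) \
        + sec(b".data", 0x100, 0x2000, 0x100, 0x400)
    img = bytearray(hdr.ljust(0x600, b"\0"))
    img[0x200:0x300], img[0x400:0x500] = b"\xCC" * 0x100, b"\xAA" * 0x100  # section bodies
    img[0x300:0x300 + len(payload)] = payload  # lands in zero slack; size unchanged
    return bytes(img)
```

On real binaries, non-zero slack is also produced by some linkers and packers, so treat a finding as a reason to inspect the file, not as a verdict on its own.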