Aliases: Virus.Win32.Yourde, W32/Yourde, W32.Yourde, W32/Yourde-A
Variants: Win32/Yourde.A, TROJ_YOURDE.A, W32/Yourde.A, Trojan.Yourde.A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 29 Apr 2003
Damage: Low

Characteristics: W32/Yourde exploits a vulnerability in the JavaScript parser of Adobe Acrobat v5.0.5. The vulnerability allows JavaScript code in a PDF to write files into the Acrobat Plug-ins folder. The virus affects Windows operating systems such as Windows 2000, Windows 98, Windows 95, Windows Me, Windows XP and Windows NT.

More details about W32.Yourde

When an infected PDF file is opened, the JavaScript code in the file executes, writes the file Death.api into the Acrobat plug-ins folder and writes the file Evil.fdf to the root of drive C. Death.api contains the virus's replication code, and Evil.fdf contains the JavaScript code that launches the virus from infected files. When Acrobat is restarted, the plug-in is loaded from the plug-ins folder and the virus is activated. Once active, it adds Evil.fdf and Death.api to any existing PDF file that is opened and then saved. The virus does not affect files that are not saved, and it does not affect newly created files. If you edit an infected file, the virus reinfects it when the file is saved.
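As an added defender-side example (not part of this description), a Python triage check for the infection pattern described above: it flags a PDF that carries a JavaScript action referencing the dropped file names, and lists any Death.api present in an Acrobat plug-ins folder. The sample PDFs are constructed inline, and the regex markers and raw-byte matching are this example's own assumptions.

```python
import os
import re

# Indicators taken from the description above: the two files the
# JavaScript dropper writes (Death.api into Acrobat's plug-ins folder,
# Evil.fdf into the root of C:). Names are matched case-insensitively.
DROPPED_NAMES = ("death.api", "evil.fdf")
# PDF actions that carry JavaScript: /S /JavaScript, or a /JS entry
# followed by a string, hex string or array (assumed marker, not from the page).
JS_ACTION = re.compile(rb"/S\s*/JavaScript|/JS\s*[\(<\[]")


def scan_pdf_bytes(data: bytes) -> dict:
    """Report Yourde-style indicators found in the raw bytes of a PDF."""
    lowered = data.lower()
    found = [n for n in DROPPED_NAMES if n.encode() in lowered]
    has_js = JS_ACTION.search(data) is not None
    # A JavaScript action together with a dropped-file name is the pattern
    # described for this virus; either indicator alone is only a hint.
    return {"has_javascript": has_js, "dropped_names": found,
            "suspicious": has_js and bool(found)}


def scan_pdf_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


def plugins_dir_hits(plugins_dir: str) -> list:
    """Return any file in an Acrobat plug-ins folder named Death.api."""
    return sorted(name for name in os.listdir(plugins_dir)
                  if name.lower() == "death.api")


# Constructed samples (not real malware): a minimal PDF whose OpenAction
# runs JavaScript that merely names both dropped files, and a clean PDF.
INFECTED_SAMPLE = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R"
                   b"/OpenAction<</S/JavaScript/JS(var f='C:\\\\Evil.fdf';"
                   b"var p='Death.api';)>>>>endobj\n%%EOF\n")
CLEAN_SAMPLE = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
                b"%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, scan_pdf_bytes(blob))
```

Matching runs on raw bytes, so a JavaScript object stored in a compressed stream would not be seen by this check; treat it as a first-pass heuristic rather than a full PDF parser.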

W32.Yourde also opens a backdoor on the system: it opens an otherwise unused port and uses it to make an unmonitored connection to an IRC server whose address is hard-coded in the program. It joins an IRC channel as a logged-in user and receives commands from a remote user, often the person who wrote the program. Users report that W32.Yourde can be made to send information about the infected computer, typically its IP address, computer name, operating system and installed programs.