
Monday, July 30, 2007

IM worm, rvhost.exe, W32.Yautoit.N

W32.Yautoit.N is a worm that spreads through Yahoo! Instant Messenger.
It was discovered on 12 December 2006 and affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP.

Symptoms
The worm sends the following messages (unaccented Vietnamese; an English rendering follows each one) through Yahoo! Instant Messenger. Every message carries a link to the same site, so the URL itself is the most reliable thing to filter on:

"E may, vao day coi co con nho nay ngon lam http://nhattruongquang.0catch.com"
[English: "Hey you, come here and look at this girl, she's really hot ..."]

"Vao day nghe bai nay di ban http://nhattruongquang.0catch.com"
[English: "Come here and listen to this song, friend ..."]

"Biet tin gi chua, vao day coi di http://nhattruongquang.0catch.com"
[English: "Heard the news yet? Come here and see ..."]

"Trang Web nay coi cung hay, vao coi thu di http://nhattruongquang.0catch.com"
[English: "This website is pretty good, come and take a look ..."]

"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? http://nhattruongquang.0catch.com"
[English: "I wander lost in the freezing dark; where do I go now that I've lost you? Where do I go when so many dreams have shattered... Where to, I don't know where to go? ..."]

"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... http://nhattruongquang.0catch.com"
[English: "Cry so the longing in my heart fades, cry so the sorrow feels light as nothing. All the love of days gone by has dissolved like smoke drifting far away... ..."]

"Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... http://nhattruongquang.0catch.com"
[English: "If only you had never said you would love me forever, I would be happier now. Now you have strayed to some faraway place, and the bitterness is mine alone... ..."]

"Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... http://nhattruongquang.0catch.com"
[English: "What you said about our love was like the ending of a sad film. You came like a dream and then left, taking me by surprise... ..."]

"Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...http://nhattruongquang.0catch.com"
[English: "I give back to you the joy of being near you, I give back the loving words you offered, I give back the faith we built over the years. Now all that remains are sad memories... ..."]


The worm terminates the following processes and closes these applications whenever it finds them running (this is why regedit and Task Manager keep disappearing on an infected machine):
Registry Editor
Task Manager
Bkav2006
game_y.exe
"System Configuration" (the msconfig window)

HOW TO REMOVE

1. Temporarily disable System Restore (Windows Me/XP), so that cleaned files are not restored from a restore point later.
2. Update your virus definitions.
3. Reboot the computer into Safe Mode.
4. Run a full system scan and clean or delete all infected files.
5. Open Registry Editor (regedit) and delete or reset the values the worm added, listed below. If regedit refuses to start because the worm's DisableRegistryTools policy is still in place, clear that policy value first from a command prompt with reg.exe (or with the script below), then reopen regedit.

Reset the value (do not leave it pointing at the worm; the system shell must remain Explorer.exe):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: "Shell" = "Explorer.exe RVHOST.exe"
back to its default:
Value: "Shell" = "Explorer.exe"

Delete the value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "Yahoo Messengger" = "%System%\RVHOST.exe" (the misspelling "Messengger" is the worm's own; match it exactly)

Delete the value:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Value: "shared" = "[SHARED DRIVE]\New Folder.exe"

Reset the values (set them to 0 or delete them; they are what locks you out of Task Manager and regedit):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Values:
"DisableTaskMgr" = "1"
"DisableRegistryTools" = "1"

Reset the value (set it to 0 or delete it; it hides Folder Options so you cannot show hidden files):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Value: "NoFolderOptions" = "1"

Reset the value (delete it so the Task Scheduler default applies again):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
Value: "AtTaskMaxHours" = "0"

Delete the value (an autostart entry the worm adds under the Run key, named to look like the Bkav firewall):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: "BkavFw"

Delete the value (another autostart entry under the Run key, named to look like an IE protection component):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: "IEProtection"

6. Exit registry editor and restart the computer.

7. To make sure that W32.Yautoit.N has been completely removed, run a full scan with up-to-date antivirus and antispyware software. If you would rather not install anything on the machine, an online virus scanner can perform the scan instead.
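The registry part of the procedure above (steps 5 and 6) is tedious to do by hand, and regedit may not even open until the DisableRegistryTools policy is gone. The following script is an added example, not code from the original page or from any antivirus vendor: it stops the running RVHOST.exe, removes every value listed above, resets the Winlogon Shell to Explorer.exe rather than deleting it, and deletes the dropped binary. It assumes an elevated PowerShell session (2.0 or later) on the infected machine; the key and value names are exactly those in the list above, and the %System% path is resolved through the environment rather than hard-coded.

```powershell
# Added example: automate the W32.Yautoit.N registry clean-up described above.
# Not the page's own code. Assumes an elevated PowerShell session on the
# affected machine. Run with -WhatIf first to see what would be changed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$system32 = [Environment]::GetFolderPath('System')   # resolves %System%
$dropper  = Join-Path $system32 'RVHOST.exe'

# 1. Stop the running copy first, otherwise it re-creates the values and
#    closes regedit / Task Manager while we work.
Get-Process -Name 'rvhost' -ErrorAction SilentlyContinue | ForEach-Object {
    if ($PSCmdlet.ShouldProcess("PID $($_.Id) ($($_.Path))", 'Stop-Process')) {
        Stop-Process -Id $_.Id -Force
    }
}

# 2. Policy values the worm sets to lock the user out. Deleting a policy value
#    restores the default (feature enabled); no need to write a 0.
$policyValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';                  Name = 'AtTaskMaxHours' }  # delete so the default applies
)

# 3. Autostart and share entries the worm adds. "Yahoo Messengger" is the
#    worm's own misspelling and must be matched exactly.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'IEProtection' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'BkavFw' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared' }
)

foreach ($v in ($policyValues + $runValues)) {
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }                      # value not present: nothing to do
    Write-Host ("Found {0}\{1} = {2}" -f $v.Key, $v.Name, $item.($v.Name))
    if ($PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -Path $v.Key -Name $v.Name
    }
}

# 4. Winlogon Shell: reset, never delete, so the machine still logs on to a desktop.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name 'Shell' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'Explorer.exe') {               # -ne is case-insensitive in PowerShell
    Write-Host "Winlogon Shell is '$shell'"
    if ($PSCmdlet.ShouldProcess("$winlogon\Shell", "Set to 'Explorer.exe'")) {
        Set-ItemProperty -Path $winlogon -Name 'Shell' -Value 'Explorer.exe'
    }
}

# 5. The dropped binary itself; safe to remove once the process is gone.
if (Test-Path $dropper) {
    if ($PSCmdlet.ShouldProcess($dropper, 'Remove-Item')) {
        Remove-Item -Path $dropper -Force
    }
}
```

Save it as, for example, clean-yautoit.ps1 and run it once with -WhatIf to review the findings, then without. It only removes the named values, so a legitimate "Shell" or "Run" entry that the worm did not touch is left alone; still reboot and run the full scan from step 7 afterwards, because the script handles the registry persistence, not the infected files the scanner finds.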
