Alias: W32.Yaha.D@mm, I-Worm.Lentin.e [AVP], W32/Yaha.e@MM [McAfee], W32/Yaha-D [Sophos], WORM_YAHA.D [Trend], Win32.Yaha.D [CA]
Type: Worm
Size: 25,619 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version:
Danger: Medium
Distribution: High

Distribution

The worm sends itself to all email addresses it can find in:
-Windows Address Book
-MSN Messenger List
-Yahoo Pager List
-ICQ List
-files with extension containing 'ht'.

It uses its own SMTP engine.

URL:
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullsh*tscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
f*cker

with the extensions .com .org .net

From: random name.

Subject: formed out of the following strings:


"Fw: "

" "

":-)"

"!"

"!!"

"to ur friends"

"to ur lovers"

"for you"

"to see"

"to check"

"to watch"

"to enjoy"

"to share"

"Screensaver"

"Friendship"

"Love"

"relations"

"stuff"

"Romantic"

"humour"

"New"

"Wonderfool"

"excite"

"Cool"

"charming"

"Idiot"

"Nice"

"Bullsh*t"

"One"

"Funny"

"Great"

"LoveGangs"

"Shaking"

"powful"

"Joke"

"Interesting"

"U realy Want this"

"searching for true Love"

"you care ur friend"

"Who is ur Best Friend "

"make ur friend happy"

"True Love"

"Dont wait for long time"

"Free Screen saver"

"Friendship Screen saver"

"Looking for Friendship"

"Need a friend?"

"Find a good friend"

"Best Friends"

"I am For u"

"Life for enjoyment"

"Nothink to worryy"

"Ur My Best Friend "

"Say 'I Like You' To ur friend"

"Easy Way to revel ur love"

"Wowwwwwwwwwww check it"

"Send This to everybody u like"

"Enjoy Romantic life"

"Let's Dance and forget pains"

"war Againest Loneliness"

"How sweet this Screen saver"

"Let's Laugh "

"One Way to Love"

"Learn How To Love"

"Are you looking for Love"

"love speaks from the heart"

"Enjoy friendship"

"Shake it baby"

"Shake ur friends"

"One Hackers Love"

"Origin of Friendship"

"The world of lovers"

"The world of Friendship"

"Check ur friends Circle"

"Friendship", "how are you"

"U r the person?"

"Hi"

"¯"

Body:

%HTML%%HEAD%%/HEAD%%BODY% followed by %iframe src=3Dcid:[SomeCID] height=3D0 width=3D0%%/iframe%

[nothing] followed by: %FONT%%/FONT% and by: [text that is gathered from .doc and .txt files on the infected computer.] Check the attachment too..

Hi Dear
Check the Attachement ..
See u
%Infected Computer's Username%
----- Original Message -----
From: "Friendship" % friendshipscr@[URL constructed above]%
To: % [Infected User's e-mail Address] %
Sent: Friday, May 11, 2002 8:38 PM
Subject: [Subject constructed above]

followed by:

This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
*********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.[URL constructed above] to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: [URL constructed above]/remove?freescreensaver
* Enter your email address ([infected user's e-mail address]) in the field provided and click "Unsubscribe".
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address [infected user's e-mail address]
X-PMG-Recipient: [Infected Username]


The message ends with %/BODY%%/HTML%.

Attachment:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love

followed by: .doc .mp3 .xls .wav .txt .jpg .gif .dat .bmp .htm .mpg .mdb .zip

and one of the extensions: .pif .bat .scr
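
A mail-gateway check for the message traits listed above, as an added example that is not part of the original description: it flags attachments named with a decoy extension followed by .pif, .bat or .scr, and HTML bodies carrying a zero-size iframe that loads an embedded part. It assumes the % marks in the body description stand for angle brackets; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Name lists copied from the description above.
BASE_NAMES = {"loveletter", "resume", "biodata", "dailyreport", "mountan",
              "goldfish", "weeklyreport", "report", "love"}
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat", "bmp",
              "htm", "mpg", "mdb", "zip"}
EXEC_EXTS = {"pif", "bat", "scr"}
# Zero-size iframe that loads an embedded (cid:) part. Assumes the % marks in
# the description stand for angle brackets in the real message.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b(?=[^>]*\bsrc=[\"']?cid:)(?=[^>]*\bheight=[\"']?0\b)"
    r"(?=[^>]*\bwidth=[\"']?0\b)", re.I)

def classify_attachment(filename):
    """Return 'yaha-name', 'double-extension' or None for one file name."""
    parts = filename.strip(" .").lower().rsplit(".", 2)
    if len(parts) != 3 or parts[1] not in DECOY_EXTS or parts[2] not in EXEC_EXTS:
        return None
    return "yaha-name" if parts[0] in BASE_NAMES else "double-extension"

def scan_message(raw):
    """List (item, verdict) findings for a raw RFC 5322 message."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        verdict = classify_attachment(name) if name else None
        if verdict:
            findings.append((name, verdict))
        # get_content() undoes quoted-printable, so "=3D" is matched as "=".
        if part.get_content_type() == "text/html" and not name:
            if HIDDEN_IFRAME.search(part.get_content()):
                findings.append(("html-body", "hidden-cid-iframe"))
    return findings

def build_sample():
    """Constructed message for the demo; not a captured sample."""
    msg = EmailMessage()
    msg["Subject"] = "Fw: Friendship Screen saver"
    msg.set_content("Check the attachment too..")
    msg.add_alternative("<html><body><iframe src=cid:part1 height=0 width=0>"
                        "</iframe></body></html>", subtype="html")
    for fname in ("loveletter.doc.scr", "report.xls"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The "double-extension" verdict goes beyond the nine base names listed here, so a renamed attachment that keeps the same extension pattern is still caught.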

Technical Details

The email addresses collected by the worm are saved into \%Windows%\%variable%%variable%.dll, where %variable% is a 6-digit random number. For example, if the random number is 123456, the file name is \%Windows%\123456123456.dll.
The worm disguises its activity by displaying text. It changes the Windows interface so that it looks like a screen saver and displays the following texts:
U r so cute today #!#!
True Love never ends
I like U very much!!!
U r My Best Friend

The worm tries to terminate antivirus and firewall processes. It enumerates the active processes and ends any whose name is in the following list:
SCAM32 SIRC32 WINK ZONEALARM AVP32 LOCKDOWN2000 AVP.EXE CFINET32 CFINET ICMON SAFEWEB WEBSCANX ANTIVIR MCAFEE NORTON NVC95 FP-WIN IOMON98 PCCWIN98 F-PROT95 F-STOPW PVIEW95 NAVWNT NAVRUNR NAVLU32 NAVAPSVC NISUM SYMPROXYSVC RESCUE32 NISSERV ATRACK IAMAPP LUCOMSERVER LUALL NMAIN NAVW32 NAVAPW32 VSSTAT VSHWIN32 AVSYNMGR AVCONSOL WEBTRAP POP3TRAP PCCMAIN PCCIOMON

Depending on the directory name in use, the worm copies itself either into that directory or into \%Windows%. The file name has 6 random numbers.
The worm changes the following registry entry so that it is reactivated every time an .exe file is opened:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
The value is changed to:
"[WormName]" %1 %*
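
A host triage check for two of the traces described in this section, as an added example that is not part of the original description: it compares the exefile open command with the Windows default `"%1" %*` and looks for the repeated six-digit .dll name used for the collected addresses. The function names and sample inputs are constructed; the sample path is a placeholder, not a value from this page.

```python
import re

KEY = r"Software\Classes\exefile\shell\open\command"  # under HKEY_LOCAL_MACHINE
EXPECTED = '"%1" %*'  # Windows default: run the clicked program itself
# "[WormName]" %1 %* : another program is started first and handed the target.
INTERPOSED = re.compile(r'^"([^"]+)"\s+%1\s+%\*$')
# Address store \%Windows%\<6 digits><same 6 digits>.dll, e.g. 123456123456.dll
ADDRESS_STORE = re.compile(r"^(\d{6})\1\.dll$", re.I)

def read_exefile_command():
    """Read the live value (Windows only; not called by the demo below)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        return winreg.QueryValueEx(key, "")[0]

def check_command(value):
    """Return (status, program) for an exefile open-command value."""
    value = " ".join(value.split())
    if value == EXPECTED:
        return ("default", None)
    match = INTERPOSED.match(value)
    if match:
        return ("interposed", match.group(1))
    return ("modified", None)

def find_address_stores(file_names):
    """Pick out names matching the repeated six-digit .dll pattern."""
    return [n for n in file_names if ADDRESS_STORE.match(n)]

def triage(command_value, windows_dir_names):
    """Combine both checks into one report for a host."""
    status, program = check_command(command_value)
    return {"exefile_command": status, "program": program,
            "address_stores": find_address_stores(windows_dir_names)}

# Constructed inputs for the demo; on a live host use read_exefile_command()
# and os.listdir() of the Windows directory instead.
SAMPLE_COMMAND = r'"C:\WINDOWS\000000.exe" %1 %*'
SAMPLE_LISTING = ["notepad.exe", "123456123456.dll", "123456654321.dll", "win.ini"]

if __name__ == "__main__":
    print(triage(SAMPLE_COMMAND, SAMPLE_LISTING))
```

While the handler is redirected, every .exe launch goes through the interposed program, so the value should be reset to the default before or together with removing the file it points to.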

It also creates a text file with a random name in the Windows directory, for example %variable_filename%.txt. This file contains the following text:
w32.yAHa.D
aUThor :H^H,h2h@achayans.com
oRigIN :inDia,kERala(gODs oWn cOUntrY)
kANagaaa ,mANdi pEnnee nJan Ninne sNEhikkunnuu..
oRu sITe kITTiyirunnegggil.. hACk CHEyyyamayirunnuuu..

Description created by Crony Walker on Tuesday, June 15, 2004
