Worm/Yaha.E - Worm

Siehe auch

Vollständig

Alias:	I-Worm.Lentin.f
Type:	Worm
Size:	29,839 bytes
Origin:	unknown
Date:	06-19-2002
Damage:
VDF Version:
Danger:	Medium
Distribution:	Medium

SymptomsTerminates running processes, like antivirus software and firewall applications.

DistributionIt sends itself by email, as executable .pif .bat .scr files.

Technical DetailsWorm/Yaha.E is a mass mailer, which sends itself by email to addresses collected from the local * .HT* files, Windows Address Book , MSN Messenger, ICQ and Yahoo Messenger. The attachment of the email has the extension .BAT, .PIF or .SCR.

The subject, body and attachment can have different appearance. The name of the attachment, for example, can be composed of the following parts:

First part:

* loveletter
* resume
* love
* weeklyreport
* goldfish
* report
* mountan
* biodata
* dailyreport
* lovegreetings
* shakingfriendship

then the first extension:

* .wav
* .doc
* .mp3
* .bmp
* .jpg
* .gif
* .txt
* .xls
* .htm
* .mpg
* .zip
* .dat

and the second extension:

* .pif
* .bat
* .scr

When the attachment is opened, W32/Yaha.E copies itself in the hidden C:\Recycled\ with a random name. Another copy, but of .TXT type, will be placed in Windows. It has the following lines:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E

iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK shites

bY

sNAkeeYes,c0Bra
<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

W32/Yaha.E makes the following registry entry, to ensure that it will be activated by the next system start:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\recycled\\<RANDOM NAME>\" %1 %*"

With this entry, W32/Yaha.E is started whenever an .EXE file is opened. If one of the following applications is active, W32/Yaha.E will try to terminate it:

* SCAM32
* SIRC32
* WINK
* ZONEALARM
* AVP32
* LOCKDOWN2000
* AVP.EXE
* CFINET32
* CFINET
* ICMON
* SAFEWEB
* WEBSCANX
* ANTIVIR
* MCAFEE
* NORTON
* NVC95
* FP-WIN
* IOMON98
* PCCWIN98
* F-PROT95
* F-STOPW
* PVIEW95
* NAVWNT
* NAVRUNR
* NAVLU32
* NAVAPSVC
* NISUM
* SYMPROXYSVC
* RESCUE32
* NISSERV
* ATRACK
* IAMAPP
* LUCOMSERVER
* LUALL
* NMAIN
* NAVW32
* NAVAPW32
* VSSTAT
* VSHWIN32
* AVSYNMGR
* AVCONSOL
* WEBTRAP
* POP3TRAP
* PCCMAIN
* PCCIOMON

Kurzfassung hier.

Beschreibung erstellt von Crony Walker am Tue, 15 Jun 2004 14:00 (GMT+1)

» Über Malware
» Über Phishing
» In-the-Wild-Viren

« zurück