Alias: W32/Yaha.j [McAfee], W32/Yaha-j [Sophos], I-Worm.Lentin.h, W32/Yaha, W32.Yaha.J@mm
Type: Worm
Size: 25,746 Bytes
Origin:
Date: 00-00-0000
Damage: Sent by email.
VDF Version: 6.23.00.00
Danger: Low
Distribution: Low

Distribution
The worm collects email addresses from the following sources:
Windows Address Book
MSN Messenger Contacts
Yahoo pager Contacts
ICQ Contacts
files whose extension contains "ht"

It uses its own SMTP engine to spread. The email contains:

Body:
This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.

Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.truefriends.net to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

To remove yourself from this mailing list, point your browser to:
truefriends.net/remove

Enter your email address in the field provided and click "Unsubscribe".

Reply to this message with the word "REMOVE" in the subject line.

Attachment:
a random file name and a double extension, formed of:
.of
.pdf
.gif
.ppt
.jpg
.doc

followed by:
.scr

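The attachment naming scheme above (a document-style extension followed by .scr) is the kind of thing a mail gateway can flag before the screen saver ever reaches a mailbox. The following Python is an added example, not part of Avira's description: it checks attachment names for exactly the pattern listed on this page, and, as a generalisation by the example's author rather than something the page states, also for other document extensions followed by other executable extensions. The sample file names are constructed.

```python
import re

# First-half extensions exactly as the description lists them (including ".of").
INNER_EXTENSIONS = ("of", "pdf", "gif", "ppt", "jpg", "doc")

# Generalisation (example author's assumption, not from the page): further
# document-like extensions and further executable types Windows will run.
DOCUMENT_EXTENSIONS = INNER_EXTENSIONS + (
    "jpeg", "xls", "txt", "htm", "html", "bmp", "png", "zip", "mp3")
EXECUTABLE_EXTENSIONS = ("scr", "exe", "pif", "com", "bat")

# Exact form given on the page: <anything>.<inner>.scr, case-insensitive.
_YAHA_PATTERN = re.compile(
    r"\.(?:" + "|".join(INNER_EXTENSIONS) + r")\.scr$", re.IGNORECASE)

# Generalised form: <anything>.<document ext>.<executable ext>.
_GENERAL_PATTERN = re.compile(
    r"\.(?:" + "|".join(DOCUMENT_EXTENSIONS) + r")\.(?:"
    + "|".join(EXECUTABLE_EXTENSIONS) + r")$", re.IGNORECASE)


def matches_yaha_attachment(filename):
    """True if the name has the document-extension + .scr form the description gives."""
    return _YAHA_PATTERN.search(filename.strip()) is not None


def is_disguised_executable(filename):
    """True if a document-like extension is directly followed by an executable one."""
    return _GENERAL_PATTERN.search(filename.strip()) is not None


def triage(filenames):
    """Classify each attachment name as 'yaha', 'disguised' or 'ok'."""
    verdicts = {}
    for name in filenames:
        if matches_yaha_attachment(name):
            verdicts[name] = "yaha"
        elif is_disguised_executable(name):
            verdicts[name] = "disguised"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed sample attachment names (not taken from a real message).
SAMPLE_ATTACHMENTS = [
    "friends.jpg.scr",   # the described pattern
    "Report.DOC.SCR",    # same pattern, different case
    "invoice.pdf.exe",   # not .scr; caught only by the generalised check
    "holiday.jpg",       # ordinary image
    "setup.exe",         # plain executable, single extension
    "notes.scr",         # single .scr, not a double extension
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20} {verdict}")
```

The exact check keeps false positives near zero for this family; the generalised check trades some precision (a legitimately named "archive.zip.exe" self-extractor would be flagged) for coverage of later variants that swap .scr for another executable extension, so treat the second verdict as a quarantine-and-review signal rather than an automatic block.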
Technical Details
The worm displays a fake error message:
"Application innitilisation error".
It copies itself into the following hidden files:
C:\%SystemDIR%\Msnmsg32.exe
C:\%SystemDIR%\Nav32.exe
C:\%SystemDIR%\WinReg.exe
It may also create the following files in the Windows installation directory:
Bestfriend.scr
MAtRiX.scr
EvilDaemon.scr
Love.scr
Escort.scr
NeverMind.scr
HotShot.scr
Honey.scr
ScreenSaver.scr
LoverScreenSaver.scr

It makes the autostart registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run  winReg = C:\%SystemDIR%\winReg.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices  winReg = C:\%SystemDIR%\winReg.exe

The following registry entry is modified:
HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command  C:\%SystemDIR%\nav32.exe "%1" %*
so that the worm is activated every time an .exe file is opened.
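Both persistence changes described above (the Run/RunServices values and the hijacked exefile open command) are visible in a registry export, which makes them straightforward to check offline. The following Python is an added example, not Avira's code: it parses the subset of .reg syntax needed here, flags autostart values that point at the file names this page lists, and flags any exefile\shell\open\command that differs from the Windows default of "%1" %*. The sample export is constructed, and the C:\WINDOWS\SYSTEM32 path in it is an assumption standing in for the page's %SystemDIR%.

```python
import re

# Known-good default for HKLM\Software\Classes\exefile\shell\open\command.
WINDOWS_DEFAULT_EXE_COMMAND = '"%1" %*'

# Autostart keys the description says the worm writes to.
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_COMMAND_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"

# File names the description lists as the worm's copies in the system directory.
DROPPED_NAMES = ("msnmsg32.exe", "nav32.exe", "winreg.exe")

# "name"="data" or @="data" (the default value) inside a [key] section.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # Undo .reg string escaping: backslash-backslash and backslash-quote.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse [key] headers plus quoted string values from .reg text.
    Returns {key: {value_name: data}}; the default value uses the empty name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (kind, key, value_name, data) tuples for the two changes the page reports."""
    lower = {k.lower(): v for k, v in keys.items()}  # registry paths are case-insensitive
    findings = []
    for key in AUTOSTART_KEYS:
        for name, data in lower.get(key.lower(), {}).items():
            # Substring match on the command line catches any path to the dropped file.
            if any(dropped in data.lower() for dropped in DROPPED_NAMES):
                findings.append(("autostart", key, name, data))
    command = lower.get(EXEFILE_COMMAND_KEY.lower(), {}).get("")
    if command is not None and command != WINDOWS_DEFAULT_EXE_COMMAND:
        findings.append(("exefile_hijack", EXEFILE_COMMAND_KEY, "(Default)", command))
    return findings


def build_restore_reg():
    """A .reg fragment that puts the exefile open command back to the Windows default."""
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[" + EXEFILE_COMMAND_KEY + "]\n"
        '@="\\"%1\\" %*"\n'
    )


# Constructed sample export (not a capture from a real machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"winReg"="C:\\WINDOWS\\SYSTEM32\\winReg.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"winReg"="C:\\WINDOWS\\SYSTEM32\\winReg.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\nav32.exe \"%1\" %*"
"""

if __name__ == "__main__":
    for kind, key, name, data in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{kind:15} {key}\\{name} = {data}")
    print(build_restore_reg())
```

Order matters during cleanup: the exefile command has to be restored to the default before nav32.exe is deleted, otherwise every .exe launch on the machine fails because Windows can no longer find the program the hijacked command points at.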

It tries to terminate all antivirus and firewall processes. If the name of an active process contains one of the following strings, the worm tries to terminate that process:
NORTON
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT95
F-STOPW
PVIEW95
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
NISUM
SYMPROXYSVC
RESCUE32
NISSERV
VSECOMR
VETTRAY
TDS2-NT
TDS2-98
SCAN32
PCFWALLICON
NSCHED32
IAMSERV.EXE
FRW.EXE
MCAFEE
ATRACK
IAMAPP
LUCOMSERVER
LUALL
NMAIN
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON
ESAFE.EXE
AVPM.EXE
AVPCC.EXE
AMON.EXE
ALERTSVC
ZONEALARM
AVP32
LOCKDOWN2000
AVP.EXE
CFINET32
CFINET
ICMON
SAFEWEB
WEBSCANX
LOCKDOWNADVANCED
APACHE.EXE
ANTIVIR
Description inserted by Crony Walker on Tuesday, June 15, 2004
