Alias: W32/Lentin.M, W32/Yaha.P@mm
Type: Worm
Size: 45,568 bytes
Origin: unknown
Date: 02-28-2003
Damage: Sent by email, spread over local networks
VDF Version:
Danger: Low
Distribution: Medium

General Description
Worm/Yaha.P is a mass mailer that gathers email addresses from the Windows Address Book, from files with the extension *.HT* and from the Yahoo, MSN and .NET Messenger folders. The worm can also spread over local networks.

Symptoms
- terminates running processes such as antivirus software and firewall applications
- the files and registry entries mentioned below

Distribution
It spreads over email and computer networks.

Technical Details
The new version of Worm/Yaha.P (45,568 bytes) is packed with UPX. When activated, the worm copies itself as MSTASK32.EXE into the Windows system directory and creates the following two registry entries so that it is run at the next system start:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"MicrosoftServiceManager" = "%WinSysDir%\mstask32.exe"

and

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices]
"MicrosoftServiceManager" = "%WinSysDir%\mstask32.exe"

A second file, EXELOADER.EXE, is also copied into the Windows system directory. The following registry entry ensures that Worm/Yaha.P is activated whenever an .EXE file is opened:

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@ = "%WinSysDir%\exeLoader.exe "%1"%*"

Worm/Yaha.P sends itself by mail using its own SMTP engine. This lets it mail the harvested addresses without relying on an email program such as Outlook. The worm searches for addresses in the Windows Address Book, in files of type *.HT* and in the Yahoo, MSN, .NET Messenger and ICQ folders.

The email sent by Worm/Yaha.P is recognisable because the sender's name, subject, body and attachment name are each chosen from a fixed list of words and phrases.

The sender's name is one of the following:
Love Inc., Jericho, Romantic Screensavers, Trend Micro, Norton Antivirus, McAfeeInc., Cupid, Jonathan, Susan, Noopman, The Rock, britneyspears.org,
zporNstarS, Lovers Screensavers, Valentine Screensavers, American Beauty, John Vandervochich, Ross Anderson, Jasmine Stevens, Ralph Jones, Clark Steel, Kyo Kusanagi, Iori Yagami, Terry Bogard, Omega Rugal, KOF Online, Cathy Kindergarten, Jaucques Antonio Barkinstein, Romeo & Juliet, Screensavers of Love, Raveena, Pusanova, Zdenka Podkapova, Jenna Jameson, Club Jenna, Veronica
Anderson, Benting, Paul Owen, admin@hackers.com, admin@viruswriters.com, admin@hackersclub.com, Nicolas Schwarzeneggar, Keanu Stevenson, Nomadic, Screensavers, XXX Screensavers, Hardcore Screensavers, Playboy Inc., Plus 2, Plus 6, Real Inc., Sexy Screensavers, Super Soccer, Rocking Stone, me2K, SQL Library, Codeproject or Klein Anderson

The worm uses one of the following return addresses:
loverscreensavers@love.com, caijob@online.sh.cn, romanticscreensavers@love.com, av_patch@trendmicro.com, av_patch@norton.com, av_patch@mcafee.com, cupid@freescreensavers.com, yjworks@online.sh.cn, samsun@online.sh.cn, ericpan@online.com.pk, therock@wwe.com, newsletters@britneyspears.org, admin@zpornstars.com, screensavers@lovers.com, valentinescreensavers@t2k.com, luoairong@21cn.com, hamada@seikosangyo.com, lubing@7135.com, zhouyuye@citiz.net, admin@kofonline2.com, cathy@21cn.com, super@21cn.com, DNA_seraph@163.com, love@lovescreensavers.com, ravs@go2pussy.com, zdenka@zpornstars.com, jenna@jennajameson.com, admin@clubjenna.com, services@tcsonline2.com, btq@2632.com, paul@kqscore2.com, admin@hackers2.com, admin@viruswriters.com, admin@hackersclub2.com, nics@noma.com, kkn@k2k.com, screensavers@nomadic.com, free@xxxscreensavers.com, free@hardcorescreensavers.com, sales@playboy.com, plus@real.com, plus@real.com, sales@real.com, free@sexyscreensavers.com, marketing@suppersoccer.com, stone@esterplaza.com, me@me2K.om, free@sql.library.com, admin@codeproject2.com or kl@aminoprojects.com

Combined, the sender's name and address can look like this:
"Love Inc.<Loverscreensavers@love.com>"

The subject is one of the following:
Sample Screensavers, Project, Free Screensavers 4 U, Patch for Klez.H, Patch for Klez.H, Patch for Elkern.gen, Lovers Corner, Things to note, Wanna be friends ?, Freak Out, WWE Screensavers, Free Screensavers, Free XXX, Free Screenavers of Love, Who is your Valentine, Are you beautiful, Need money ??, Wanna be friends ??, Wanna be friends ??, Free Demo Game, Demo KOF 2002, Play KOF 2002 4 Free, Wanna Rumble ??, Wanna Brawl ??, The King of KOF, Sample KOF 2002, Wanna be friends ??, Wanna Hack ??, Feel the fragrance of Love, Free Screensavers, Free rAVs Screensavers, XXX Screensavers, Jenna 4 U, Screensavers from Club Jenna, Wanna be my sweetheart ??, Whats up, World Tour, One Hacker's Love, One Virus Writer's Story, Visit us, Wanna be a HE-MAN, We want peace, Free Screensavers 4 U, XXX Screensavers 4 U, Hardcore Screensavers 4 U, Sample Playboy, Check it out, Sexy Screensavers 4 U, Are you a Soccer Fan ?, Wanna be like a stone ?, I Love You.., Learn SQL 4 Free, Free Win32 API source or Are you the BEST

The attachment has one of these names:
Love.scr, Project.exe, Romantic.scr, FixKlez.com, FixKlez.com, FixElkern.com, Cupid.scr, Notes.exe, MyPic.scr, FreakOut.exe, THEROCK.scr, Britney_Sample.scr, zXXX_BROWSER.exe, Love.scr, Valentines_Day.scr, Beautifull.scr, Ways_To_Earn_Money.exe, MyProfile.scr, My_Sexy_Pic.scr, KOF.exe, King_of_Figthers.exe, KOF2002.exe, KOF_The_Game.exe, KOF_Demo.exe, KOF_Sample.exe, KOF_Fighting.exe, MyPic.scr, Hacker.scr, Romeo_Juliet.scr, Free_Love_Screensavers.scr, Ravs.scr, zDenka.scr, Jenna_Jemson.scr, Sexy_Jenna.scr, Sweetheart.scr, up_life.scr, World_Tour.scr, Hacker_The_LoveStory.scr, VXer_The_LoveStory.scr, Services.scr, Body_Building.scr, Peace.scr, Screensavers.scr, xxx4Free.scr, Hardcore4Free.scr, Playboy.scr, Plus2.scr, Plus6.scr, Real.scr, Sex.scr, Soccer.scr, Stone.scr, I_Love_You.scr, SQL_4_Free.scr, Codeproject.scr or The_Best.scr

The email body is one of the following:

Hello,
The attached product is send as a part of our official campaign for the popularity of our product.
You have been chosen to try a free fully functional sample of our product.If you are satified then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5.Once your account reaches the limit of $50, your payment will be send to your registration address by check or draft.

Please note that the registration process is completely free which means by participating in this program you will only gain without loosing anything.

Best Regards,
Admin

or

Hello,
Looking for some Hardcore mind boggling action ?
Install the attached browser software and browse
across millions of paid hardcore sex sites for free.
Using the software you can safely and easily browse
across most of the hardcore XXX paid sites across the
internet for free. Using it you can also clean all
traces of your web browsing from your computer.

Note:The attached browser software is made exclusivley
for demo only. You can use the software for a limited
time of 35 days after which you have to register it
at our official website for its furthur use.

Regards,
Admin.

or

Hello,
The attached product is send as a part of our official campaign for the popularity of our product.
You have been chosen to try a free fully functional sample of our product.If you are satified then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5.Once your account reaches the limit of $50, your payment will be send to your registration address by check or draft.

Please note that the registration process is completely free which means by participating in this program you will only gain without loosing anything.

Best Regards,
Admin


or

Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC.

or

Hello,
I just came across your email ID while searching in the Yahoo profiles. Actually I want a true friend 4 life with whom I can share my everything. So if you are interested in being my friend 4 life then mail me. If you wanna know about me, attached is my profile along with some of my pics. You can check and if you like it then do mail me. I will be waiting for your mail.

Best Wishes
Your Friend..

or

This E-Mail is never sent unsolicited. If you receive this E-Mail then it is because you have subscribed to the official newsletter at the KOF ONLINE website.

King Of Fighters is one of the greatest action game ever made. Now after the mind boggling sucess of KOF 2001 SNK proudly presents to you KOF 2002 with 4 new charecters.

Even though we need no publicity for our product but this time we have decided to give away a fully functional trial version of KOF 2002. So check out the attached trial version of KOF 2002 and register at our official website to get a free copy of KOF2002 original version

Best Regards,
Admin,KOF ONLINE..

Worm/Yaha.P exploits the IFRAME security hole. As a result it can be activated when the message is shown in the preview pane; the user does not need to open the attachment.
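As an added example, not part of the Avira description, the following Python check flags a raw message against a subset of the sender names, return addresses, subjects and attachment names listed above, and also notes an HTML part whose iframe points at an attached part, which is the preview trick just described. The sample message is constructed here, not a real capture.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Subsets of the sender names, return addresses, subjects and attachment names
# given in the description above; extend from the full lists as needed.
SENDER_NAMES = {"Love Inc.", "Trend Micro", "Norton Antivirus", "KOF Online", "Club Jenna"}
RETURN_ADDRS = {"loverscreensavers@love.com", "av_patch@trendmicro.com",
                "av_patch@norton.com", "admin@kofonline2.com", "admin@clubjenna.com"}
SUBJECTS = {"Sample Screensavers", "Patch for Klez.H", "Demo KOF 2002", "Jenna 4 U"}
ATTACHMENTS = {"love.scr", "fixklez.com", "kof2002.exe", "sexy_jenna.scr"}


def yaha_indicators(raw: bytes) -> list[str]:
    """Return the Yaha.P traits found in one raw RFC 822 message (empty list = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    if name in SENDER_NAMES:
        hits.append(f"sender name: {name}")
    if addr.lower() in RETURN_ADDRS:
        hits.append(f"return address: {addr.lower()}")
    if str(msg.get("Subject", "")).strip() in SUBJECTS:
        hits.append(f"subject: {msg['Subject']}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname in ATTACHMENTS:
            hits.append(f"attachment: {fname}")
    # Preview trick: an HTML part whose <iframe> references an attached part (cid:),
    # so the attachment is loaded as soon as the message is rendered.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        content = html.get_content().lower()
        if "<iframe" in content and "cid:" in content:
            hits.append("html iframe referencing an attachment")
    return hits


def constructed_sample() -> bytes:
    """Constructed message imitating the traits above (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Trend Micro <av_patch@trendmicro.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Patch for Klez.H"
    m.set_content("plain text fallback")
    m.add_alternative('<html><body><iframe src="cid:patch"></iframe></body></html>', subtype="html")
    m.add_attachment(b"placeholder bytes, not a real binary", maintype="application",
                     subtype="octet-stream", filename="FixKlez.com")
    return m.as_bytes()
```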

Worm/Yaha.P can also spread over networks, for example over mapped network drives. If it finds one of the following Windows folders on such a drive: WINDOWS, WIN98, WIN95, WINME, WINNT, WINXP or WIN, the worm copies itself there as REG32.EXE and modifies an entry in Win.ini so that it is activated at the next system start.

If the worm finds the folder "Documents and settings\All users\Start menu\Programs\Autostart\" on a network drive, it copies itself there as MSRegScanner.exe, which activates it at the next system start. Like its predecessors and Worm/Klez.E, the worm can terminate a series of running antivirus and firewall processes. It immediately stops applications that use the following window names:

* Windows Task Manager
* System Configuration Utility
* Registry Editor
* Process Viewer

Worm/Yaha.P creates the following registry key:

[HKLM\SOFTWARE\Microsoft\Snakes]
"Author" = "R0xx"
"Version" = "2"
"Web" = "http://www.indiansnakes.cjb.net"
"Comments" = "This system belongs to the great Indians..."

and changes the Internet Explorer start page to:

'www.indiansnakes.cjb.net'
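As an added example, not part of the Avira description, here is a small Python parser for a registry export (.reg text) that reports the persistence artifacts described above: Run/RunServices values pointing at mstask32.exe, a hijacked exefile open command and the Snakes marker key. The export text is constructed, and the clean default command `"%1" %*` for .exe files is an assumption about an unmodified system.

```python
import re

# Registry paths named in the description (lower-cased for matching).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
SNAKES_KEY = r"hkey_local_machine\software\microsoft\snakes"
CLEAN_EXEFILE = '"%1" %*'   # assumed default open command on an unmodified system


def parse_reg_export(text: str) -> dict[tuple[str, str], str]:
    """Parse .reg export text into {(key, value_name): value}; string values are unescaped."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            val = m.group(2).strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            values[(key, name)] = val
    return values


def yaha_findings(values: dict[tuple[str, str], str]) -> list[str]:
    """Report the Yaha.P registry artifacts present in parsed export values."""
    findings = []
    for (key, name), val in values.items():
        if key in RUN_KEYS and "mstask32.exe" in val.lower():
            findings.append(f"autorun value {key}\\{name} -> {val}")
        if key == EXEFILE_KEY and name == "@" and val != CLEAN_EXEFILE:
            findings.append(f"exefile open command hijacked: {val}")
    if any(k == SNAKES_KEY for k, _ in values):
        findings.append("marker key HKLM\\SOFTWARE\\Microsoft\\Snakes present")
    return findings


# Constructed export imitating an infected host (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager"="C:\\WINNT\\System32\\mstask32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\System32\\exeLoader.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Snakes]
"Author"="R0xx"
'''
```

Restoring the exefile command to its default before deleting exeLoader.exe is what keeps .exe files launchable after cleanup.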

Worm/Yaha.P tries to delete the following files from the local hard disk:
* WinRpcsrv.exe
* WinGate.exe
* syshelp.exe
* tcpsvs32.exe
* nav32_loader.exe
* WinServices.exe
* winmgm32.exe

Manual Removal Instructions
- for Windows 2000/XP:
To remove the worm by hand, start in Safe Mode first: press the F8 key when the computer starts and select the 'safe mode' option from the menu that appears. Delete the following file:

* MSTASK32.EXE

Then start "regedit" and edit the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"MicrosoftServiceManager" = "%WinSysDir%\mstask32.exe"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices]
"MicrosoftServiceManager" = "%WinSysDir%\mstask32.exe"

Restart your computer.

- for Windows 9x/ME:
To remove the worm by hand, start in Safe Mode first: press the F8 key when the computer starts and select the 'safe mode' option from the menu that appears. Delete the following file:

* MSTASK32.EXE

Then start "regedit" and edit the following registry entries:

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run]
"MicrosoftServiceManager" = "%WinSysDir%\mstask32.exe"
* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices]
"MicrosoftServiceManager" = "%WinSysDir%\mstask32.exe"

Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
