Alias: W32/Yaha.K, I-Worm.Lentin.i
Type: Worm
Size: 34,304 bytes
Origin: unknown
Date: 12-24-2002
Damage: Sent by email, spread over local networks
VDF Version:
Danger: High
Distribution: High

General Description
Worm/Yaha.M is an Internet worm which gathers email addresses from the Windows Address Book, from files with the extension .HT* (.HTM, .HTML) and from the Yahoo Pager, MSN Messenger and .NET Messenger folders. It then sends itself by email to those addresses, using its own SMTP engine.

Symptoms
Terminates running processes, such as antivirus software and firewall applications.

Distribution
It sends itself by email, using its own SMTP engine, to the email addresses found on the infected computer.

Technical Details
Worm/Yaha.M is an Internet worm which sends itself by email using its own SMTP engine. The email addresses are collected from local .HTM and .HTML files, the Windows Address Book and the contact lists of MSN Messenger, .NET Messenger and Yahoo Pager.

The worm copies itself into the Windows system directory as three files: WinServices.exe, Nav32_loader.exe and Tcpsvs32.exe. It then creates the registry entries below. The first two make Windows start the worm automatically (Run at logon; RunServices, honoured by Windows 9x/ME, before logon). The third replaces the handler for the .exe file type, so the worm is launched, with the requested program as its argument, every time any .exe is started. Because of this third entry, no .exe can be started at all if WinServices.exe is deleted before the value is restored to its default of "%1" %*.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
WinServices.exe=C:\%WinDir%\%System%\WinServices.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\
WinServices.exe=C:\%WinDir%\%System%\WinServices.exe

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\
open\command
@=C:\%WinDir%\%System%\WinServices.exe "%1" %*

When activated, Worm/Yaha.M tries to terminate the following antivirus and firewall processes:

* ANTIVIR
* _AVPM
* RESCUE32
* AVPM.EXE
* _AVPCC
* NISSERV
* AVPCC.EXE
* _AVP32
* VSECOMR
* AMON.EXE
* IOMON98
* IAMAPP
* ALERTSVC
* F-AGNT95
* NAVW32
* ACKWIN32
* FP-WIN
* NMAIN
* MCAFEE
* LOCKDOWNADVANCED
* FRW.EXE
* LUCOMSERVER
* PCCWIN98
* PVIEW95
* AVSYNMGR
* NVC95
* PCFWALLICON
* NAVAPW32
* NORTON
* VET95
* ATRACK
* N32SCANW
* NAVWNT
* IAMSERV.EXE
* NSPLUGIN
* NAVRUNR
* TDS2-NT
* NSCHEDNT
* NAVLU32
* TDS2-98
* NRESQ32
* NAVAPSVC
* NSCHED32
* NPSSVC
* NISUM
* F-PROT95
* NOD32
* SYMPROXYSVC
* F-STOPW
* REGEDIT
* SCAN32
* VETTRAY
* SWEEP95
* LUALL
* AVCONSOL
* VSSTAT
* PCCMAIN
* WEBTRAP
* VSHWIN32
* PCCIOMON
* POP3TRAP
* ESAFE.EXE
* ZONEALARM
* AVP32
* LOCKDOWN2000
* AVP.EXE
* CFINET32
* CFINET
* ICMON
* RMVTRJANSAFEWEB
* WEBSCANX
* PVIEW

The emails sent by Worm/Yaha.M vary in appearance. One example:

Subject:
Patch for Klez.H

Body:
Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC

Attachment:
FixKlez.com

The subject line and the attachment name are picked from the following lists:

Subject: Check it out, Free XXX, Wanna be friends ?, Patch for Elkern.gen, Patch for Klez.H, Are you in Love, How sweet this Screen saver, Lets Dance and forget pains, Sample Screensavers, I am in Love, I Love You, You are so sweet, The Hotmail Hack, U realy Want this, to ur lovers, to ur friends, Find a good friend, Learn How To Love, Are you looking for Love, Wowwwwwwwwwww check it, Check ur friends Circle, The world of Friendship, Shake it baby, Free Screensavers 4 U, war Againest Loneliness, Need a friend?, Say I Like You To ur friend, love speaks from the heart, Looking for Friendship, True Love, make ur friend happy, Who is ur Best Friend, hey check it yaar, Check this shit, Are you the BEST, Free Win32 API source, Learn SQL 4 Free, Project, I Love You.., Wanna be like a stone ?, Are you a Soccer Fan ?, Sexy Screensavers 4 U, Sample Playboy, Hardcore Screensavers 4 U, XXX Screensavers 4 U, We want peace, Wanna be a HE-MAN, Visit us, One Virus Writers Story, One Hackers Love, World Tour, Whats up, Wanna be my sweetheart ??, Screensavers from Club Jenna, Jenna 4 U, Free rAVs Screensavers, Feel the fragrance of Love, Wanna Hack ??, Sample KOF 2002, The King of KOF, Wanna Brawl ??, Wanna Rumble ??, Play KOF 2002 4 Free, Demo KOF 2002, Free Demo Game, Wanna be friends ??, Need money ??, Are you beautiful, Who is your Valentine, Free Screenavers of Love, Free Screensavers, WWE Screensavers, Freak Out, Things to note, Lovers Corner

Attachment: Britney_Sample.scr, Be_Happy.scr, Best_Friend.scr, Beautifull.scr, dance.scr, Friend_Finder.exe, Real.scr, zDenka.scr, Services.scr, World_of_friendship.scr, shake.scr, Sweet.scr, love.scr, GC_Messenger.exe, True_Love.scr, Love.scr, Friend_Happy.scr, FixElkern.com, FixKlez.com, life.scr, colour_of_life.scr, friendship_funny.scr, funny.scr, Project.exe, The_Best.scr, Codeproject.scr, Stone.scr, Sex.scr, Soccer.scr, Plus6.scr, Plus2.scr, Playboy.scr, Hardcore4Free.scr, xxx4Free.scr, Screensavers.scr, Peace.scr, Romantic.scr, Body_Building.scr, VXer_The_LoveStory.scr, Hacker_The_LoveStory.scr, World_Tour.scr, hotmail_hack.exe, friendship.scr, up_life.scr, Sweetheart.scr, Sexy_Jenna.scr, Jenna_Jemson.scr, Ravs.scr, Free_Love_Screensavers.scr, Romeo_Juliet.scr, Hacker.scr, KOF_Fighting.exe, KOF_Sample.exe, KOF_Demo.exe, KOF_The_Game.exe, KOF2002.exe, King_of_Figthers.exe, KOF.exe, MyProfile.scr, Ways_To_Earn_Money.exe, Valentines_Day.scr, zXXX_BROWSER.exe, THEROCK.scr, FreakOut.exe, MyPic.scr, Notes.exe, Cupid.scr
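As an added example (not from the vendor's description or from the worm itself): a mail filter written in Python with only the standard library that parses a message and flags it when the subject or an attachment filename matches the lists above. The subject and attachment sets are a subset copied from those lists; the extra rule that any .scr, .com or .exe attachment is suspicious on its own is a gateway policy chosen for this example, not something the page states; the sample message is constructed.

```python
import email
from email import policy

# Subjects and attachment names copied from the lists above (a subset;
# paste in the full lists for production use). Matching is case-insensitive.
YAHA_SUBJECTS = {s.lower() for s in (
    "Patch for Klez.H", "Patch for Elkern.gen", "The Hotmail Hack",
    "Free Win32 API source", "Learn SQL 4 Free", "Sample KOF 2002",
    "Wanna be friends ?", "Check it out", "I Love You", "Free Screensavers",
)}
YAHA_ATTACHMENTS = {a.lower() for a in (
    "FixKlez.com", "FixElkern.com", "hotmail_hack.exe", "KOF2002.exe",
    "Friend_Finder.exe", "Britney_Sample.scr", "Services.scr",
    "Screensavers.scr", "Notes.exe", "Cupid.scr",
)}
# Policy assumption, not from the page: every attachment name the worm uses
# ends in .scr, .com or .exe, so any such attachment is treated as suspicious
# even when its exact name is not on the list.
EXEC_EXTENSIONS = (".scr", ".com", ".exe")


def attachment_names(msg):
    """Filenames of all MIME parts that carry one (Content-Disposition or Content-Type name)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_message):
    """Return the reasons a message matches Worm/Yaha.M indicators (empty list = no match)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).strip()
    if subject.lower() in YAHA_SUBJECTS:
        reasons.append(f"subject on Yaha list: {subject!r}")
    for fn in attachment_names(msg):
        low = fn.lower()
        if low in YAHA_ATTACHMENTS:
            reasons.append(f"attachment name on Yaha list: {fn}")
        elif low.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment (policy rule): {fn}")
    return reasons


# Constructed sample message modelled on the "Patch for Klez.H" mail above;
# the attachment body is filler, not a real file.
SAMPLE_MESSAGE = """\
From: friend@example.com
To: victim@example.com
Subject: Patch for Klez.H
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Klez.H is the most common world-wide spreading worm ...
--XYZ
Content-Type: application/octet-stream; name="FixKlez.com"
Content-Disposition: attachment; filename="FixKlez.com"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

if __name__ == "__main__":
    for reason in classify(SAMPLE_MESSAGE):
        print("MATCH:", reason)
```

Exact-match on the subject is deliberate: the worm reuses these strings verbatim, and a substring match on subjects such as "Project" or "Visit us" would flag far too much legitimate mail.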

Manual Removal Instructions - for Windows 2000/XP:
To remove the worm by hand, boot into Safe Mode first: press the F8 key while the computer starts and select the 'safe mode' option from the menu. Correct the registry before deleting any files, because the third entry below makes WinServices.exe the handler for every .exe; once that file is gone, no program (regedit included) will start until the entry is back at its default.

Start "regedit" and correct the following registry entries:

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
WinServices.exe=C:\%WinDir%\%System%\WinServices.exe
(delete the value "WinServices.exe")

* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\
WinServices.exe=C:\%WinDir%\%System%\WinServices.exe
(delete the value "WinServices.exe")

* HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\
open\command
@=C:\%WinDir%\%System%\WinServices.exe "%1" %*
(set the (Default) value back to: "%1" %*)

Then delete the following files from the Windows system directory:

* WinServices.exe
* Nav32_loader.exe
* Tcpsvs32.exe

Restart your computer.

- for Windows 9x/ME:
The steps are the same as for Windows 2000/XP above: boot into Safe Mode with F8, correct the three registry entries, delete the three files and restart the computer.
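The registry changes in the Technical Details section and the manual removal steps above are the same three entries seen from two sides, so one added example covers both (this is my own script, not the vendor's tool): it reads a regedit export (.reg, "Windows Registry Editor Version 5.00" format), reports every Run/RunServices value that points at one of the dropped files and an exefile handler that is anything other than the clean default "%1" %*, and emits a .reg file that undoes them. The sample export is constructed; it assumes %WinDir%\%System% resolves to C:\WINDOWS\System32 on the infected machine. Only REG_SZ values are parsed, which is all these indicators need.

```python
import re

# Files the description says Worm/Yaha.M drops into the Windows system directory.
DROPPED_FILES = ("winservices.exe", "nav32_loader.exe", "tcpsvs32.exe")

# Autorun keys the worm writes.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# The .exe file-type handler the worm hijacks, and its clean default value.
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'

# "name"="data" or @="data"; groups: 1 name token, 2 name, 3 data token, 4 data.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=("((?:[^"\\]|\\.)*)")$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: data}}.
    Only string (REG_SZ) values are handled; a key's (Default) value is stored
    under the name ''."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _unescape(m.group(4))
    return keys


def find_yaha_indicators(reg_text):
    """Return (kind, key, value_name, data) tuples: one per Run/RunServices value
    pointing at a dropped file, plus one if the exefile handler is not the default."""
    keys = {k.lower(): v for k, v in parse_reg(reg_text).items()}
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if any(f in data.lower() for f in DROPPED_FILES):
                findings.append(("autorun", key, name, data))
    cmd = keys.get(EXEFILE_KEY.lower(), {}).get("")
    if cmd is not None and cmd.strip().lower() != EXEFILE_DEFAULT.lower():
        findings.append(("exefile_hijack", EXEFILE_KEY, "", cmd))
    return findings


def cleanup_reg(findings):
    """Build a .reg file that deletes the autorun values and restores the exefile
    default. Import it BEFORE deleting WinServices.exe: once the file is gone,
    every .exe (regedit included) fails to start until the handler is restored."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for kind, key, name, _data in findings:
        lines.append(f"[{key}]")
        if kind == "autorun":
            lines.append(f'"{name}"=-')          # a trailing '-' deletes the value
        else:
            lines.append(r'@="\"%1\" %*"')       # restore the default "%1" %*
        lines.append("")
    return "\n".join(lines)


# Constructed sample export (not from a real infection); ctfmon.exe is a
# legitimate entry included to show it is left alone.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices.exe"="C:\\WINDOWS\\System32\\WinServices.exe"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices.exe"="C:\\WINDOWS\\System32\\WinServices.exe"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\WinServices.exe \"%1\" %*"
'''

if __name__ == "__main__":
    hits = find_yaha_indicators(SAMPLE_EXPORT)
    for hit in hits:
        print(" | ".join(hit))
    print(cleanup_reg(hits))
```

On the infected machine the export is produced with "regedit /e" from Safe Mode; the generated .reg is imported with regedit before the three files are removed, which keeps the .exe association working throughout the cleanup.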
Description inserted by Crony Walker on Tuesday, June 15, 2004
