English
Deutsch
Français
Español
Italiano
Home
Virus Info
Worm/Yaha.E
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
TechBlog
Worm/Yaha.E - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Alias:
I-Worm.Lentin.f
Type:
Worm
Size:
29,839 bytes
Origin:
unknown
Date:
06-19-2002
Damage:
VDF Version:
Danger:
Medium
Distribution:
Medium
Symptoms
Terminates running processes, like antivirus software and firewall applications.
Distribution
It sends itself by email, as executable .pif .bat .scr files.
Technical Details
Worm/Yaha.E is a mass mailer, which sends itself by email to addresses collected from the local * .HT* files, Windows Address Book , MSN Messenger, ICQ and Yahoo Messenger. The attachment of the email has the extension .BAT, .PIF or .SCR.
The subject, body and attachment can have different appearance. The name of the attachment, for example, can be composed of the following parts:
First part:
* loveletter
* resume
* love
* weeklyreport
* goldfish
* report
* mountan
* biodata
* dailyreport
* lovegreetings
* shakingfriendship
then the first extension:
* .wav
* .doc
* .mp3
* .bmp
* .jpg
* .gif
* .txt
* .xls
* .htm
* .mpg
* .zip
* .dat
and the second extension:
* .pif
* .bat
* .scr
When the attachment is opened, W32/Yaha.E copies itself in the hidden C:\Recycled\ with a random name. Another copy, but of .TXT type, will be placed in Windows. It has the following lines:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK shites
bY
sNAkeeYes,c0Bra
<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
W32/Yaha.E makes the following registry entry, to ensure that it will be activated by the next system start:
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\recycled\\<RANDOM NAME>\" %1 %*"
With this entry, W32/Yaha.E is started whenever an .EXE file is opened. If one of the following applications is active, W32/Yaha.E will try to terminate it:
* SCAM32
* SIRC32
* WINK
* ZONEALARM
* AVP32
* LOCKDOWN2000
* AVP.EXE
* CFINET32
* CFINET
* ICMON
* SAFEWEB
* WEBSCANX
* ANTIVIR
* MCAFEE
* NORTON
* NVC95
* FP-WIN
* IOMON98
* PCCWIN98
* F-PROT95
* F-STOPW
* PVIEW95
* NAVWNT
* NAVRUNR
* NAVLU32
* NAVAPSVC
* NISUM
* SYMPROXYSVC
* RESCUE32
* NISSERV
* ATRACK
* IAMAPP
* LUCOMSERVER
* LUALL
* NMAIN
* NAVW32
* NAVAPW32
* VSSTAT
* VSHWIN32
* AVSYNMGR
* AVCONSOL
* WEBTRAP
* POP3TRAP
* PCCMAIN
* PCCIOMON
See a brief description
here
.
Description inserted by Crony Walker on Tue, 15 Jun 2004 14:00 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
TR/Crypt.XPACK.Gen
HEUR/HTML.Malware
HTML/Infected.WebPage.Gen
ADSPY/AdSpy.Gen
HTML/Crypted.Gen
W32/Induc.Gen
TR/ATRAPS.Gen2
TR/Click.Yabector.8857.2
TR/PSW.Magania.auv
TR/Dldr.Bredolab.AX
Get comfortable up to the minute info from Avira as
Detects and removes distinct malware and its variants.
Download here
Click
here
to get the panel...
© 2009 Avira GmbH
Copyright
|
Privacy
|
Sitemap
|
Feedback
|
Imprint
|
FAQ
|
Contact
Virus Info 
Print this page
.gif)
