McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Lentin.n (AVP)

• W32.Yaha.P@mm (NAV)

• W32/Lentin.N (Panda)

• W32/Yaha-Q (Sophos)

• WORM_YAHA.P (Trend)

• Yaha.Q@mm (Norman)

Characteristics

--- Update 12 March ---
This threat has been updated to a Low-Profiled risk as it has had some media attention.

--- Update 08 March ---
A new strain was discovered which is the same worm as W32/Yaha.p but packaged using UPX and subsequently modified. It is included in 4252 DAT update.

---

This worm propagates via email and over network shares. It uses its own built-in SMTP engine for constructing messages. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against remote machines (various targets are hard-coded within the worm).

Network Propagation

The worm looks for a WIN.INI file in specific folders (hardcoded within worm) on remote shares (only on mapped network drives in testing). If found, it copies itself to that folder as REG32.EXE, and adds a hook into the WIN.INI file:

A list of searched locations is shown below:

• \WINDOWS\WIN.INI
• \WIN98\WIN.INI
• \WIN95\WIN.INI
• \WINNT\WIN.INI
• \WIN\WIN.INI
• \WINME\WIN.INI
• \WINXP\WIN.INI

Additionally, the worm will look for the following folder on remote network drives (again only mapped drives in testing):

• \DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP

If found, it will copy itself there as: MSREGSCANNER.EXE.

Mass-Mailing

The worm may arrive in a message formatted with varying subject line, attachment filename and message body. Many variations of each are carried within the body of the worm. In common with previous W32/Yaha variants, strings within the worm suggest the from address may be spoofed. The following list of email addresses is carried in the worm:

• admin@clubjenna.com
• admin@codeproject2.com
• admin@hackers2.com
• admin@hackersclub2.com
• admin@kofonline2.com
• admin@zpornstars.com
• av_patch@mcafee.com
• av_patch@norton.com
• av_patch@trendmicro.com
• btq@2632.com
• caijob@online.sh.cn
• cathy@21cn.com
• cupid@freescreensavers.com
• DNA_seraph@163.com
• ericpan@online.com.pk
• free@hardcorescreensavers.com
• free@sexyscreensavers.com
• free@sql.library.com
• free@xxxscreensavers.com
• hamada@seikosangyo.com
• info@infotech.com
• jenna@jennajameson.com
• kkn@k2k.comscreensavers@nomadic.com
• kl@aminoprojects.com
• love@lovescreensavers.com
• loverscr@lovers.com
• loverscreensavers@love.com
• lubing@7135.com
• luoairong@21cn.com
• marketing@playstation.com
• marketing@suppersoccer.com
• me@me2K.com
• newsletters@britneyspears.org
• nics@noma.com
• paul@kqscore2.com
• plus@real.com
• ravs@go2pussy.com
• romanticscreensavers@love.com
• sales@gcnetwork.com
• sales@playboy.com
• sales@real.com
• sales@susoft.net
• samsun@online.sh.cn
• screensavers@lovers.com
• services@tcsonline2.com
• stone@esterplaza.com
• super@21cn.com
• therock@wwe.com
• valentinescreensavers@t2k.com
• valscr@freescreensavers.com
• yjworks@online.sh.cn
• zdenka@zpornstars.com
• zhouyuye@citiz.net

Possible subject lines, attachment names and message bodies are detailed below:

Subject Lines:

• Are you a Soccer Fan ?
• Are you beautiful
• Are you in Love
• Are you looking for Love
• Are you the BEST
• Check it out
• Check this shit
• Check ur friends Circle
• Demo KOF 2002
• Feel the fragrance of Love
• Find a good friend
• Freak Out
• Free Demo Game
• Free Screenavers of Love
• Free Screensavers 4 U
• Free Screensavers
• Free Win32 API source
• Free XXX
• Free rAVs Screensavers
• Hardcore Screensavers 4 U
• Hip Shake it baby
• Hip
• How sweet this Screen saver
• I Love You..
• I Love You
• I am in Love
• Jenna 4 U
• Learn How To Love
• Learn SQL 4 Free
• Let's Dance and forget pains
• Looking for Friends
• Lovers Corner
• Need a friend?
• Need money ??
• One Hacker's Love
• One Virus Writer's Story
• Patch for Elkern.gen
• Patch for Klez.H
• Play KOF 2002 4 Free
• Project Sample Screensavers
• Sample KOF 2002
• Sample Playboy
• Say 'I Like You' To ur friend
• Screensavers from Club Jenna
• Sexy Screensavers 4 U
• The Hotmail Hack
• The King of KOF Wanna Brawl ??
• The world of Friends
• Things to note
• True Love
• U realy Want this
• Visit us
• WWE Screensavers
• Wanna Hack ??
• Wanna Rumble ??
• Wanna be a HE-MAN
• Wanna be friends ?
• Wanna be friends ??
• Wanna be like a stone ?
• Wanna be my sweetheart ??
• We want peace
• Who is ur Best Friend
• Who is your Valentine
• World Tour Whats up
• Wowwwwwwwwwww check it
• XXX Screensavers 4 U
• You are so sweet
• hey check it yaar
• love speaks from the heart
• make ur friend happy
• to ur friends
• to ur lovers
• war Againest Loneliness

Attachment Filenames:

• Beautifull.scr
• Body_Building.scr
• Britney_Sample.scr
• Codeproject.scr
• Cupid.scr
• FixElkern.com
• FixKlez.com
• FreakOut.exe
• Free_Love_Screensavers.scr
• Hacker.scr
• Hacker_The_LoveStory.scr
• Hardcore4Free.scr
• I_Love_You.scr
• Jenna_Jemson.scr
• KOF.exe
• KOF2002.exe
• KOF_Demo.exe
• KOF_Fighting.exe
• KOF_Sample.exe
• KOF_The_Game.exe
• King_of_Figthers.exe
• Love.scr
• MyPic.scr
• MyProfile.scr
• My_Sexy_Pic.scr
• Notes.exe
• Peace.scr
• Playboy.scr
• Plus2.scr
• Plus6.scr
• Project.exe
• Ravs.scr
• Real.scr
• Romantic.scr
• Romeo_Juliet.scr
• SQL_4_Free.scr
• Screensavers.scr
• Services.scr
• Sex.scr
• Sexy_Jenna.scr
• Soccer.scr
• Stone.scr
• Sweetheart.scr
• THEROCK.scr
• The_Best.scr
• VXer_The_LoveStory.scr
• Valentines_Day.scr
• Ways_To_Earn_Money.exe
• World_Tour.scr
• up_life.scr
• xxx4Free.scr
• zDenka.scr
• zXXX_BROWSER.exe

Message bodies:

Strings within the worm suggest outgoing messages are intended to contain two Internet Explorer vulnerabilities (IFRAME and incorrect MIME header) in order to run itself when the recipient previews the email (on unpatched systems). See Microsoft Security Bulletin (MS01-020) for more information and a patch concerning these exploits.

Symptoms

The worm copies itself into the Windows System folder as:

• EXELOADER.EXE
• MSTASK32.EXE

Additionally, a zipped copy of the worm is dropped as:

• TASKMGR32.DLL (45,802 bytes)

NB: this file is a ZIP archive, not a DLL as its name suggests

Two Registry keys are added to hook system startup - for example:

The following key is modified to hook the execution of EXE files:

which is changed from:

to:

All of the above Registry modifications are cleaned with the recommended engine/DAT combination.

The following Registry keys are also added by the worm:

These keys will be removed for those customers using the 4240 engine and the indicated DATs.

In common with previous W32/Yaha variants, this worm is intended to deliver a denial of service payload against specific remote servers - the list of which is contained within the worm:

• kse.com.pk
• comsats.com
• pcb.gov.pk
• paki.com
• pakistan.gov.pk

Upon infecting a machine, one of the servers in this list is chosen to be targeted in this payload. The name of the chosen one is stored in the Registry - for example:

This key will be removed for those customers using the 4240 engine and the indicated DATs.

The following process are terminated if running on the victim machine:

• _AVP32
• _AVPCC
• _AVPM
• ACKWIN32
• ALERTSVC
• AMON.EXE
• ANTI-TROJAN
• ANTIVIR
• APVXDWIN
• ATRACK
• AUTODOWN
• AVCONSOL
• AVGCTRL
• AVKSERV
• AVNT
• AVP.EXE
• AVP32
• AVPCC.EXE
• AVPM.EXE
• AVSCHED32
• AVSYNMGR
• AVWUPD32
• BLACKD
• BLACKICE
• CFIADMIN
• CFIAUDIT
• CFINET
• CFINET32
• CLEANER
• ECENGINE
• ESAFE.EXE
• ESPWATCH
• F-AGNT95
• F-PROT95
• F-STOPW
• FINDVIRU
• FP-WIN
• FRW.EXE
• IAMAPP
• IAMSERV.EXE
• IBMASN
• IBMAVSP
• ICMON
• IOMON98
• LOCKDOWN2000
• LOCKDOWNADVANCED
• LUALL
• LUCOMSERVER
• MCAFEE
• MOOLIVE
• MPFTRAY
• MSNMSG32REGEDIT
• N32SCANW
• NAV
• NAV32_LOADER
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVNT
• NAVRUNR
• NAVW32
• NAVWNT
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORTON
• NPSSVC
• NRESQ32
• NSCHED32
• NSCHEDNT
• NSPLUGIN
• NUPGRADE
• NVC95
• PADMIN
• PAVSCHED
• PCCIOMON
• PCCMAIN
• PCCWIN98
• PCFWALLICON
• PERSFW
• POP3TRAP
• PVIEW
• PVIEW95
• RAV7
• REGEDIT
• RESCUE32
• RMVTRJANSAFEWEB
• SCAM32
• SCAN32
• SIRC32
• SMC
• SPHINX
• SWEEP95
• SYMPROXYSVC
• SYSHELP.EXE
• TBSCAN
• TCPSVS32
• TDS2-
• TDS2-98
• TDS2-NT
• VET95
• VETTRAY
• VSECOMR
• VSHWIN32
• VSSTAT
• WEBSCANX
• WEBTRAP
• WFINDV32
• WINGATE.EXE
• WINK
• WINMGM32.EXE
• WINSERVICES
• ZONEALARM

A list of filenames identical to that in previous W32/Yaha variants is carried within the worm. Unlikely previously however, in testing the worm did not copy itself to the victim machine with any of these filenames (9x and NT/2000).

• Be_Happy.scr
• Best_Friend.scr
• Friend_Finder.exe
• Friend_Happy.scr
• GC_Messenger.exe
• I_Like_You.scr
• Sweet.scr
• True_Love.scr
• colour_of_life.scr
• dance.scr
• friendship.scr
• friendship_funny.scr
• funny.scr
• hotmail_hack.exe
• life.scr
• love.scr
• shake.scr
• world_of_friendship.scr

Method of Infection

The virus installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).

It copies itself over network shares.

• Windows Address Book
• MSN Messenger
• .NET Messenger
• Yahoo Pager
• Files matching *.HT*

The 'From' address may vary, as noted above.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• I-Worm.Lentin.n (AVP)

• W32.Yaha.P@mm (NAV)

• W32/Lentin.N (Panda)

• W32/Yaha-Q (Sophos)

• WORM_YAHA.P (Trend)

• Yaha.Q@mm (Norman)

Characteristics

Characteristics -

--- Update 12 March ---
This threat has been updated to a Low-Profiled risk as it has had some media attention.

--- Update 08 March ---
A new strain was discovered which is the same worm as W32/Yaha.p but packaged using UPX and subsequently modified. It is included in 4252 DAT update.

---

This worm propagates via email and over network shares. It uses its own built-in SMTP engine for constructing messages. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against remote machines (various targets are hard-coded within the worm).

Network Propagation

The worm looks for a WIN.INI file in specific folders (hardcoded within worm) on remote shares (only on mapped network drives in testing). If found, it copies itself to that folder as REG32.EXE, and adds a hook into the WIN.INI file:

A list of searched locations is shown below:

• \WINDOWS\WIN.INI
• \WIN98\WIN.INI
• \WIN95\WIN.INI
• \WINNT\WIN.INI
• \WIN\WIN.INI
• \WINME\WIN.INI
• \WINXP\WIN.INI

Additionally, the worm will look for the following folder on remote network drives (again only mapped drives in testing):

• \DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\STARTUP

If found, it will copy itself there as: MSREGSCANNER.EXE.

Mass-Mailing

The worm may arrive in a message formatted with varying subject line, attachment filename and message body. Many variations of each are carried within the body of the worm. In common with previous W32/Yaha variants, strings within the worm suggest the from address may be spoofed. The following list of email addresses is carried in the worm:

• admin@clubjenna.com
• admin@codeproject2.com
• admin@hackers2.com
• admin@hackersclub2.com
• admin@kofonline2.com
• admin@zpornstars.com
• av_patch@mcafee.com
• av_patch@norton.com
• av_patch@trendmicro.com
• btq@2632.com
• caijob@online.sh.cn
• cathy@21cn.com
• cupid@freescreensavers.com
• DNA_seraph@163.com
• ericpan@online.com.pk
• free@hardcorescreensavers.com
• free@sexyscreensavers.com
• free@sql.library.com
• free@xxxscreensavers.com
• hamada@seikosangyo.com
• info@infotech.com
• jenna@jennajameson.com
• kkn@k2k.comscreensavers@nomadic.com
• kl@aminoprojects.com
• love@lovescreensavers.com
• loverscr@lovers.com
• loverscreensavers@love.com
• lubing@7135.com
• luoairong@21cn.com
• marketing@playstation.com
• marketing@suppersoccer.com
• me@me2K.com
• newsletters@britneyspears.org
• nics@noma.com
• paul@kqscore2.com
• plus@real.com
• ravs@go2pussy.com
• romanticscreensavers@love.com
• sales@gcnetwork.com
• sales@playboy.com
• sales@real.com
• sales@susoft.net
• samsun@online.sh.cn
• screensavers@lovers.com
• services@tcsonline2.com
• stone@esterplaza.com
• super@21cn.com
• therock@wwe.com
• valentinescreensavers@t2k.com
• valscr@freescreensavers.com
• yjworks@online.sh.cn
• zdenka@zpornstars.com
• zhouyuye@citiz.net

Possible subject lines, attachment names and message bodies are detailed below:

Subject Lines:

• Are you a Soccer Fan ?
• Are you beautiful
• Are you in Love
• Are you looking for Love
• Are you the BEST
• Check it out
• Check this shit
• Check ur friends Circle
• Demo KOF 2002
• Feel the fragrance of Love
• Find a good friend
• Freak Out
• Free Demo Game
• Free Screenavers of Love
• Free Screensavers 4 U
• Free Screensavers
• Free Win32 API source
• Free XXX
• Free rAVs Screensavers
• Hardcore Screensavers 4 U
• Hip Shake it baby
• Hip
• How sweet this Screen saver
• I Love You..
• I Love You
• I am in Love
• Jenna 4 U
• Learn How To Love
• Learn SQL 4 Free
• Let's Dance and forget pains
• Looking for Friends
• Lovers Corner
• Need a friend?
• Need money ??
• One Hacker's Love
• One Virus Writer's Story
• Patch for Elkern.gen
• Patch for Klez.H
• Play KOF 2002 4 Free
• Project Sample Screensavers
• Sample KOF 2002
• Sample Playboy
• Say 'I Like You' To ur friend
• Screensavers from Club Jenna
• Sexy Screensavers 4 U
• The Hotmail Hack
• The King of KOF Wanna Brawl ??
• The world of Friends
• Things to note
• True Love
• U realy Want this
• Visit us
• WWE Screensavers
• Wanna Hack ??
• Wanna Rumble ??
• Wanna be a HE-MAN
• Wanna be friends ?
• Wanna be friends ??
• Wanna be like a stone ?
• Wanna be my sweetheart ??
• We want peace
• Who is ur Best Friend
• Who is your Valentine
• World Tour Whats up
• Wowwwwwwwwwww check it
• XXX Screensavers 4 U
• You are so sweet
• hey check it yaar
• love speaks from the heart
• make ur friend happy
• to ur friends
• to ur lovers
• war Againest Loneliness

Attachment Filenames:

• Beautifull.scr
• Body_Building.scr
• Britney_Sample.scr
• Codeproject.scr
• Cupid.scr
• FixElkern.com
• FixKlez.com
• FreakOut.exe
• Free_Love_Screensavers.scr
• Hacker.scr
• Hacker_The_LoveStory.scr
• Hardcore4Free.scr
• I_Love_You.scr
• Jenna_Jemson.scr
• KOF.exe
• KOF2002.exe
• KOF_Demo.exe
• KOF_Fighting.exe
• KOF_Sample.exe
• KOF_The_Game.exe
• King_of_Figthers.exe
• Love.scr
• MyPic.scr
• MyProfile.scr
• My_Sexy_Pic.scr
• Notes.exe
• Peace.scr
• Playboy.scr
• Plus2.scr
• Plus6.scr
• Project.exe
• Ravs.scr
• Real.scr
• Romantic.scr
• Romeo_Juliet.scr
• SQL_4_Free.scr
• Screensavers.scr
• Services.scr
• Sex.scr
• Sexy_Jenna.scr
• Soccer.scr
• Stone.scr
• Sweetheart.scr
• THEROCK.scr
• The_Best.scr
• VXer_The_LoveStory.scr
• Valentines_Day.scr
• Ways_To_Earn_Money.exe
• World_Tour.scr
• up_life.scr
• xxx4Free.scr
• zDenka.scr
• zXXX_BROWSER.exe

Message bodies:

Strings within the worm suggest outgoing messages are intended to contain two Internet Explorer vulnerabilities (IFRAME and incorrect MIME header) in order to run itself when the recipient previews the email (on unpatched systems). See Microsoft Security Bulletin (MS01-020) for more information and a patch concerning these exploits.

Symptoms

Symptoms -

The worm copies itself into the Windows System folder as:

• EXELOADER.EXE
• MSTASK32.EXE

Additionally, a zipped copy of the worm is dropped as:

• TASKMGR32.DLL (45,802 bytes)

NB: this file is a ZIP archive, not a DLL as its name suggests

Two Registry keys are added to hook system startup - for example:

The following key is modified to hook the execution of EXE files:

which is changed from:

to:

All of the above Registry modifications are cleaned with the recommended engine/DAT combination.

The following Registry keys are also added by the worm:

These keys will be removed for those customers using the 4240 engine and the indicated DATs.

In common with previous W32/Yaha variants, this worm is intended to deliver a denial of service payload against specific remote servers - the list of which is contained within the worm:

• kse.com.pk
• comsats.com
• pcb.gov.pk
• paki.com
• pakistan.gov.pk

Upon infecting a machine, one of the servers in this list is chosen to be targeted in this payload. The name of the chosen one is stored in the Registry - for example:

This key will be removed for those customers using the 4240 engine and the indicated DATs.

The following process are terminated if running on the victim machine:

• _AVP32
• _AVPCC
• _AVPM
• ACKWIN32
• ALERTSVC
• AMON.EXE
• ANTI-TROJAN
• ANTIVIR
• APVXDWIN
• ATRACK
• AUTODOWN
• AVCONSOL
• AVGCTRL
• AVKSERV
• AVNT
• AVP.EXE
• AVP32
• AVPCC.EXE
• AVPM.EXE
• AVSCHED32
• AVSYNMGR
• AVWUPD32
• BLACKD
• BLACKICE
• CFIADMIN
• CFIAUDIT
• CFINET
• CFINET32
• CLEANER
• ECENGINE
• ESAFE.EXE
• ESPWATCH
• F-AGNT95
• F-PROT95
• F-STOPW
• FINDVIRU
• FP-WIN
• FRW.EXE
• IAMAPP
• IAMSERV.EXE
• IBMASN
• IBMAVSP
• ICMON
• IOMON98
• LOCKDOWN2000
• LOCKDOWNADVANCED
• LUALL
• LUCOMSERVER
• MCAFEE
• MOOLIVE
• MPFTRAY
• MSNMSG32REGEDIT
• N32SCANW
• NAV
• NAV32_LOADER
• NAVAPSVC
• NAVAPW32
• NAVLU32
• NAVNT
• NAVRUNR
• NAVW32
• NAVWNT
• NISSERV
• NISUM
• NMAIN
• NOD32
• NORTON
• NPSSVC
• NRESQ32
• NSCHED32
• NSCHEDNT
• NSPLUGIN
• NUPGRADE
• NVC95
• PADMIN
• PAVSCHED
• PCCIOMON
• PCCMAIN
• PCCWIN98
• PCFWALLICON
• PERSFW
• POP3TRAP
• PVIEW
• PVIEW95
• RAV7
• REGEDIT
• RESCUE32
• RMVTRJANSAFEWEB
• SCAM32
• SCAN32
• SIRC32
• SMC
• SPHINX
• SWEEP95
• SYMPROXYSVC
• SYSHELP.EXE
• TBSCAN
• TCPSVS32
• TDS2-
• TDS2-98
• TDS2-NT
• VET95
• VETTRAY
• VSECOMR
• VSHWIN32
• VSSTAT
• WEBSCANX
• WEBTRAP
• WFINDV32
• WINGATE.EXE
• WINK
• WINMGM32.EXE
• WINSERVICES
• ZONEALARM

A list of filenames identical to that in previous W32/Yaha variants is carried within the worm. Unlikely previously however, in testing the worm did not copy itself to the victim machine with any of these filenames (9x and NT/2000).

• Be_Happy.scr
• Best_Friend.scr
• Friend_Finder.exe
• Friend_Happy.scr
• GC_Messenger.exe
• I_Like_You.scr
• Sweet.scr
• True_Love.scr
• colour_of_life.scr
• dance.scr
• friendship.scr
• friendship_funny.scr
• funny.scr
• hotmail_hack.exe
• life.scr
• love.scr
• shake.scr
• world_of_friendship.scr

Method of Infection

Method of Infection -

The virus installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).

It copies itself over network shares.

• Windows Address Book
• MSN Messenger
• .NET Messenger
• Yahoo Pager
• Files matching *.HT*

The 'From' address may vary, as noted above.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A