W32/Yaha.y@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 09/17/2003
Length: 66048 bytes
Minimum DAT: 4293 (09/17/2003)
Updated DAT: 4309 (12/17/2003)
Minimum Engine: 5.1.00
Description Added: 09/17/2003
Description Modified: 09/17/2003 10:09 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This variant of W32/Yaha is packed using ASPack and written in MSVC.

This worm propagates via email and over network shares. It uses its own built-in SMTP engine for constructing messages. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against remote machines (various targets are hard-coded within the worm).

Installation

Upon execution, the worm installs itself into the %Sysdir% directory as:

  • MSEXEC.EXE
  • MSUPDAT.EXE
  • TASKMGR32.DLL

(Where %Windir% is the Windows directory, for example C:\WINDOWS)
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

The following Registry value is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"MicrosoftServiceManager" = "%Sysdir%\MSUPDAT.EXE"

The following Registry keys are modified so that the worm runs whenever an .EXE, .BAT or .COM file is executed. MSEXEC.EXE is placed in front of the original "%1" %* command, so it is launched first and then passes the requested program through:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command "Default" = "%Sysdir%\MSEXEC.EXE" "%1" %*
  • HKEY_CLASSES_ROOT\batfile\shell\open\command "Default" = "%Sysdir%\MSEXEC.EXE" "%1" %*
  • HKEY_CLASSES_ROOT\comfile\shell\open\command "Default" = "%Sysdir%\MSEXEC.EXE" "%1" %*

Because of this hook, deleting MSEXEC.EXE before restoring these values to "%1" %* leaves the system unable to launch any .EXE, .BAT or .COM file; the registry must be repaired first (or at the same time).

The worm looks for a WIN.INI file in specific folders (hardcoded within the worm) on remote shares (only on mapped network drives in testing). If found, it copies itself to that folder as REG32.EXE and adds a hook to that WIN.INI file so the copy is started at logon on the remote machine. The [windows] run= line is a legacy startup hook that is honoured by Windows 9x/ME and, through the registry mapping of WIN.INI, by Windows NT-based versions as well:

[windows]
run=REGP32.EXE

A list of searched locations is shown below:

  • \WINDOWS\WIN.INI
  • \WIN98\WIN.INI
  • \WIN95\WIN.INI
  • \WINNT\WIN.INI
  • \WIN\WIN.INI
  • \WINME\WIN.INI
  • \WINXP\WIN.INI
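The three persistence hooks above (the Run value, the exefile/batfile/comfile open-command hijack and the WIN.INI run= line) can be triaged from the raw strings without touching a live machine. The following script is an added example written for this description, not McAfee's tooling or the worm's code: the registry values and WIN.INI text in it are constructed to mirror the entries listed above, the sinkhole file names are taken from the description, and live_check() is an assumption about how one would read the same values from a real Windows registry.

```python
"""Checks for the persistence hooks described above (Run key value,
exefile/batfile/comfile shell\\open\\command hijack, WIN.INI run= line).
The sample registry values and WIN.INI text are constructed for
illustration; live_check() is an assumption about querying a real
machine and only does anything on Windows."""
import re

# Stock "(Default)" value of HKCR\exefile\shell\open\command (and batfile/comfile).
STOCK_OPEN_COMMAND = '"%1" %*'


def shell_open_command_hijacked(value: str) -> bool:
    """True if the open command does not start with the target itself.

    A hijacked value puts some other executable before "%1", so that
    program runs first and decides whether to pass the request on."""
    v = value.strip()
    return not (v.startswith('"%1"') or v.startswith("%1"))


def run_key_hits(values: dict, names=("MSUPDAT.EXE",)) -> list:
    """Return (value_name, command) pairs from a Run key whose command
    references one of the given file names (case-insensitive)."""
    hits = []
    for value_name, command in values.items():
        if any(n.lower() in command.lower() for n in names):
            hits.append((value_name, command))
    return hits


def winini_run_entries(text: str) -> list:
    """Return programs listed on run= or load= in the [windows] section
    of a WIN.INI file. Both lines accept several programs separated by
    spaces or commas."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("run", "load"):
                found.extend(p for p in re.split(r"[ ,]+", val.strip()) if p)
    return found


# Constructed sample data mirroring the description above.
SAMPLE_RUN_VALUES = {
    "MicrosoftServiceManager": r"C:\WINDOWS\SYSTEM\MSUPDAT.EXE",
    "SystemTray": "SysTray.Exe",
}
SAMPLE_OPEN_COMMAND = r'"C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*'
SAMPLE_WIN_INI = """; constructed WIN.INI
[windows]
load=
run=REGP32.EXE
[Desktop]
Wallpaper=(None)
"""


def live_check() -> dict:
    """Read the real values (Windows only, assumption: winreg access is
    permitted). Returns {} elsewhere so the module imports anywhere."""
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    for cls in ("exefile", "batfile", "comfile"):
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, cls + r"\shell\open\command") as k:
            result[cls] = winreg.QueryValueEx(k, "")[0]
    run = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as k:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            run[name] = str(data)
            i += 1
    result["run"] = run
    return result


if __name__ == "__main__":
    print("open command hijacked:", shell_open_command_hijacked(SAMPLE_OPEN_COMMAND))
    print("Run key hits:", run_key_hits(SAMPLE_RUN_VALUES))
    print("WIN.INI run/load entries:", winini_run_entries(SAMPLE_WIN_INI))
```

The open-command test deliberately keys on position rather than on the name MSEXEC.EXE: any executable inserted before "%1" is a wrapper, whatever it is called, and the same check catches renamed copies.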

Mail Propagation

This worm uses its own SMTP engine to send out messages from an infected system.

The messages are constructed in the same way as described for W32/Yaha.x@MM.

The files HOSTS and LMHOSTS in the Windows folder are modified to prevent the user from accessing the following Web sites (which blocks signature updates and vendor guidance):

  • www.symantec.com
  • www.kaspersky.com
  • www.mcafee.com
  • www.microsoft.com
  • www.nai.com
  • www.sophos.com
  • www.avp.ru
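Whether a HOSTS or LMHOSTS file carries such entries can be checked with a small parser that understands the format (one address followed by one or more names, '#' starting a comment). The script below is an added example for this description, not McAfee's or the worm's code: the sample file text is constructed, the 127.0.0.1 sinkhole address is an assumption (the description does not say what address the worm writes), and live_check()'s file locations are assumptions about where the files sit on NT-family and 9x/ME systems.

```python
"""Parses a HOSTS (or LMHOSTS) file and reports entries for the security
vendor sites listed above. The sample text is constructed; the sinkhole
address 127.0.0.1 is an assumption, not something the description states."""
import ipaddress
import os

# Sites the description above lists as blocked.
BLOCKED_SITES = {
    "www.symantec.com", "www.kaspersky.com", "www.mcafee.com",
    "www.microsoft.com", "www.nai.com", "www.sophos.com", "www.avp.ru",
}


def parse_hosts(text: str):
    """Yield (ip, hostname) for every mapping in the file.

    Everything after '#' is a comment, which also drops LMHOSTS tags such
    as '#PRE', so the same parser serves both files. Lines whose first
    field is not a valid IPv4/IPv6 address are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def hosts_overrides(text: str, watch=BLOCKED_SITES) -> dict:
    """Return {hostname: ip} for watched names pinned by the file.

    Any static entry for a vendor update site is suspect regardless of
    the address it points at: a hosts file has no reason to carry one."""
    return {name: ip for ip, name in parse_hosts(text) if name in watch}


# Constructed sample for illustration (127.0.0.1 is an assumed sinkhole).
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1       localhost
192.168.1.10    fileserver   #PRE
127.0.0.1       www.mcafee.com
127.0.0.1       www.symantec.com www.nai.com
this is not an entry
"""


def live_check() -> dict:
    """Read the real files. Assumed locations: System32\\drivers\\etc on
    NT-family Windows, the Windows folder itself on 9x/ME (as the
    description says). Returns {} when no Windows root is known."""
    root = os.environ.get("SystemRoot") or os.environ.get("windir") or ""
    found = {}
    for p in (os.path.join(root, "System32", "drivers", "etc", "hosts"),
              os.path.join(root, "hosts"), os.path.join(root, "lmhosts")):
        if root and os.path.isfile(p):
            with open(p, encoding="latin-1") as fh:
                found.update(hosts_overrides(fh.read()))
    return found


if __name__ == "__main__":
    for name, ip in sorted(hosts_overrides(SAMPLE_HOSTS).items()):
        print(f"{name} -> {ip}")
```

Entries found this way should be removed as part of cleanup, otherwise the machine still cannot reach the vendor sites after the worm's files are gone.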

Denial Of Service

This worm performs a denial of service attack on the following sites:

  • jamaat.org
  • klc.org.pk
  • pak.gov.pk
  • piac.com.pk
  • ummah.org.uk
Symptoms

  • Existence of the files, Registry keys and HOSTS/LMHOSTS entries detailed above

Method of Infection

The worm installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).

It copies itself over network shares.

Although mailing has not been observed in testing at the time of writing, strings within the worm suggest that it mails itself out to all email addresses found in:

  • Windows Address Book
  • MSN Messenger
  • .NET Messenger
  • Yahoo Pager
  • Files matching *.HT*

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

  N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.