W32/Yenik.worm

Type
Virus
SubType
Worm
Discovery Date
02/10/2004
Length
18,432 bytes
Minimum DAT
4323 (02/11/2004)
Updated DAT
4323 (02/11/2004)
Minimum Engine
5.1.00
Description Added
02/10/2004
Description Modified
02/10/2004 11:30 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This threat is detected with DATs previous to 4323 as New Malware.b when scanning compressed files (default option) with program heuristics enabled.

This worm spreads by copying itself to the shared directory of various P2P clients and ICQ. It also tries to spread through email, though this was not observed to be successful in testing.

If the worm is not run from the Windows System directory or one of the default "shared" directories listed below, it crashes after creating a 0-byte Yeni.txt in the directory it was run from. If the worm is run from one of these expected directories, it creates copies of itself using the following filenames:

  • DivX Pro.exe
  • Ftp Hacker.exe
  • GTA Keygen.exe
  • Half Life 2 Original KeyGen.exe
  • Hotmail Hacker.exe
  • ICQ Hacker.exe
  • Kaspersky Anti-Hacker.exe
  • Linux Kernel Hacker.exe
  • Matrix Screen Saver.exe
  • NetBIOS Hacker.exe
  • New Exploit.exe
  • New Keylogger.exe
  • SYSTEM\NewVirusCleaner.exe
  • PopStar-Abidin.mp3.exe
  • PopStar-Bayhan.mp3.exe
  • PopStar-Firdevs.mp3.exe

These copies will be created in the following default "shared" folders for various applications:

  • C:\Program Files\Morpheus\My Shared Folder\
  • C:\Program Files\eMule\Incoming\
  • C:\Program Files\eDonkey2000\Incoming\
  • C:\Program Files\Bearshare\Shared\
  • C:\Program Files\Grokster\My Grokster\
  • C:\Program Files\ICQ\Shared Folder\
  • C:\Program Files\Kazaa Lite K++\My Shared Folder\
  • C:\Program Files\Kazaa Lite\My Shared Folder\
  • C:\Program Files\Kazaa\My Shared Folder\

It also copies itself as one of the following filenames in the directory it was run from, and makes a copy of the file to be sent by email in Yeni.txt (25,845 bytes):

  • PrivateMessage.exe
  • VirusHunherII.exe
  • W32-Myd00m_Blocker.exe
  • Win98Security.exe
  • Patcher.exe
  • InternetExplorerSecurity.exe
  • FreeAntivirus.exe

When constructing the email it tries to send, strings in the file indicate that the subject and message body are chosen from the following lists of possibilities.

Subject:

  • Big Virus Cleaner Tools
  • Win98 Security Tools
  • New Big Patcher
  • New Private Message
  • Free Antivirus
  • Internet Explorer Security Bug Fix
  • Virus Hunter in your box
  • No Virus and New Life
  • New Security Patcher

Message Body:

  • What are Viruses, Trojan Horses and Worms? "Though these terms are often used interchangeably, they refer to different types of "malicious computer programs.  
  • Guide to Online Security "Protecting your privacy and information online is extremely important to Yahoo!. We are " constantly evaluating our security technologies to ensure we are taking every reasonable "step to protect your personal information.   
  • Disabling System Restore (Windows Me/XP) "If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System" Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your "computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System "Restore may back up the virus, worm, or Trojan on the computer.

The email addresses it tries to use will be taken from the Windows Address book and sent through the default SMTP server on the infected machine.

This worm does not create any registry entries to run itself at startup, so once the worm is removed from memory it will not start again. The worm leaves memory when it crashes after being run from an unexpected directory, when it exits after attempting to send email, or when the infected system is restarted.

Symptoms

Presence of the files listed above.
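The symptoms above are purely file-based, so an administrator can check a machine or a mounted image for them without any vendor tooling. The script below is an added example and is not McAfee's code: it encodes the filenames, default shared folders and sizes (18,432 bytes for the worm body; 0 or 25,845 bytes for Yeni.txt) from this description, walks a directory tree, and reports matches. Names are compared case-insensitively because the worm's target filesystems are; the folder list is assumed to sit under the scan root in the same way it sits under C:\ on a real system, and the `make_sample_tree` helper builds a constructed sample tree for demonstration only. A filename match alone is not confirmation, so each finding also notes whether the file size agrees with the description.

```python
"""Filesystem check for the W32/Yenik.worm indicators given in the description.

Added example; indicator values come from the description text, sample data is constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Lower-cased filenames the worm drops into P2P/ICQ shared folders.
# "NewVirusCleaner.exe" is listed as SYSTEM\NewVirusCleaner.exe (the Windows System directory).
SHARED_FOLDER_DROPS = {
    "divx pro.exe", "ftp hacker.exe", "gta keygen.exe",
    "half life 2 original keygen.exe", "hotmail hacker.exe", "icq hacker.exe",
    "kaspersky anti-hacker.exe", "linux kernel hacker.exe",
    "matrix screen saver.exe", "netbios hacker.exe", "new exploit.exe",
    "new keylogger.exe", "newviruscleaner.exe",
    "popstar-abidin.mp3.exe", "popstar-bayhan.mp3.exe", "popstar-firdevs.mp3.exe",
}
# Lower-cased filenames the worm drops into the directory it was run from.
RUN_DIR_DROPS = {
    "privatemessage.exe", "virushunherii.exe", "w32-myd00m_blocker.exe",
    "win98security.exe", "patcher.exe", "internetexplorersecurity.exe",
    "freeantivirus.exe",
}
# Default shared folders from the description, relative to the scan root (C:\ on a real host).
DEFAULT_SHARED_FOLDERS = [
    Path("Program Files/Morpheus/My Shared Folder"),
    Path("Program Files/eMule/Incoming"),
    Path("Program Files/eDonkey2000/Incoming"),
    Path("Program Files/Bearshare/Shared"),
    Path("Program Files/Grokster/My Grokster"),
    Path("Program Files/ICQ/Shared Folder"),
    Path("Program Files/Kazaa Lite K++/My Shared Folder"),
    Path("Program Files/Kazaa Lite/My Shared Folder"),
    Path("Program Files/Kazaa/My Shared Folder"),
]
WORM_LENGTH = 18_432        # length of the worm body per the description
EMAIL_COPY_LENGTH = 25_845  # size of Yeni.txt when it holds the copy staged for email


def classify(path: Path) -> Optional[str]:
    """Return an indicator label for one file, or None if its name is not an indicator."""
    name = path.name.lower()
    size = path.stat().st_size
    if name == "yeni.txt":
        if size == 0:
            return "yeni.txt (0 bytes): crash artifact from a run outside an expected directory"
        if size == EMAIL_COPY_LENGTH:
            return "yeni.txt (25,845 bytes): copy staged for email"
        return f"yeni.txt (unexpected size {size})"
    if name in SHARED_FOLDER_DROPS or name in RUN_DIR_DROPS:
        where = "shared-folder" if name in SHARED_FOLDER_DROPS else "run-directory"
        match = ("size matches worm body" if size == WORM_LENGTH
                 else f"size {size} differs from 18,432")
        return f"{where} drop name ({match})"
    return None


def in_default_shared_folder(path: Path, root: Path) -> bool:
    """True if the file sits directly in one of the listed default shared folders under root."""
    try:
        rel = path.parent.relative_to(root)
    except ValueError:
        return False
    return any(rel.as_posix().lower() == f.as_posix().lower() for f in DEFAULT_SHARED_FOLDERS)


def scan_tree(root) -> list:
    """Walk root and return one finding per indicator file, sorted by path."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            label = classify(p)
            if label:
                findings.append({
                    "path": str(p),
                    "indicator": label,
                    "in_default_shared_folder": in_default_shared_folder(p, root),
                })
    return sorted(findings, key=lambda f: f["path"])


def make_sample_tree() -> Path:
    """Build a constructed sample tree in a temp directory (demo data, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="yenik-demo-"))
    shared = root / "Program Files" / "Kazaa" / "My Shared Folder"
    shared.mkdir(parents=True)
    (shared / "DivX Pro.exe").write_bytes(b"\0" * WORM_LENGTH)   # name and size both match
    downloads = root / "Downloads"
    downloads.mkdir()
    (downloads / "Yeni.txt").write_bytes(b"")                   # 0-byte crash artifact
    (downloads / "readme.txt").write_bytes(b"not an indicator")
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_sample_tree()):
        print(finding)
```

On a live Windows host you would call `scan_tree(r"C:\")` (and the Windows System directory separately, since NewVirusCleaner.exe is dropped there); on a forensic image, point it at the mount root. Matches in a default shared folder with the expected size are the strongest signal; a bare name match with a different size is worth a look but is not by itself evidence of this worm.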

Method of Infection

This worm spreads by copying itself to the default shared folders of certain P2P clients and ICQ.  It also tries to spread via email.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Yenik (AVP)
  • W32.Yenik.A@mm (NAV)
  • W32/Yenik.A.worm (Panda)
