W32/Yanz.a@MM

Type: Virus
SubType: Email
Discovery Date: 11/17/2004
Length: 68,608 bytes
Minimum DAT: 4407 (11/17/2004)
Updated DAT: 4416 (12/22/2004)
Minimum Engine: 5.1.00
Description Added: 11/17/2004
Description Modified: 11/24/2004 9:24 AM (PT)

Risk Assessment
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

--Update 11/24/2004

This virus has been updated to Low-Profiled due to media attention at http://www.webuser.co.uk/news/59666.html.

--

This is a mass-mailing worm written in MSVC. It carries its own SMTP engine, which it uses to construct and send the outgoing messages described below.

Mail Propagation

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address indicates that the sender is infected; the worm forges it. Additionally, you may receive alert messages from a mail server telling you that you are infected, which may not be the case.

Subject: (taken from the following list)

  • Forever Sun Yanzi

  • Love and SuN YanZi

  • Free MP3

  • Sun-YanZi Mp3

  • SuN YanZi

  • Sun-YanZi

  • Guvenlik

Body: (taken from the following list)

  • I don't want anything. I want to see Sun YanZi

  • My Favourite is Sun YanZi.

  • I want to meet Sun YanZi. I am loving Sun-YanZi Magic.

  • You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.

Attachment: (taken from the following list, with an extension of .CMD, .PIF, .SCR or .ZIP)

  • Stephan_Yanzi

  • Love_Sun

  • Sun_Yanzi_Mp3

  • Sun_Yanzi

  • SunYanzi

Target email addresses are harvested from the victim machine. Files with the following extensions are searched:

  • dbx

  • adb

  • asp

  • jsp

  • rtf

  • doc

  • xml

  • txt

  • htm

  • html

The virus does not mail itself to email addresses containing the following strings:

  • @google

  • @norman

  • @sophos

  • @symantec

  • @kaspersky

  • @pandasoftware

  • @microsoft
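As an added example (not part of the McAfee description), the following Python classifies a mail message against the subject and attachment lists above, ignoring the From header because, as noted, it is spoofed. The sample messages are constructed, and the verdict labels (block / quarantine / deliver) are my own convention.

```python
import os
from email import message_from_string, policy
# Indicators copied (lower-cased) from this page's W32/Yanz.a@MM description.
YANZ_SUBJECTS = {"forever sun yanzi", "love and sun yanzi", "free mp3",
                 "sun-yanzi mp3", "sun yanzi", "sun-yanzi", "guvenlik"}
YANZ_ATTACH_STEMS = {"stephan_yanzi", "love_sun", "sun_yanzi_mp3",
                     "sun_yanzi", "sunyanzi"}
YANZ_ATTACH_EXTS = {".cmd", ".pif", ".scr", ".zip"}

def classify(raw_message):
    """Return (verdict, reasons) for one RFC 822 message. The From header is
    ignored on purpose: the page notes it is spoofed, so it identifies nothing."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("subject", "")).strip().lower()
    if subject in YANZ_SUBJECTS:
        reasons.append("subject on Yanz.a list: %r" % subject)
    for part in msg.walk():                      # every MIME part, attachments included
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if stem in YANZ_ATTACH_STEMS and ext in YANZ_ATTACH_EXTS:
            reasons.append("attachment on Yanz.a list: %r" % name)
    if any(r.startswith("attachment") for r in reasons):
        return "block", reasons        # listed lure name with a .cmd/.pif/.scr/.zip extension
    if reasons:
        return "quarantine", reasons   # lure subject without the attachment: hold for review
    return "deliver", reasons

# Constructed sample (not a real capture) shaped like a Yanz.a lure.
SAMPLE_WORM = """\
From: fan@example.test
Subject: Free MP3
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

My Favourite is Sun YanZi.
--b1
Content-Type: application/octet-stream; name="Sun_Yanzi.scr"
Content-Disposition: attachment; filename="Sun_Yanzi.scr"

XXXX
--b1--
"""
# Constructed benign message: ordinary subject and a PDF attachment.
SAMPLE_OK = SAMPLE_WORM.replace("Free MP3", "Minutes").replace("Sun_Yanzi.scr", "minutes.pdf")
```

At a gateway the same check would be run per message; the subject-only "quarantine" verdict exists because the subject strings are short enough to collide with legitimate mail.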

Peer To Peer Propagation

The virus copies itself to folders on the victim machine that contain the string 'SHAR'. The following enticing filenames are used:

  • Sun YanZi.avi.exe

  • Sun YanZi.mpg.exe

  • Sun YanZi.mpeg.exe

  • Sun YanZi - Shen Qi.exe

  • Sun YanZi - I am not sad.mp3.exe

  • Sun YanZi - Leave me alone.mp3.exe

  • Sun YanZi - forever.mp3.exe

  • Stephan YanZi.Mp3.exe

  • Sun-YanZi.mp3.exe

Installation

When this file is run, it copies itself to the Windows System directory as LSASSS.EXE and YANZI.EXE.

It also creates the following files to perform its functions:

  • %WinDir%\YanZi.zip (68,732 bytes) - ZIP file containing a copy of the worm

  • %SysDir%\sun.sys (93,886 bytes) - UUEncoded copy of the worm

  • %SysDir%\sun_yanzi.sys (94,054 bytes) - UUEncoded copy of the ZIP file

The following files are created in the directory where the file was run:

  • en Qi.exe - copy of the worm

  • e - copy of the worm

  • sun_yanzi.htm - harmless HTML file which contains no scripts

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Kernel" = %SysDir%\LSASSS.EXE

Remote Access Component

When this worm is in memory, it will open and listen on TCP port 67.

Process Termination

This worm will terminate the MSCONFIG.EXE and REGEDIT.EXE processes if they are running.

Symptoms

  • Upon executing the virus, a dialogue is displayed as follows:

  • Existence of the files and registry entry listed above

Method of Infection

  • This virus tries to spread via email.
  • The virus copies itself to folders on the victim machine that contain the string 'SHAR'.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
