W32/Yarner.gen@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 02/18/2002
Length: 437760
Minimum DAT: 4187 (02/20/2002)
Updated DAT: 4317 (01/21/2004)
Minimum Engine: 5.1.00
Description Added: 02/19/2002
Description Modified: 02/21/2002 12:24 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update 2/20/2002 --
AVERT has lowered the risk assessment to LOW.

This is a new worm seen by AVERT researchers in Germany and the UK today, 19 Feb 2002.

This worm has its own SMTP e-mailing engine which gets e-mail addresses from the Microsoft Outlook address book and .pl, .php, .htm, .shtm, and .cgi files, storing them in the file kernei32.daa.

The worm gets the system default SMTP server from a registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\SMTP Server
It stores this and other server details (hardcoded within the worm) in the file kernei32.das.

The worm copies itself to the Windows folder under a randomly selected name and creates a registry run key value to load the worm at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce

It also replaces notepad.exe, copying the original notepad.exe to notedpad.exe. The worm's payload is to delete every file on drive C: that is not locked.

The virus arrives in an email message with the following information:

From: (forged) webmaster@trojaner-info.de
Subject: Trojaner-Info Newsletter 18.02.02 (date is updated according to infected machine)
Attachment: yawsetup.exe

The message is formatted as follows (destination email address removed). Note that the people and websites mentioned are innocent and not the originators of the virus.

In full, and translated, this reads:

Hello! 

Welcome to the latest newsletter from Trojaner-Info.de 

Content: 

1. YAW 2.0 - the latest version of our porn-dialer warner 

**** 

1. YAW 2.0 - Our porn-dialer warner in its latest version. 

Our widely used Dialerwarner YAW is now available in a brand new and enhanced version. All
subscribers to our newsletter get this version for free with this newsletter.

Just start the attached file and YAW 2.0 installs itself. 

If there are any questions the programmer of this unique tool is available at 
[...]

Have fun with YAW! 

http://www.trojaner-info.de/dialer/yaw.shtml

**** 

That's it with the latest Trojaner-Info news, thank you for your attention and we wish all our
readers a pleasant week. 

The rest is standard newsletter headers. Again, the people and websites mentioned are not the true originators of the virus.

At the end of the file is a comment:

Als kleines Dankeschön von der Pornoindustrie. Das ist nur der Anfang, wenn ihr nicht aufhoert.

Translation of the comment: A little present from the porn industry. This is just the beginning if you don't stop.

Symptoms

Presence of the following files in %windir%:

  • NOTEDPAD.EXE
  • KERNEL32.DAA
  • KERNEL32.DAS
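
The symptom list above and the dropper, Runonce and mail-lure behaviour described under Characteristics, as an added triage example (not McAfee's or AVERT's code): it runs over a constructed host snapshot rather than a live registry, and the Runonce path heuristic and the notepad/notedpad hash comparison are assumptions about how a responder would confirm the infection, not steps stated on the page.

```python
"""Host and mail indicator checks for W32/Yarner.gen@MM (added example, not McAfee code).
Runs over a constructed snapshot so it works offline on any OS."""
import re
from typing import Dict, Iterable, List

# Files the description places in %windir%; the page spells the data files both
# kernei32.* and KERNEL32.*, so match either (Windows names are case-insensitive).
DROPPED_FILES = {"notedpad.exe", "kernel32.daa", "kernel32.das",
                 "kernei32.daa", "kernei32.das"}
# Lure headers from the page: forged sender, dated subject, fixed attachment name.
LURE_SENDER = "webmaster@trojaner-info.de"
LURE_SUBJECT = re.compile(r"^Trojaner-Info Newsletter \d{2}\.\d{2}\.\d{2}$")


def assess_host(windir_files: Iterable[str], runonce_values: Dict[str, str],
                windir: str = r"C:\WINDOWS", notepad_sha256: str = "",
                notedpad_sha256: str = "") -> List[str]:
    """Return findings for one host snapshot; an empty list means no indicator matched.
    runonce_values maps value names under HKCU\\...\\CurrentVersion\\Runonce to commands."""
    findings = []
    present = {name.lower() for name in windir_files}
    for name in sorted(DROPPED_FILES & present):
        findings.append(f"dropped file present: {windir}\\{name}")
    # The worm copies itself under a random name into %windir% and loads it from
    # Runonce, so any Runonce command whose target sits directly in %windir% is
    # suspect (heuristic assumed here, not stated on the page).
    prefix = windir.lower().rstrip("\\") + "\\"
    for value_name, command in runonce_values.items():
        target = command.strip().strip('"').lower()
        if target.startswith(prefix) and "\\" not in target[len(prefix):]:
            findings.append(f"Runonce value {value_name!r} loads {command} from %windir%")
    # notedpad.exe is the displaced original; if both hashes are known and differ,
    # notepad.exe has been replaced (comparison assumed as the confirmation step).
    if notepad_sha256 and notedpad_sha256 and notepad_sha256 != notedpad_sha256:
        findings.append("notepad.exe differs from the notedpad.exe backup: replaced")
    return findings


def is_lure_message(sender: str, subject: str, attachment: str) -> bool:
    """True when all three header indicators from the page match."""
    return (sender.strip().lower() == LURE_SENDER
            and LURE_SUBJECT.match(subject.strip()) is not None
            and attachment.strip().lower() == "yawsetup.exe")


# Constructed snapshot of an infected host (sample data, not from a real case).
SAMPLE_FILES = ["explorer.exe", "notepad.exe", "NOTEDPAD.EXE", "kernel32.daa", "KERNEL32.DAS"]
SAMPLE_RUNONCE = {"xkqz": r"C:\WINDOWS\xkqz.exe"}
```

Calling assess_host(SAMPLE_FILES, SAMPLE_RUNONCE) with two differing hashes yields five findings; a clean snapshot with an empty Runonce yields none.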

Method of Infection

Running yawsetup.exe will infect the system.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Yarner.a (AVP)
  • I-Worm.Yarner.b (AVP)
  • Trojan.Yaw.20 (MkS_vir)
  • W32.Yarner.A@mm (NAV)
  • W32/Yarner (Sophos)
  • W32/Yarner.A@mm (Norman)
  • W32/Yarner@MM
  • Win32/Yarner.A worm (ESET)
  • Win32/Yarner.B@mm (GeCAD)
  • Win32/Yaw.A worm (ESET)
  • Win32/Yawer
  • Yaw
  • yawsetup.exe
