W32/Yaha.g@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 06/15/2002
Length: 29,839 bytes
Minimum DAT: 4208 (06/19/2002)
Updated DAT: 4317 (01/21/2004)
Minimum Engine: 5.1.00
Description Added: 06/19/2002
Description Modified: 10/17/2003 2:42 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Medium

Characteristics

This mass-mailing worm sends itself by SMTP to addresses harvested from the local system. It arrives in an email message with the following characteristics:

From: The From address may be forged (spoofed) by the worm, so the apparent sender is not the actual sender.
Subject: Fw: (any of the following strings and string combinations): searching for true Love, you care ur friend, Who is ur Best Friend, make ur friend happy, True Love, Dont wait for long time, Free Screen saver, Friendship Screen saver, Looking for Friendship, Need a friend?, Find a good friend, Best Friends, I am For u, Life for enjoyment, Nothink to worryy, Ur My Best Friend, Say 'I Like You' , To ur friend, Easy Way to revel ur love, Wowwwwwwwwwww check it, Send This to everybody u like, Enjoy Romantic life, Let's Dance and forget pains, war Againest Loneliness, How sweet this Screen saver, Let's Laugh, One Way to Love, Learn How To Love, Are you looking for Love, love speaks from the heart, Enjoy friendship, Shake it baby, Shake ur friends, One Hackers Love, Origin of Friendship, The world of lovers, The world of Friendship, Check ur friends Circle Friendship, how are you, U r the person? Hi, U realy Want this, Romantic, humour, New, Wonderfool, excite, Cool, charming, Idiot, Nice, Bulls--t, One, Funny, Great, LoveGangs, Shaking, powful, Joke, Interesting, Screensaver, Friendship, Love, relations, stuff, to ur friends, to ur lovers, for you, to see, to check, to watch, to enjoy, or to share)

Note: The body contains constructed URLs. These addresses are built from the following strings: screensaver, screensaver4u, screensaverforu, freescreensaver, love, lovers, lovescr, loverscreensaver, loversgang, loveshore, love4u, lovers, enjoylove, sharelove, shareit, checkfriends, urfriend, friendscircle, friendship, friends, friendscr, friends, friends4u, friendship4u, friendshipbird, friendshipforu, friendsworld, werfriends, passion, bulls--tscr, shakeit, shakescr, shakinglove, shakingfriendship, passionup, rishtha, greetings, lovegreetings, friendsgreetings, friendsearch, lovefinder, truefriends, truelovers, f--ker, followed by .com, .net, or .org.

Body:

Hi
Check the Attachement ..
See u

or Hi
Check the Attachement ..

or Attached one Gift for u..

or wOW CHECK THIS
sender's name

or (a forged Exim non-delivery notice)
This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients.

This is a permanent error. The following address(es) failed:sender's email address

For further assistance, please contact < postmaster@constructed url > If you do so, please include this problem report. You can delete your own text from the message returned below.

Copy of your message, including all the headers is attached

or

----- Original Message -----
From: "freescreensaver" < constructed url >
To: < recipient's address >
Sent: date/time
Subject: constructed random subject

This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from www.constructed url to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
http://constructed url/remove?freescreensaver
* Enter your email address (recipient's address) in the field provided and click "Unsubscribe".

OR...

* Reply to this message with the word "REMOVE" in the subject line.

This message was sent to address recipient's address
X-PMG-Recipient: recipient's address

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

or

The message may contain fragments of files found on the infected system, followed by:
.
.
Check the attachment
or
.
.
See the attachment
or
.
.
Enjoy the attachment
or
.
.
More details attached


Attachment: the filename is chosen from loveletter, resume, biodata, dailyreport, mountan, goldfish, weeklyreport, report, or love, or may be the name of a file found on the infected system. The extension is built from two parts: an optional decoy extension (".doc", ".mp3", ".xls", ".wav", ".txt", ".jpg", ".gif", ".dat", ".bmp", ".htm", ".mpg", ".mdb", ".zip", or none) followed by an executable extension (".pif", ".bat", or ".scr"), giving names such as loveletter.doc.scr or report.pif.

Some messages exploit the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (Microsoft Security Bulletin MS01-020); others do not. Where the exploit is used, an unpatched system executes the attachment automatically when the message is opened. On patched systems, or when the exploit is not used, the attachment must be run manually.
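The subject, body, URL and attachment traits above are enough to triage this lure at a mail gateway. The following is an added example, not McAfee's code or the worm's: it parses a message with the standard library, checks the "Fw:" subject, the constructed .com/.net/.org domains, the decoy double extension and the worm's filename list, and flags an executable attachment declared under a media type. The exact MIME header the exploit used is not quoted in the description, so treating any audio/image/text/video type on a .pif/.bat/.scr part as the MS01-020 mismatch is an assumption. Both sample messages are constructed, and the attachment bytes are a stub.

```python
"""Added example (not McAfee's code): gateway triage for Yaha.g-style lures.
Only traits quoted in the description above are used; samples are constructed."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Lure phrases, filenames, extensions and URL labels taken from the description.
SUBJECT_HINTS = ("screen saver", "screensaver", "friend", "love", "shake",
                 "romantic", "joke", "wowww", "check it", "enjoy")
NAMES = {"loveletter", "resume", "biodata", "dailyreport", "mountan",
         "goldfish", "weeklyreport", "report", "love"}
DECOY_EXT = {".doc", ".mp3", ".xls", ".wav", ".txt", ".jpg", ".gif", ".dat",
             ".bmp", ".htm", ".mpg", ".mdb", ".zip"}
EXEC_EXT = {".pif", ".bat", ".scr"}
URL_LABELS = {"screensaver", "screensaver4u", "screensaverforu", "freescreensaver",
              "love", "lovers", "lovescr", "loverscreensaver", "loversgang",
              "loveshore", "love4u", "enjoylove", "sharelove", "shareit",
              "checkfriends", "urfriend", "friendscircle", "friendship",
              "friends", "friendscr", "friends4u", "friendship4u",
              "friendshipbird", "friendshipforu", "friendsworld", "werfriends",
              "passion", "shakeit", "shakescr", "shakinglove", "shakingfriendship",
              "passionup", "rishtha", "greetings", "lovegreetings",
              "friendsgreetings", "friendsearch", "lovefinder", "truefriends",
              "truelovers"}
URL_RE = re.compile(r"\b(?:www\.)?([a-z0-9]+)\.(?:com|net|org)\b")
# Assumption: the MS01-020 trick declares the executable part under a media type
# the mail client renders inline; the description does not quote the header.
AUTORUN_TYPES = {"audio", "image", "text", "video"}


def attachment_reasons(part):
    """Findings for one attachment part; empty unless it is an executable type."""
    fname = (part.get_filename() or "").lower()
    stem, ext = os.path.splitext(fname)
    if ext not in EXEC_EXT:
        return []
    out = [f"attachment {fname}: executable extension {ext}"]
    base, decoy = os.path.splitext(stem)
    if decoy in DECOY_EXT:                     # e.g. loveletter.doc.scr
        out.append(f"attachment {fname}: decoy double extension {decoy}{ext}")
        stem = base
    if stem in NAMES:
        out.append(f"attachment {fname}: Yaha filename '{stem}'")
    ctype = part.get_content_type()
    if ctype.split("/")[0] in AUTORUN_TYPES:
        out.append(f"attachment {fname}: declared {ctype} but executable (MS01-020 pattern)")
    return out


def triage(raw):
    """Return the list of Yaha indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").lower()
    if subject.startswith("fw:") and any(h in subject for h in SUBJECT_HINTS):
        reasons.append("subject: 'Fw:' plus Yaha lure phrase")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    hits = set(URL_RE.findall(body)) & URL_LABELS
    if hits:
        reasons.append("body: constructed Yaha domain " + ", ".join(sorted(hits)))
    for part in msg.iter_attachments():
        reasons.extend(attachment_reasons(part))
    return reasons


def build_sample(subject, body, fname, maintype, subtype):
    """Constructed test message; the attachment payload is a stub, not a binary."""
    msg = EmailMessage()
    msg["From"] = "friend@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ stub - constructed, not a real executable",
                       maintype=maintype, subtype=subtype, filename=fname)
    return msg.as_bytes()


LURE = build_sample("Fw: Free Screen saver",
                    "Hi\nCheck the Attachement ..\n"
                    "Send this screensaver from www.freescreensaver.com to everyone\n",
                    "loveletter.doc.scr", "audio", "x-wav")
CLEAN = build_sample("Q3 numbers",
                     "Spreadsheet attached.\nSee https://intranet.example.com/q3\n",
                     "report.xlsx", "application", "octet-stream")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("clean", CLEAN)):
        print(label, triage(raw))
```

Any one indicator is weak on its own ("report" is a common filename); the combination of a decoy double extension with an executable part declared as audio is what should block the message outright.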

Once run, the worm copies itself to the Recycle Bin under a random 4-character name and hooks the registry so that it is loaded every time an .EXE file is run:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default) = "%virus_path%" %1 %*

Because every program launch now passes through the worm, deleting the dropped file without restoring this value leaves the system unable to start .EXE files; the registry value must be repaired as well.

A text file with the same random name is saved to the Windows directory. It contains the text:
  <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> 

iNDian sNakes pResents yAha.E

iNDian hACkers,Vxers c0me & w0Rk wITh uS & f--k tHE GFORCE-pAK s--tes

bY

sNAkeeYes,c0Bra

 <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> 
The worm also tries to contact the website http://www.pak.gov.pk several times a minute.

Symptoms

When run, the virus may display a message box. The message displayed is chosen from the following list:

  • Ur My Best Friend!!
  • No Configuration is availabile Now
  • Config
  • madd
  • U r so cute today #!#!
  • True Love never ends
  • I like U very much!!!
  • U r My Best Friend
A screen saver may be displayed, and the image may shake back and forth.

Method of Infection

When run, the worm may try to terminate the following processes if they are running:

  • ANTIVIR
  • ATRACK
  • AVCONSOL
  • AVP.EXE
  • AVP32
  • AVSYNMGR
  • CFINET
  • CFINET32
  • F-PROT95
  • FP-WIN
  • F-STOPW
  • IAMAPP
  • ICMON
  • IOMON98
  • LOCKDOWN2000
  • LUALL
  • LUCOMSERVER
  • MCAFEE
  • NAVAPSVC
  • NAVAPW32
  • NAVLU32
  • NAVRUNR
  • NAVW32
  • NAVWNT
  • NISSERV
  • NISUM
  • NMAIN
  • NORTON
  • NVC95
  • PCCWIN98
  • POP3TRAP
  • PVIEW95
  • RESCUE32
  • SAFEWEB
  • SCAM32
  • SIRC32
  • SYMPROXYSVC
  • VSHWIN32
  • VSSTAT
  • WEBSCANX
  • WEBTRAP
  • WINK
  • ZONEALARM
The worm gathers email addresses from MAILTO links in files matching *ht* and *HoTMaiL*, from the Windows Address Book, and from the MSN Messenger, ICQ, and Yahoo Pager contact lists. Messages are sent to the addresses found, as described above, using SMTP. The default SMTP server is read from the registry:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
The worm also saves a MIME encoded copy of itself to the TEMP directory as "kitkat", which it uses when mass-mailing itself out.

The worm contains code to spread via network shares. It looks for shares with the following names:

  • WIN
  • WIN95
  • WIN98
  • WINDOWS
  • WINNT
  • WINME
  • WINXP
It attempts to copy itself to these shares as MSTASKMON.EXE and to modify the remote WIN.INI so that the worm is loaded at startup.
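The two persistence hooks described above, the exefile handler hijack and the WIN.INI startup line written to remote shares, can be checked from a registry export and a copy of WIN.INI. The following is an added example, not McAfee's code: it parses a "reg export" dump of the exefile key, reports any program interposed before "%1", and parses the [windows] section of WIN.INI for load= and run= entries naming MSTASKMON.EXE. The description does not say which WIN.INI line the worm uses, so checking load= and run= (the two documented startup lines) is an assumption; the RECYCLED path and the 4-character filename in the sample dump are constructed placeholders.

```python
"""Added example (not McAfee's code): checks for the exefile handler hijack and
the WIN.INI startup entry described above.  Sample inputs are constructed."""
import ntpath

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
WORM_SHARE_NAME = "mstaskmon.exe"   # copy placed on WIN*/WINDOWS shares


def reg_unescape(s):
    """Undo .reg quoting: a backslash escapes both backslash and double quote."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def reg_default_value(reg_text, key):
    """(Default) string value of `key` in a 'reg export' dump, or None if absent."""
    in_key = False
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_key = s[1:-1].lower() == key.lower()
        elif in_key and s.startswith('@="') and s.endswith('"'):
            return reg_unescape(s[3:-1])
    return None


def first_token(cmd):
    """First program of a shell command, honouring Windows double quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def exefile_hijack(command):
    """Program interposed before %1, or None when the handler is the clean "%1" %*."""
    if command is None:
        return None
    head = first_token(command)
    return None if head == "%1" else head


def winini_startup(text):
    """Programs listed on the load= and run= lines of the [windows] section."""
    found = {"load": [], "run": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1].lower()
        elif section == "windows" and "=" in s:
            key, value = (x.strip() for x in s.split("=", 1))
            if key.lower() in found and value:
                found[key.lower()] = value.replace(",", " ").split()
    return found


def yaha_findings(reg_text, winini_text):
    """Human-readable findings for the two persistence hooks."""
    findings = []
    path = exefile_hijack(reg_default_value(reg_text, EXEFILE_KEY))
    if path:
        findings.append(f"exefile handler hijacked by {path}; repair the key before deleting the file")
    for key, progs in winini_startup(winini_text).items():
        for prog in progs:
            if ntpath.basename(prog).lower() == WORM_SHARE_NAME:
                findings.append(f"WIN.INI [windows] {key}= starts {prog}")
    return findings


# Constructed samples: 'xk4q.exe' stands in for the random 4-character name.
REG_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\RECYCLED\\xk4q.exe\" %1 %*"
'''
REG_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
WININI_INFECTED = "[windows]\nload=\nrun=C:\\WINDOWS\\MSTASKMON.EXE\nNullPort=None\n[Desktop]\nWallpaper=(None)\n"
WININI_CLEAN = "[windows]\nload=\nrun=\nNullPort=None\n"

if __name__ == "__main__":
    print(yaha_findings(REG_INFECTED, WININI_INFECTED))
    print(yaha_findings(REG_CLEAN, WININI_CLEAN))
```

The order matters during cleanup: restore the exefile default to "%1" %* first, then remove the dropped file, otherwise no .EXE will start, which is also why the removal notes below insist that SCAN.EXE run under Windows so that its registry repair takes effect.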

Removal

Use current engine and DAT files for detection and removal.

Once a system is infected, VirusScan may not be able to run, because the worm can terminate the process before any scanning or removal completes.

This can make removal more difficult for users. AVERT has therefore released a removal tool to assist infected users.

Alternatively, the following steps circumvent the worm and allow proper scanning and removal with the command-line scanner.

Note: The command-line scanner, SCAN.EXE, needs to be run from within the Windows environment in order for registry repair to succeed. Booting to a DOS prompt prior to running SCAN.EXE will result in incomplete virus removal where registry repair is required.

  1. Ensure that you are using the minimum DAT (specified above) or higher
  2. Close all running applications
  3. Disconnect the system from the network
  4. Click START | RUN, type command and hit ENTER
  5. Change to the VirusScan engine directory:
    • Win9x/ME - Type cd \progra~1\common~1\networ~1\viruss~1\40~1.xx and hit ENTER
    • WinNT/2K/XP - Type cd \progra~1\common~1\networ~1\viruss~1\4.0.xx and hit ENTER
  6. Type scan.exe /adl /clean and hit ENTER
  7. After scanning and removal is complete, reboot the system and reconnect to the network

Variants

  • W32/Yaha.g.dam

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Yaha.F@mm (Symantec)
  • W32/Lentin.E (Panda)
  • W32/Yaha-E (Sophos)
  • Worm/Lentin.F (CentralCommand)
  • WORM_YAHA.E (Trend)
  • Yaha.E (F-Secure)
