W32/Yaha.j@MM
- Type: Virus
- SubType: E-mail worm
- Discovery Date: 12/13/2002
- Length: 25,746 bytes (UPXed)
- Minimum DAT: 4238 (12/18/2002)
- Updated DAT: 4309 (12/17/2003)
- Minimum Engine: 5.1.00
- Description Added: 12/13/2002
- Description Modified: 01/16/2003 3:42 PM (PT)
Characteristics
There have been numerous postings of this email virus to newsgroups.
McAfee products using the 4177 DATs (release date: Dec 19th 2001) or higher, with program heuristics enabled, will detect this threat as "virus or variant New Malware".
Initial testing shows this threat to be buggy. Complete details will be posted once analysis is complete.
Thus far email replication has not been observed in testing. However, strings within the virus suggest the intended message is formatted similarly to at least one previous W32/Yaha variant:
Attachment: a double extension '.xxx .scr', where 'xxx' is one of the following extensions: PDF, GIF, PPT, JPG, DOC.
Body:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.truefriends.net to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: http://truefriends.net/remove?freescreen saver
* Enter your email address in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "REMOVE" in the subject line.
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
The virus contains the following string:
r^0^x~X pR3$@Nt$ @Y3rH$.@?? tHi$ i$ jU$t tH3 b3gInNiNg..?w3 ar3 tH3 gR3@t 1nD1@N$..??w3 k1cK pAk1 a$$..
Symptoms
A fake error message is displayed when the virus executes for the first time.
The virus copies itself onto the victim machine as WINREG.EXE, NAV32.EXE and MSNMSG32.EXE in the Windows system directory, for example:
C:\WINNT\SYSTEM32\MSNMSG32.EXE
The virus adds the following Registry keys to hook Windows startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"winReg" = C:\WINDOWS\SYSTEM\winReg.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"winReg" = C:\WINDOWS\SYSTEM\winReg.exe
Subsequent execution of EXE files is also hooked:
HKEY_CLASSES_ROOT\exefile\shell\open\command
"(Default)" changed from
"%1" %*
to:
"C:\WINDOWS\SYSTEM\nav32.exe" "%1" %*
Additionally, the virus may copy itself into the Windows directory with one of the following filenames (observed on NT/2000 only in testing):
- bestfriend.scr
- mAtRiX.scr
- EvilDaemon.scr
- Love.scr
- Escort.scr
- NeverMind.scr
- HotShot.scr
- Honey.scr
- ScreenSaver.scr
- LoverScreenSaver.scr
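Added defender-side example (not part of the McAfee description): this Python parses an exported .reg snapshot and flags the two startup entries and the exefile handler hijack listed above. The sample export is constructed for the example; the key paths, the "winReg" value name and the dropped filenames come from the description.

```python
import re

# Constructed .reg-style export of an infected host, built for this example from the
# key paths and filenames in the description (not a real capture).
SAMPLE_REG_EXPORT = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winReg"="C:\\WINDOWS\\SYSTEM\\winReg.exe"
"Explorer"="C:\\WINDOWS\\explorer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"winReg"="C:\\WINDOWS\\SYSTEM\\winReg.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32.exe\" \"%1\" %*"
'''

DROPPED_NAMES = {"winreg.exe", "nav32.exe", "msnmsg32.exe"}  # filenames from the description
STARTUP_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE_DEFAULT = '"%1" %*'  # stock EXE handler that the virus replaces

def parse_reg_export(text):
    """Return {key_path_lower: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            # inside quoted .reg data, backslashes and quotes are escaped with '\'
            keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys

def find_yaha_persistence(keys):
    """Flag startup values pointing at dropped files and a non-stock exefile handler."""
    findings = []
    for key in STARTUP_KEYS.intersection(keys):
        for name, data in keys[key].items():
            if data.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
                findings.append(("startup", key, name, data))
    handler = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if handler is not None and handler.strip() != CLEAN_EXEFILE_DEFAULT:
        findings.append(("exefile_hijack", EXEFILE_KEY, "(Default)", handler))
    return findings
```

To run it against a real export, read the .reg file (recent Windows versions write these as UTF-16, so open with `encoding='utf-16'`) and pass the text to `parse_reg_export`. Because every EXE launch is routed through nav32.exe, restore the exefile default before deleting that file, or EXE files will stop launching.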
The virus terminates processes containing the following strings, if running:
- NORTON
- NVC95
- FP-WIN
- F-PROT95
- F-STOPW
- PVIEW95
- NAVWNT
- NAVRUNR
- NAVLU32
- NAVAPSVC
- NISUM
- SYMPROXYSVC
- RESCUE32
- NISSERV
- VSECOMR
- VETTRAY
- TDS2-NT
- TDS2-98
- SCAN32
- PCFWALLICON
- NSCHED32
- MCAFEE
- ATRACK
- IAMAPP
- LUCOMSERVER
- LUALL
- NMAIN
- NAVW32
- NAVAPW32
- VSSTAT
- VSHWIN32
- AVSYNMGR
- AVCONSOL
- WEBTRAP
- POP3TRAP
- PCCMAIN
- PCCIOMON
- ESAFE.EXE
- AVPM.EXE
- AVPCC.EXE
- AMON.EXE
- ALERTSVC
- ZONEALARM
- AVP32
- LOCKDOWN2000
- AVP.EXE
- CFINET32
- CFINET
- ICMON
- SAFEWEB
- WEBSCANX
- LOCKDOWNADVANCED
- APACHE.EXE
- ANTIVIR
Method of Infection
The virus installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.