FanJ
April 3rd, 2002, 09:52 AM
Name: W32/Yaha-B
Type: Win32 worm
Date: 3 April 2002
At the time of writing Sophos has received just one report of
this worm from the wild.
Description:
W32/Yaha-B is a Win32 worm which makes two copies of itself in
C:\Recycled. The first copy has a name made up of five randomly
generated characters and an EXE extension; the second has the
same name with an extra "f" on the end.
The worm then sets the following registry value so that the worm
is run first whenever an EXE file is executed:
HKCR\exefile\shell\open\command\(default) = "C:\Recycled\.exe %1 %*"
When the worm is executed it will start a screensaver that will
manipulate the Desktop display. The user can exit this screen
saver in the usual manner.
W32/Yaha-B sends itself as an attachment to emails with the
following characteristics:
Subject line:
Enjoy this friendship-joke Screen Saver!!!!
or
Fw : Enjoy this friendship-joke Screen Saver!!!!
or *
Have a nice day!!!!
Message body:
This email is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message. Enjoy this
friendship-joke Screen Saver and Check ur friends circle... Send
this screensaver from xww.friendship.com to everyone you consider
a FRIEND, even if it means sending it back to the person who sent
it to you. If it comes back to you, then you'll know you have a
cirle of friends.
*To remove yourself from this mailing list, point your browser
to: xxxx:x/xfriendship.x/remove?freescreensaver *Enter your email
address () in the field provided and click "Unsubscribe". OR...
*Reply to this message with the word "REMOVE" in the subject
line. This message was sent to address X-PMG-Recipient:
Attached file:
Friends.scr
The emails are sent to addresses from the Windows Address Book
(WAB) and to addresses found in *.HT* files.
This worm will also attempt to send SMS messages to
<number>@xbplmobile.com and <number>@xescotelmobile.com, where
<number> is randomly generated apart from an initial five digit
code.
The Internet Explorer start up page will be changed to one of
the following seven addresses: xww.malayalmanorama.com,
xww.asianetglobal.com, xww.kerala.com, xww.india.com,
xww.malayalamchannel.com, xww.sunnt.com/suryatv, xww.achayans.com.
A plain text file with the same randomly generated name as the
copy of the worm in C:\Recycled will be dropped in the Windows
directory.
Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32yahab.html
Note by FanJ:
I have changed the links a little to prevent a reader from clicking on them.
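A defender-side check for the persistence mechanism the advisory describes, the hijacked default value of HKCR\exefile\shell\open\command, written as an added example that is not part of FanJ's post or of Sophos's analysis. It assumes Python 3, that the clean Windows default for that value is "%1" %*, and it uses a constructed sample path C:\Recycled\ABCDE.exe standing in for the worm's five random characters; the winreg read only runs on Windows.

```python
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Clean Windows default for HKCR\exefile\shell\open\command (default): "%1" %*
# Anything else means some program is interposed before every EXE launch.
EXPECTED_EXEFILE_COMMAND = re.compile(r'^\s*"%1"\s+%\*\s*$')

# Captures an executable placed in front of the %1 placeholder, quoted or not.
INTERPOSED_PROGRAM = re.compile(r'^\s*("?)(.*?\.exe)\1\s+"?%1"?', re.IGNORECASE)

# Constructed sample values (not real registry dumps). The worm's file name is
# five random characters, so "ABCDE" is a placeholder, not an indicator.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "yaha_b_style": r'C:\Recycled\ABCDE.exe %1 %*',
    "quoted_hijack": r'"C:\Recycled\ABCDE.exe" "%1" %*',
}


@dataclass
class ExefileFinding:
    value: str
    suspicious: bool
    interposed_program: Optional[str]  # program run before the real EXE, if found
    reason: str


def classify_exefile_command(value: str) -> ExefileFinding:
    """Classify one exefile open-command value (live, .reg export, or offline hive)."""
    if EXPECTED_EXEFILE_COMMAND.match(value):
        return ExefileFinding(value, False, None, "matches Windows default")
    m = INTERPOSED_PROGRAM.match(value)
    if m:
        program = m.group(2)
        return ExefileFinding(value, True, program,
                              f"program interposed before %1: {program}")
    # Not the default and not a recognisable interposition: still report it,
    # since any deviation here affects every EXE launched on the machine.
    return ExefileFinding(value, True, None, "unexpected format, review manually")


def read_exefile_command() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                        r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (default) value
    return value


def scan_samples() -> dict:
    """Run the classifier over the constructed samples; handy for offline review."""
    return {name: classify_exefile_command(v) for name, v in SAMPLE_VALUES.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:14} suspicious={finding.suspicious}  {finding.reason}")
    live = read_exefile_command()
    if live is not None:
        f = classify_exefile_command(live)
        print(f"live value: {live!r} -> suspicious={f.suspicious} ({f.reason})")
```

The classifier is kept separate from the registry read so it can be run against values pulled from a .reg export or a forensic SOFTWARE hive. One caveat when remediating: because the hijacked value runs the worm before any EXE, restoring it from within the infected session launches the worm again; restore it from a clean boot environment or against the offline hive instead.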