javacool
February 16th, 2002, 03:52 PM
Symantec posts details about these two new viruses/worms at the following pages:
http://securityresponse.symantec.com/avcenter/venc/data/vbs.numgame@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha@mm.html
Enjoy! *;D
FanJ
February 18th, 2002, 06:40 PM
Name: VBS/Numgame-A
Aliases: GuessGame
Type: Visual Basic Script worm
Date: 18 February 2002
At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description:
VBS/Numgame-A is an email worm. It spreads as an email with the following properties:
Subject:
Are you <recipient> my valentine?
Message Body:
Hi my valentine, remember me? I ain't seen you in ages! Anyway, check-out and play the attached guess-the-number-game to guess who I am. See you soon, bye-bye!
Attachment:
GuessGame.html
or
GuessGame.vbe
When the HTML file is run it will display a message box containing the text "Guess Game instructions:" and asking the user to click Yes should an ActiveX dialog box appear.
Depending on the system configuration, an ActiveX warning dialog may then be displayed.
If the user clicks Yes to the ActiveX warning, or no warning appears, the worm will create the file GuessGame.vbe in the Windows directory and execute it.
GuessGame.vbe will first create a copy of itself in the Windows system directory. It will then send an email with the above characteristics to all addresses listed in the user's Outlook Address book.
It will next attempt to set the date to 04-08-1981. Depending on the system settings this will result in the system date changing to 4th August 1981 or 8th April 1981 or remaining unchanged.
It will also set the following registry values in order to disable the Desktop and the system file checking process.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = 1
After setting the registry entries the worm will attempt to delete all files from the local and network drives. On each affected drive it will also create a file named autoexec.bat in an attempt to delete files with the following extensions:
*.SYS
*.DLL
*.OCX
*.CPL
*.DAT
*.COM
*.EXE
*.CAB
*.INI
*.INF
*.VXD
*.DRV
*.DOC
*.XLS
*.MDB
*.PPT
*.MP3
*.JPG
*.TXT
*.HTM
*.HTML
*.HTA
*.ASP
*.ASPX
from the following directories:
\
Desktop,
Program Files,
My Documents,
Windows,
System,
Temp,
Windows\SYSTEM32,
Windows\COMMAND,
Windows\INF,
Windows\SYSBCKUP,
\Documents and Settings,
\Inetpub
or their equivalents (e.g. WINNT\system32)
Lastly the worm will allow the user to play a guessing game to guess a number between 1 and 100.
Read the analysis at
http://www.sophos.com/virusinfo/analyses/vbsnumgamea.html
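A mail-gateway triage rule built from the message characteristics in the advisory above, as an added example (this is not Sophos code and not part of the original post). It matches the subject as a pattern because the recipient's name is embedded in it, pairs that with the GuessGame.html / GuessGame.vbe attachment names and the fixed body text, and separately blocks encoded-script attachments by extension; the `Message` type, `triage` and `run_samples` names and the sample messages are constructed for the example.

```python
"""Gateway triage rule for the VBS/Numgame-A message (added example; not Sophos code).

Indicators are taken from the advisory: subject 'Are you <recipient> my valentine?',
attachment GuessGame.html or GuessGame.vbe, and the fixed lure text in the body.
The sample messages at the bottom are constructed, not captured mail."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# The subject carries the recipient's name, so match a pattern rather than a literal.
SUBJECT_RE = re.compile(r"^are you .+ my valentine\?$", re.IGNORECASE)
NUMGAME_ATTACHMENTS = {"guessgame.html", "guessgame.vbe"}
# Encoded/plain VBScript has no business arriving by mail; block it whatever its name.
BLOCKED_EXTENSIONS = {".vbe", ".vbs"}
BODY_MARKER = "guess-the-number-game"


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def triage(msg: Message) -> Tuple[str, List[str]]:
    """Return ('quarantine' | 'deliver', list of reasons for the verdict)."""
    reasons: List[str] = []
    subject_hit = bool(SUBJECT_RE.match(msg.subject.strip()))
    names = [a.lower() for a in msg.attachments]
    attach_hit = [n for n in names if n in NUMGAME_ATTACHMENTS]
    ext_hit = [n for n in names if any(n.endswith(e) for e in BLOCKED_EXTENSIONS)]

    # Subject alone is a weak signal (any valentine mail could match); require the
    # worm's attachment name alongside it before naming the family.
    if subject_hit and attach_hit:
        reasons.append(f"VBS/Numgame-A: subject lure + attachment {attach_hit[0]}")
    elif attach_hit:
        reasons.append(f"suspect attachment name {attach_hit[0]}")
    if ext_hit:
        reasons.append(f"script attachment blocked by policy: {ext_hit[0]}")
    if subject_hit and BODY_MARKER in msg.body.lower():
        reasons.append("body text matches Numgame-A lure")

    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages for the example.
SAMPLES = {
    "worm": Message(
        "Are you Alice my valentine?",
        "Hi my valentine, remember me? I ain't seen you in ages! Anyway, check-out and play "
        "the attached guess-the-number-game to guess who I am. See you soon, bye-bye!",
        ["GuessGame.vbe"],
    ),
    # Same subject shape, harmless attachment: must not be quarantined.
    "lookalike": Message("Are you Bob my valentine?", "Dinner on Friday?", ["card.pdf"]),
    "benign": Message("Lunch tomorrow?", "Same place at noon?", ["agenda.pdf"]),
}


def run_samples():
    """Triage every sample; returns {name: (verdict, reasons)}."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in run_samples().items():
        print(f"{name:10s} {verdict:10s} {'; '.join(reasons)}")
```

The `lookalike` case is the point of requiring two indicators: on its own the subject pattern would flag any valentine message that happens to address the recipient by name, so the family verdict is only given when the attachment name agrees, while the extension policy catches a renamed `.vbe` regardless.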
FanJ
February 20th, 2002, 01:54 PM
Name: W32/Yaha-A
Type: Win32 worm
Date: 20 February 2002
At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.
Description:
W32/Yaha-A is an internet worm which spreads using its own SMTP engine. The worm arrives in an email message with the following characteristics:
Subject:
Melt the Heart of your Valentine with this beautiful Screen saver
or
Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Attachment: valentin.scr
If the attached program is opened it runs as a screen saver, but also copies itself to C:\recycled with the filenames msmdm.exe and msscra.exe.
The worm changes the registry key
HKCR\exefile\shell\open\command
so that the worm file msmdm.exe is run before any file with the extension EXE.
W32/Yaha-A uses the Windows address book to find email addresses to send itself to. Email addresses will also be extracted from files with the extension HT*. Addresses found are stored in the files screendback.dll and screend.dll.
The SMTP server used to send the emails is chosen either from the registry or from the following list inside the worm body:
<long list of links deleted>
Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32yahaa.html
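A host check for the registry changes described in both advisories in this thread (the VBS/Numgame-A post above and this W32/Yaha-A post), as an added example that is not Sophos code and not part of the original posts. It parses a `reg.exe` export in the `.reg` text format rather than touching the live registry, so it can run offline on a collected artifact, then flags SFCDisable = 0xFFFFFF9D and NoDesktop = 1 from the Numgame-A advisory and any `HKCR\exefile\shell\open\command` default value other than the stock `"%1" %*` handler, which is what the Yaha-A hijack changes. The function names, the two sample exports and the exact hijacked handler string are constructed for the example; the advisory only states that msmdm.exe is run before any EXE.

```python
"""Offline check of a .reg export for the registry indicators in the two advisories
(added example; not Sophos code).  Sample exports below are constructed."""
from typing import Dict, List

NUMGAME_SFCDISABLE = 0xFFFFFF9D               # value from the Numgame-A advisory
CLEAN_EXE_HANDLER = '"%1" %*'                 # stock default for exefile\shell\open\command
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPLORER_POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
EXEFILE_OPEN = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Map each [key path] to {value name: value}; '@' is the key's default value.
    Decodes the two value kinds that matter here: dword:XXXXXXXX and quoted strings.
    Other kinds (hex(...) blobs) are kept as their raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg escapes embedded quotes and backslashes with a backslash.
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = val
    return keys


def check_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per matched indicator; empty list means clean."""
    findings: List[str] = []
    if keys.get(WINLOGON, {}).get("SFCDisable") == NUMGAME_SFCDISABLE:
        findings.append("Numgame-A: SFCDisable=0xFFFFFF9D (System File Checker disabled)")
    if keys.get(EXPLORER_POLICY, {}).get("NoDesktop") == 1:
        findings.append("Numgame-A: NoDesktop=1 (desktop hidden by policy)")
    handler = keys.get(EXEFILE_OPEN, {}).get("@")
    if handler is not None and handler != CLEAN_EXE_HANDLER:
        # Any change here means every .exe launch is routed through another program.
        tag = "Yaha-A" if "msmdm.exe" in str(handler).lower() else "unknown"
        findings.append(f"{tag}: exefile open handler hijacked: {handler}")
    return findings


def scan(text: str) -> List[str]:
    return check_indicators(parse_reg_export(text))


# Constructed export resembling a host hit by both worms (handler string is invented).
INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDesktop"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\recycled\\msmdm.exe \"%1\" %*"
'''

# Constructed export of a clean host.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, scan(export) or ["no indicators"])
```

On a real host the input is the output of `reg export` for the three keys above; the handler check deliberately compares against the known-good value rather than looking for msmdm.exe by name, so it also catches an unrelated hijack of the same key, and only the family tag depends on the name.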