Throw away your antivirus programs
Mr.Blaze
August 24th, 2002, 05:12 PM
Yup, that's right, they're completely useless now. I did an updated virus check with Norton and nothing happened, but when I ran a scan with TDS: Positive variant identification: YAB 2.00. Yuck.
Further investigation shows that no AV has it in their databases. Turns out hackers or script kiddies and some pirates have been coating files and applications with this and have been able to go completely under any AV program; the only thing that detected it was TDS.
Mr.Blaze
August 24th, 2002, 05:27 PM
This came from a script kiddie site, and look what they say:
Using YAB v2.00 Binder, you can easily get the files to slip through anti-virus detection, and hence you can install trojans and backdoors without them realising.
And it's true, 'cause I just got done deleting the little bugger. The only thing that found it was TDS.
Tinribs
August 24th, 2002, 05:30 PM
If no av vendor has info on this malware how did you find out this information on it?
May I also suggest that you submit it to a few vendors for their examination, that's presuming it isn't a false positive.
Edit: I see, posted reply a tad too late. I still suggest you submit it to the vendors, if you still have it. Mind you, all this is still supposing someone is idiot enough to run an executable or similar from unsolicited sources; hopefully the combination of heuristics plus firewall should put paid to any antics at worst case.
Mr.Blaze
August 24th, 2002, 05:49 PM
I just wanted it off my dang OS; I wasn't purposely playing with it. I don't think it was a false positive, I'm pretty sure it's the real deal, especially when the only guys with information on it were the bad guys.
Thank God we have Galvin, he's always up to date.
As for submitting it, I won't even dream of downloading that again on purpose,
but if a vendor wants it I'll give him the link to download it, so long as my name is kept private and confidential so as not to incriminate me type thing, lol =)
Still, it's getting pretty scary out there; people are manipulating variants of Sub7 and Zombie with YAB, not to mention some dangerous mutations.
If it was a false positive, then it's still strange that the bad guys are bragging about it. Coincidence?
zappa
August 24th, 2002, 06:23 PM
I will not be removing my AV as of yet. I had never received a Klez worm via email prior to 3 days ago and in the last three days I have received nothing short of 5 per day.
Ifn' I hadn't a had my NOD32 I would be purchasing a new hard drive three times over.
Edit: I just read my email for the first time today and had another 7 Klez emails. When it rains it pours.
Paul Wilders
August 24th, 2002, 06:59 PM
Sir Blaze,
-{ Quote: "Yup, that's right, they're completely useless now. I did an updated virus check with Norton and nothing happened, but when I ran a scan with TDS: Positive variant identification: YAB 2.00. Yuck." }-
Well, IMHO it's not a nasty that a specific anti-virus needs to detect - rather an anti-trojan issue.
-{ Quote: "Still, it's getting pretty scary out there; people are manipulating variants of Sub7 and Zombie with YAB, not to mention some dangerous mutations." }-
Quite common these days - reason the more to have a good and updated anti-trojan installed and running ;)
regards.
paul
Tinribs
August 24th, 2002, 07:00 PM
Maybe I'm lucky but I've never had a Klez infected mail yet.
*Tinribs touches everything made of wood in sight*
Tinribs
August 24th, 2002, 07:11 PM
Just in case I have downloaded a copy, password protected it and sent it to 6 different av vendors, I feel, although they may be aware, I have done the right thing.
Paul Wilders
August 24th, 2002, 07:31 PM
-{ Quote: "Just in case I have downloaded a copy, password protected it and sent it to 6 different av vendors, I feel, although they may be aware, I have done the right thing." }-
That's the spirit! ;) Nevertheless: please be careful when visiting sites like these. In general I wouldn't recommend anyone visiting these and downloading stuff. ::)
regards.
paul
Tinribs
August 24th, 2002, 07:37 PM
Don't worry Paul, I'm well aware of what I'm doing; it's how I've built up my test collections (as well as dissection and decompiling). But thanks for your concern, and a valid point it is too.
;)
Paul Wilders
August 24th, 2002, 07:43 PM
-{ Quote: "Don't worry Paul, I'm well aware of what I'm doing" }-
Fingers crossed! ;)
regards.
paul
Tinribs
August 24th, 2002, 07:56 PM
I must be a lucky man; in all my years of PC use I have only ever had 4 virus alerts, all stopped and none infected. I'm very careful, always practise Safe Hex http://www.claymania.com/safe-hex.html and so far so good; I must be doing something right! ;)
Paul Wilders
August 24th, 2002, 08:04 PM
Yep, Clay does run a very nice site indeed!
-{ Quote: "and so far so good; I must be doing something right!" }-
I'm sure you are. Nevertheless, from our 250+ MB databases there are several that could cause severe trouble ::)
regards.
paul
Tinribs
August 24th, 2002, 08:12 PM
Then you keep them locked up tight Paul ;) :D
MyNethingyman
August 24th, 2002, 08:13 PM
YAB is not a beast and it is easy to clean.
;)
http://www.dslreports.com/forum/remark,3895801~root=security,1~mode=flat
Mr.Blaze
August 24th, 2002, 08:16 PM
No, YAB is a binder, I think mainly to coat a trojan etc., I believe.
Correct me if I'm wrong, but aren't binders in evil-doers' hands meant to coat such nasties so they're undetected? =/
Still, when you've got guys like Galvin and people at Wilders for help, it's pretty much a great relief =)
controler
August 24th, 2002, 08:38 PM
A binder does NOT a trojan make, LOL.
All a binder does is bind one program to another; could be a trojan or not. The binding program itself is not a problem.
There are other binders out there, many of them.
Generically find any binder, then give a popup warning of its existence, then you either delete it or not, your choice...
Paul Wilders
August 24th, 2002, 09:16 PM
-{ Quote: "All a binder does is bind one program to another; could be a trojan or not. The binding program itself is not a problem." }-
True in essence. And there are lots of binders around.
That said, bound executables are known to cause problems for AVs.
regards.
paul
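Two of the posts above raise the generic question of how a scanner can notice a bound executable at all rather than recognising one specific binder by signature. The script below is an added illustration written for this thread, not code from any poster, from TDS, or from any AV vendor. It applies one well-known defender heuristic: a PE file whose size exceeds the end of its last section carries an "overlay", and an overlay that itself contains a valid MZ/PE header is a strong hint that a second program has been glued onto the first. The sample file it scans is constructed inline (a minimal one-section PE) so the check runs offline; whether YAB in particular stores its payload this way is an assumption, not something the thread states.

```python
import struct

# Layout constants for the PE pieces this checker reads (PE/COFF spec).
_E_LFANEW_OFF = 0x3C
_COFF_FMT = "<HHIIIHH"            # Machine, NumberOfSections, TimeDateStamp,
_SECTION_FMT = "<8sIIIIIIHHI"     # ... PointerToSymbolTable, NumberOfSymbols,
                                  # SizeOfOptionalHeader, Characteristics
                                  # section: Name, VirtualSize, VirtualAddress,
                                  # SizeOfRawData, PointerToRawData, ...


def _parse_sections(data: bytes) -> list:
    """Return [(name, raw_ptr, raw_size)] for every section header, or raise."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, _E_LFANEW_OFF)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(_COFF_FMT, data, coff)
    sec_off = coff + struct.calcsize(_COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(_SECTION_FMT, data, sec_off + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[4], f[3]))   # (name, PointerToRawData, SizeOfRawData)
    return sections


def find_embedded_pe(blob: bytes) -> list:
    """Offsets in `blob` where an MZ header's e_lfanew really points at 'PE\\0\\0'."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + _E_LFANEW_OFF)[0]
            sig = pos + e_lfanew
            if 0 < e_lfanew < len(blob) and blob[sig:sig + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def overlay_info(data: bytes) -> dict:
    """Measure data past the last section; that tail is the overlay."""
    sections = _parse_sections(data)
    image_end = max((ptr + size for _, ptr, size in sections if size), default=0)
    overlay = data[image_end:]
    return {
        "image_end": image_end,
        "overlay_size": len(overlay),
        "embedded_pe_offsets": find_embedded_pe(overlay),
    }


def verdict(data: bytes) -> str:
    """Coarse triage label a scanner could surface as a warning."""
    info = overlay_info(data)
    if info["embedded_pe_offsets"]:
        return "overlay-with-embedded-pe"   # second program bound onto the first
    if info["overlay_size"]:
        return "overlay"                    # trailing data; installers do this too
    return "clean"


def build_sample(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 (one .text section) used only as test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 magic, rest zero
    coff = struct.pack(_COFF_FMT, 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sec = struct.pack(_SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))                    # pad to PointerToRawData
    return headers + b"\xC3" * 0x200 + overlay                   # 512 bytes of `ret`, then tail


if __name__ == "__main__":
    host = build_sample()
    bound = build_sample(overlay=build_sample() + b"constructed-config")
    for label, sample in (("host only", host), ("host + bound payload", bound)):
        print(label, overlay_info(sample), verdict(sample))
```

The "overlay" verdict on its own is only a prompt for a closer look, since self-extracting archives and some installers legitimately append data; the point of the second check is that a complete PE header inside that tail is rarely innocent, which is the kind of generic signal a scanner can raise without knowing the binder by name.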
TAG97
August 24th, 2002, 09:38 PM
Is this the same YAB ?
12.08.2002
14th addon for DrWeb 4.28
Added 102 viruses to the DrWeb database. BAT.Generic.56,BackDoor.AnFTP.1(3),BackDoor.AntiLame.14(1-3), BackDoor.Fear.15, BackDoor.Glitch.10(1,2),BackDoor.BSSpy.109, BackDoor.Generic.69,70,71,72,73,74, BackDoor.Assassin.11 (1-4), BackDoor.Hunter.12(1-4), Trojan.PWS.AntiLame.10(3), BackDoor.Pigeon.3, BackDoor.Y3krat.1(1-3), HLLP.Birys.6773, Trojan.Aicore(1,2), Trojan.Aphex, Trojan.Gunsan.786, Trojan.Jason.10(1-3), Trojan.MulDrop.93,94,95, Trojan.KnetStat.32768, Trojan.Kcom(1-3),Trojan.KillProc.1536,W97M.WisMine(1,2), Trojan.Lameweb.1(1,2), Trojan.Mardam,Trojan.PWS.Platan(16),Win32.Radix.4100(2), Trojan.PWS.Zimenok.3(3-6),Trojan.Phrostic.102(1,2), :o******Trojan.YAB.201****** :o,W97M.Bobo(3), VBS.Generic.71,72,73,74,75,76,77,78,VBS.Redlof(2),W97M.Doctor,W97M.Minimal(25), W97M.Soob(1,2),W97M.Stamp,Win2K.Team.4096(2),Win32.HLLM.Bihup,Win32.HLLM.Higuy, Win32.HLLM.Buxtehude (1,2), Win32.HLLM.Frethem.17, Win32.HLLM.Generic.68, 69, Win32.HLLM.Glitch.62464, Win32.HLLM.Gunsan.1, 2, Win32.HLLO.Fixing.16384 (2), Win32.HLLM.Kitro.3,4, Win32.HLLM.Mi2(6), Win32.HLLW.Spreader, XM.Laroux(16-20).
Tinribs
August 24th, 2002, 09:45 PM
I've tested with DrWeb, fully updated, medium and deep heuristics, and it fails to see it, at least the copy I have.
Mr.Blaze
August 24th, 2002, 11:57 PM
Ekkkk, so the binder does work on AVs. Thank God I got TDS.
Copyright ©2002 - 2013, Wilders Security Forums