Wilders Security Forums  

  #1  
Old February 19th, 2002, 01:25 AM
Gavin - DiamondCS
Former DCS Moderator
 
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080
New Worm/Trojan (destructive)

Just a quick warning about a new worm, another one that looks targeted at Andreas Haak like the Ants worm was..

As of tonight's database update this will be detected by TDS-3 as Worm.YAW 2.0. The new worm looks from initial analysis as though it arrives as a newsletter from the hosting page of YAW - Yet Another Warner. It is supposedly YAW 2.0, the current available download is 1.0. YAW is a tool to detect dialler software.

The worm arrives attached as yawsetup.exe, 437,760 bytes with a standard setup executable icon. If executed it will back up your notepad.exe (to notedpad.exe) and copy itself as that file. It will copy itself to the RunOnce key in the registry as a random key name as well, with a random (matching) filename. Unsure if this is needed, as the worm has a very destructive payload, deleting as many folders and files as it can from your C drive, other drives appeared unaffected. This occurred in a short time in the first test run, so it most likely is very quickly taking its destructive action. It may not take this action for some time depending on conditions, this has not yet been established. Upon rebooting the drive had an invalid FAT.

It does save 2 files in the Windows folder for spreading, with an 'open' SMTP server list saved as KerneI.das and a list of gathered email addresses as KerneI.daa.

  #2  
Old February 20th, 2002, 03:37 AM
Paul Wilders
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Re: New Worm/Trojan (destructive)

Currently, seven variants are known. Two are really common (MD5 sums):

0c32628e76d9e716a4efab028022364c 1.ex$
054d80acac8bd69f322b2dcea357ef2d 2.ex$

Here are the MD5 sums of the other variants:

2336aac901724a107d2725c4e6caeacd 3.ex$
a533f828347b2eca6d8784ef593b388d 4.ex$
3fb44cf79640c1112eee98a86bb15abf 5.ex$
860d6a82e2fbf887038f6e2b0cde3651 6.ex$
8ee1fbdb4eba48dda7d35b0adca8d83a 7.ex$

regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
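
The indicators from the two posts above, combined into a triage check for one Windows folder (live or from a mounted image). This is an added example, not part of the original thread and not DiamondCS code. It assumes the worm's copy over notepad.exe is byte-identical to the attachment (same size and MD5) and sits in the Windows folder; `triage` and `md5_of` are hypothetical names.

```python
import hashlib
import os
import sys

# Indicators quoted from the two posts above.
WORM_SIZE = 437_760                          # size of yawsetup.exe in bytes
BACKUP_NAME = "notedpad.exe"                 # where the original notepad.exe is moved
SPREAD_FILES = ("kernei.das", "kernei.daa")  # capital I in the name, not lowercase L
COMMON_MD5 = {                               # the two "really common" variants
    "0c32628e76d9e716a4efab028022364c",
    "054d80acac8bd69f322b2dcea357ef2d",
}


def md5_of(path):
    """MD5 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(windows_dir):
    """Return a list of findings; an empty list means no indicator was seen."""
    # Windows file names are case-insensitive, so compare in lower case.
    names = {n.lower(): os.path.join(windows_dir, n) for n in os.listdir(windows_dir)}
    findings = []
    if BACKUP_NAME in names:
        findings.append("notepad.exe backup present: " + BACKUP_NAME)
    for name in SPREAD_FILES:
        if name in names:
            findings.append("spreading data file present: " + name)
    notepad = names.get("notepad.exe")
    if notepad and os.path.isfile(notepad):
        # Assumption: the worm overwrites notepad.exe with an unchanged copy of itself.
        if os.path.getsize(notepad) == WORM_SIZE:
            findings.append("notepad.exe has the worm's size")
        if md5_of(notepad) in COMMON_MD5:
            findings.append("notepad.exe matches a known MD5")
    return findings


if __name__ == "__main__":
    for line in triage(sys.argv[1]) or ["no indicators found"]:
        print(line)
```

A size match alone is weak evidence; the backup file and the two data files together are the stronger signal. The random RunOnce entry is not checked because the posts give no fixed name for it.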
 

All times are GMT -5.