Wilders Security Forums  

#1  June 5th, 2002, 10:04 AM
FanJ

W32/Yaha-D

Name: W32/Yaha-D
Type: Win32 worm
Date: 5 June 2002

Sophos has received several reports of this worm from the wild.

Description:

W32/Yaha-D is a Win32 worm which spreads via email. The worm has
its own SMTP client software and either uses an SMTP server
found by examining the Windows registry or one from a list
contained within the worm itself. The email sent by the worm is
highly variable. The subject line is made up of a combination of
words and phrases from the following list:

searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
Hi
U realy Want this
Romantic
humour
New
Wonderfool
excite
Cool
charming
Idiot
Nice
Bullsh*t
One
Funny
Great
LoveGangs
Shaking
powful
Joke
Interesting
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share

The message text is similar to:

"Hi Dear
Check the attach
See u

.
.

Check the attachment too.."

or

"Hi Dear
Check the Attachement ..
See u

----- Original Message -----
From: "Friendship" < deleted by FanJ >
To: < sender's address >
Sent: Friday, May 11, 2002 8:38 PM
Subject: The world of Friendship :-)

This e-mail is never sent unsolicited. If you need to
unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends
circle...

Send this screensaver from <deleted by FanJ> to everyone you
consider a FRIEND, even if it means sending it back to the
person
who sent it to you. If it comes back to you, then you'll know
you
have a circle of friends.

* To remove yourself from this mailing list, point your browser
to:
<deleted by FanJ>
* Enter your email address < sender's address > in the field
provided and click
"Unsubscribe".

OR...

* Reply to this message with the word "REMOVE" in the subject
line.

This message was sent to address <sender's address>
X-PMG-Recipient: <sender's address>
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
<<<>>> "

The attachment filename is made up of three parts - a name and
two extensions. The name is chosen from:

screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullsh*tscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
f*cker

The first extension is chosen from:

DOC
MP3
XLS
WAV
TXT
JPG
GIF
DAT
BMP
HTM
MPG
MDB
ZIP

and the second extension is chosen from:

PIF
BAT
SCR

W32/Yaha-D also creates a copy of itself with a random name in
the Recycle folder. It then adds the name of this copy to the
following registry entry to ensure that the worm is run each
time a program with an EXE extension is run:

HKCR\exefile\shell\open\command\default

The worm will attempt to disable security software by
terminating any of the following processes:

ZONEALARM
AVP32
LOCKDOWN2000
AVP.EXE
CFINET32
CFINET
ICMON
SAFEWEB
WEBSCANX
ANTIVIR
MCAFEE
NORTON
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT95
F-STOPW
PVIEW95
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
NISUM
SYMPROXYSVC
RESCUE32
NISSERV
ATRACK
IAMAPP
LUCOMSERVER
LUALL
NMAIN
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON

When the worm is first run it will imitate a screen saver by
repeatedly displaying the following messages on the screen in
various colours:

"U r so cute today #!#!"
"True Love never ends"
"I like U very much!!!"
"U r My Best Friend"


Read the analysis at
http://www.sophos.com/virusinfo/analyses/w32yahad.html
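Two checks that follow directly from the description above, written out as an added example (this is not code from the Sophos analysis or from FanJ's post). The first classifies attachment filenames by the NAME.DECOY.EXEC shape the worm generates; the second inspects the default value of HKCR\exefile\shell\open\command and returns the interposed program if the key no longer holds the stock value. Assumptions, labelled in the code: the name list is a subset of the one quoted above; the extra executable extensions (exe, com, cmd, vbs, js, lnk) go beyond the page's PIF/BAT/SCR; the sample attachment names and registry values are constructed, including the C:\RECYCLED path for the worm copy (the page only says "Recycle folder" and a random name); read_live_exefile_command assumes it runs on Windows.

```python
"""Added example, not from the Sophos write-up or the forum post.
Sample inputs below are constructed, not captured from real mail."""
import re
from typing import Optional

# Extension lists are the ones quoted in the write-up.
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat",
              "bmp", "htm", "mpg", "mdb", "zip"}
YAHA_EXEC_EXTS = {"pif", "bat", "scr"}
# Assumption (beyond the page): Windows also executes these directly, so the
# same "document.EXT" disguise works with them and a generic rule should
# cover them too.
EXEC_EXTS = YAHA_EXEC_EXTS | {"exe", "com", "cmd", "vbs", "js", "lnk"}
# Subset of the name list from the write-up, enough to show the match.
YAHA_NAMES = {"screensaver", "screensaver4u", "love", "lovers", "friendship",
              "friends4u", "shakeit", "passion", "greetings", "lovefinder"}

# Stock value: run the clicked EXE ("%1") with its arguments (%*).
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def classify_attachment(filename: str) -> Optional[str]:
    """Return None for a benign-looking name, otherwise a short verdict.

    "yaha-d"           name, decoy extension and final extension all match
                       the generator described in the write-up.
    "double-extension" same NAME.DECOY.EXEC shape with any other name; this
                       is what a generic gateway rule should catch, because
                       Explorer with "hide known extensions" shows
                       love.jpg.scr as love.jpg.
    "executable"       single executable extension; not Yaha-D, still worth
                       logging.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    parts = base.split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        name = ".".join(parts[:-2])
        if name in YAHA_NAMES and parts[-1] in YAHA_EXEC_EXTS:
            return "yaha-d"
        return "double-extension"
    return "executable"


def scan(attachments):
    """Run classify_attachment over a list and keep only the hits."""
    hits = []
    for a in attachments:
        verdict = classify_attachment(a)
        if verdict:
            hits.append((a, verdict))
    return hits


def exefile_hijack(command_value: str) -> Optional[str]:
    """Given the default value of HKCR\\exefile\\shell\\open\\command, return
    the interposed program if the key has been hijacked, else None.

    The worm prepends its own copy, so every EXE launch starts the worm,
    which then launches the real program the user clicked.
    """
    v = command_value.strip()
    if v.lower() == CLEAN_EXEFILE_COMMAND.lower():
        return None
    m = re.match(r'^(?P<prog>"[^"]+"|\S+)\s+"%1"\s*%\*$', v)
    if m:
        return m.group("prog").strip('"')
    # Not the stock value and not the "PROG "%1" %*" shape either: report
    # the whole value so an analyst looks at it.
    return v


def read_live_exefile_command() -> str:
    """Windows only (assumption): read the real value via winreg."""
    import winreg
    key = r"exefile\shell\open\command"
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, key) as k:
        value, _ = winreg.QueryValueEx(k, "")
    return value


# Constructed samples: the first three have the write-up's shape.
SAMPLE_ATTACHMENTS = [
    "love.jpg.scr",
    "friends4u.MP3.PIF",
    "report.doc.bat",
    "setup.exe",
    "notes.txt",
    "photo.jpg",
]
# Constructed registry values; C:\RECYCLED\qwerty.exe stands in for the
# random-named copy the write-up describes.
SAMPLE_REG_VALUES = ['"%1" %*', 'C:\\RECYCLED\\qwerty.exe "%1" %*']

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_ATTACHMENTS):
        print(f"{name:24} {verdict}")
    for value in SAMPLE_REG_VALUES:
        print(f"{value!r:40} hijacked by: {exefile_hijack(value)}")
```

Order of cleanup matters with this persistence key: restore the exefile command to its stock value before deleting the worm's copy from the Recycle folder. If the file is removed first while the key still points at it, every EXE launch (including the tools you would use to fix the key) fails until the value is repaired.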

#2  June 5th, 2002, 10:17 AM
Jooske

Re: W32/Yaha-D

Hmm, thanks FanJ. As many of us already get lots of spam with such frusty subjects, and either filter it or delete it manually, it's good to be extra alert.
Grgrgr, the trick of getting removed from their database and with that infecting yourself! So it's not wise to have autoresponders send "bounces", maybe?
__________________
Jooske
"o_o"
 

Copyright ©2002 - 2013, Wilders Security Forums