Wilders Security Forums  

#1
February 19th, 2002, 01:25 AM
Gavin - DiamondCS
Former DCS Moderator
Join Date: Feb 2002
Location: Perth, Western Australia
Posts: 2,080

New Worm/Trojan (destructive)

Just a quick warning about a new worm, another one that looks targeted at Andreas Haak like the Ants worm was.

As of tonight's database update this will be detected by TDS-3 as Worm.YAW 2.0. The new worm looks from initial analysis as though it arrives as a newsletter from the hosting page of YAW - Yet Another Warner. It is supposedly YAW 2.0, the current available download is 1.0. YAW is a tool to detect dialler software.

The worm arrives attached as yawsetup.exe, 437,760 bytes with a standard setup executable icon. If executed it will back up your notepad.exe (to notedpad.exe) and copy itself as that file. It will copy itself to the RunOnce key in the registry as a random key name as well, with a random (matching) filename. Unsure if this is needed, as the worm has a very destructive payload, deleting as many folders and files as it can from your C drive; other drives appeared unaffected. This occurred in a short time in the first test run, so it most likely takes its destructive action very quickly. It may not take this action for some time depending on conditions; this has not yet been established. Upon rebooting the drive had an invalid FAT.

It does save 2 files in the Windows folder for spreading, with an 'open' SMTP server list saved as KerneI.das and a list of gathered email addresses as KerneI.daa.

#2
February 19th, 2002, 07:04 AM
wizard
Frequent Poster
Join Date: Feb 2002
Location: Europe - Germany - Duesseldorf
Posts: 818

Re: New Worm/Trojan (destructive)

The worm is now ITW in Germany and Austria.

wizard
__________________
wizardRESEARCH - Malware Research & Analysis since 1989
#3
February 19th, 2002, 08:27 AM
wizard
Frequent Poster
Join Date: Feb 2002
Location: Europe - Germany - Duesseldorf
Posts: 818

Re: New Worm/Trojan (destructive)

Quote:
I-Worm.Yarner
-------------
This is a worm spreading via the Internet, attached to infected
emails. The worm itself is a Windows PE EXE file about 434Kb in length,
written in Delphi.

The infected messages have the original sender's email address or a fake sender
address in the "from" field. The fake address looks as follows:

From: Trojaner-Info [webmaster@trojaner-info.de]

Other data in the messages look as follows:

Attach: yawsetup.exe
Subject: Trojaner-Info Newsletter %CurrentDate%
Body:

Hallo !

Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:

1. YAW 2.0 - Unser Dialerwarner in neuer Version

*************************************

1. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist
nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere
Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen
steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak
unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!

<http://www.trojaner-info.de/dialer/yaw.shtml>

*************************************

Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir
bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine
angenehme Woche.

Mit freundlichem Gruss

Thomas Tietz & Andreas Ebert
<http://www.trojaner-info.de>

*************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer
Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber
abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du
diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine
entsprechende E-Mail.
*************************************



The worm activates from an infected email only if a user clicks on the attached
file. The worm then installs itself to the system and runs its spreading routine and
payload.


Installing
----------
While installing, the worm copies itself to the Windows directory with a
random .EXE name of up to 100 symbols and registers that file in the system registry
auto-run key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
%RandomText% = %WormName%

where %WormName% is the name of the worm copy, and %RandomText% is another random
string of up to 100 symbols, for example:

ddfUdEDshaSEYadkWBUdFrnKlFWReyHQpTWCqMkkTRhHoIqHMZugxnPTXF.exe


The worm then renames the NOTEPAD.EXE file in the Windows directory to NOTEDPAD.EXE
and replaces the original NOTEPAD.EXE with its copy. Thus, the worm creates an
additional copy of itself, which will start again whenever a text file is opened with
Notepad.

The worm also creates two additional files in the Windows directory with the following
names:

kerneI32.daa
kerneI32.das


Spreading
---------
To send infected messages the worm uses a direct connection to the default SMTP
server.

The worm gets victim email addresses in two different ways. First it accesses
the MS Outlook address book and gets all email addresses from there.
Next the worm scans all .PHP, .HTM, .SHTM, .CGI, .PL files in all
subdirectories of the Windows directory and gets all emails from there.

Payload
-------
After successfully sending an infected email, the worm in one case out of ten deletes all
files on the drive where Windows is installed.


Removal and detection for this worm has already been added to Kaspersky Antivirus
updates.

wizard
__________________
wizardRESEARCH - Malware Research & Analysis since 1989
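A host-side check for the indicators given in posts #1 and #3, added here as an example by the editor (it is not code from the posts or from any AV vendor). It assumes the RunOnce values and the Windows-directory listing are passed in as plain Python data, so it runs offline; on a live host you would read them with winreg and os.listdir. The dropped-file names cover both spellings reported in the thread (KerneI.das in post #1, kerneI32.das in post #3), always with the capital I that stands in for the l of kernel32.

```python
import re

# Indicators from the thread, compared case-insensitively. Note the homoglyph:
# the worm writes "kerneI32" with a capital I, not the real kernel32 spelling.
WORM_DROPPED_FILES = {"notedpad.exe", "kernei.daa", "kernei.das",
                      "kernei32.daa", "kernei32.das"}

# Heuristic for the RunOnce entry: post #3 says both the value name and the
# worm's filename are random strings of up to 100 letters. Legitimate RunOnce
# names are short words, GUIDs, or contain digits and underscores, so
# "letters only, mixed case, 20 or more characters" is a usable first filter.
RANDOM_TOKEN = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{20,100}$")

def looks_random(token):
    return bool(RANDOM_TOKEN.match(token))

def suspicious_runonce(values):
    """Return (name, data) pairs whose value name and executable base name are
    both random-looking letter strings, the pattern of the worm's entry."""
    hits = []
    for name, data in values.items():
        exe = data.strip('"').rsplit("\\", 1)[-1]   # keep only the filename
        stem, _, ext = exe.rpartition(".")
        if ext.lower() == "exe" and looks_random(name) and looks_random(stem):
            hits.append((name, data))
    return hits

def dropped_files(listing):
    """Return names from a Windows-directory listing that match the worm's drops."""
    return sorted(f for f in listing if f.lower() in WORM_DROPPED_FILES)

def scan(runonce_values, windows_listing):
    """Run both checks; 'infected' is True when either one hits."""
    report = {"runonce": suspicious_runonce(runonce_values),
              "dropped": dropped_files(windows_listing)}
    report["infected"] = bool(report["runonce"] or report["dropped"])
    return report

# Constructed sample data standing in for winreg / os.listdir output from an
# infected host. The long filename is the example quoted in post #3; the
# value name and the wextract entry are made up for this example.
SAMPLE_RUNONCE = {
    "NcYGBUbjHePqzSeMmqnHsKtcZwRaEujzJHGqRmg":
        "C:\\WINDOWS\\ddfUdEDshaSEYadkWBUdFrnKlFWReyHQpTWCqMkkTRhHoIqHMZugxnPTXF.exe",
    "wextract_cleanup0":
        "rundll32.exe advpack.dll,DelNodeRunDLL32 C:\\WINDOWS\\TEMP\\IXP000.TMP",
}
SAMPLE_WINDIR = ["notepad.exe", "notedpad.exe", "kerneI32.daa",
                 "kerneI32.das", "kernel32.dll"]

if __name__ == "__main__":
    print(scan(SAMPLE_RUNONCE, SAMPLE_WINDIR))
```

The real kernel32.dll (lowercase l) deliberately does not match, so a clean Windows directory produces an empty report.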
#4
February 19th, 2002, 02:02 PM
Old_Sixteen
Infrequent Poster
Join Date: Feb 2002
Posts: 17

Re: More on W32.YARNER.A@MM

Here are more AV sites with info........

"Subject of email: Trojaner-Info Newsletter
Body: Text in German
Name of attachment: yawsetup.exe"

LINKS:

http://www.symantec.com/avcenter/venc/data/w32.yarner.a@mm.html
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_YARNER.B
http://vil.nai.com/vil/content/v_99365.htm
http://www.sophos.com/virusinfo/analyses/w32yarner.html
http://www.f-secure.com/v-descs/yarner.shtml
__________________
"Dogs need to sniff the ground; it's how they keep abreast of current events. The ground is a giant dog newspaper, containing all kinds of late-breaking dog news items, which, if they are especially urgent, are often continued in the next yard."
- Dave Barry
#5
February 20th, 2002, 12:48 AM
DrSeltsam
Posts: n/a

Re: New Worm/Trojan (destructive)

>As of tonight's database update this will be detected
>by TDS-3 as Worm.YAW 2.0.

Are you sure? I updated TDS-3 just 3 minutes ago and TDS didn't detect any of the 7 YAW 2.0 variants. I sent the 7 samples to you :o).

Adieu, Andreas