New Worm/Trojan (destructive)

Discussion in 'malware problems & news' started by Gavin - DiamondCS, Feb 19, 2002.

Thread Status:
Not open for further replies.
  1. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    Just a quick warning about a new worm, another one that looks targeted at Andreas Haak like the Ants worm was.

    As of tonight's database update this will be detected by TDS-3 as Worm.YAW 2.0. The new worm looks from initial analysis as though it arrives as a newsletter from the hosting page of YAW - Yet Another Warner. It is supposedly YAW 2.0, the current available download is 1.0. YAW is a tool to detect dialler software.

    The worm arrives attached as yawsetup.exe, 437,760 bytes with a standard setup executable icon. If executed it will backup your notepad.exe (to notedpad.exe) and copy itself as that file. It will copy itself to the RunOnce key in the registry as a random key name as well, with a random (matching) filename. Unsure if this is needed, as the worm has a very destructive payload, deleting as many folders and files as it can from your C drive; other drives appeared unaffected. This occurred in a short time in the first test run, so it most likely is very quickly taking its destructive action. It may not take this action for some time depending on conditions; this has not yet been established. Upon rebooting the drive had an invalid FAT.

    It does save 2 files in the Windows folder for spreading, with an 'open' SMTP server list saved as KerneI.das and a list of gathered email addresses as KerneI.daa.
  2. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    Currently, seven variants are known. Two are really common (MD5 sums):

    0c32628e76d9e716a4efab028022364c 1.ex$
    054d80acac8bd69f322b2dcea357ef2d 2.ex$

    Here the MD5 sums of the other variants:

    2336aac901724a107d2725c4e6caeacd 3.ex$
    a533f828347b2eca6d8784ef593b388d 4.ex$
    3fb44cf79640c1112eee98a86bb15abf 5.ex$
    860d6a82e2fbf887038f6e2b0cde3651 6.ex$
    8ee1fbdb4eba48dda7d35b0adca8d83a 7.ex$
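The two posts above give enough indicators to write a simple host check: the file names dropped by the worm (notedpad.exe, KerneI.das, KerneI.daa), the attachment name and size, and the seven MD5 sums Paul lists. The following Python script is an added example, not code from DiamondCS or either poster; it walks a directory, flags files by name, by size, or by MD5, and includes a constructed sample directory (harmless placeholder files, no real worm) so it can be run offline. The registry RunOnce entries Gavin mentions are not covered here because they cannot be checked portably from a file scan.

```python
import hashlib
import os
import tempfile

# MD5 sums of the seven variants, copied from Paul Wilders' post.
KNOWN_MD5 = {
    "0c32628e76d9e716a4efab028022364c": "variant 1 (common)",
    "054d80acac8bd69f322b2dcea357ef2d": "variant 2 (common)",
    "2336aac901724a107d2725c4e6caeacd": "variant 3",
    "a533f828347b2eca6d8784ef593b388d": "variant 4",
    "3fb44cf79640c1112eee98a86bb15abf": "variant 5",
    "860d6a82e2fbf887038f6e2b0cde3651": "variant 6",
    "8ee1fbdb4eba48dda7d35b0adca8d83a": "variant 7",
}

# File-name indicators from Gavin's post (compared case-insensitively,
# since the worm writes "KerneI" with a capital I in place of an l).
NAME_INDICATORS = {
    "notedpad.exe": "backup of the original notepad.exe made by the worm",
    "kernei.das": "open SMTP server list saved for spreading",
    "kernei.daa": "gathered e-mail address list",
}
ATTACHMENT_NAME = "yawsetup.exe"
ATTACHMENT_SIZE = 437760  # bytes, as reported in the first post


def md5_of_file(path, chunk=65536):
    """Return the hex MD5 of a file, read in chunks so large files are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, known_md5=KNOWN_MD5):
    """Walk root and return a list of (path, reason) findings.

    known_md5 defaults to the hashes from the thread; it is a parameter so the
    hash branch can be exercised against constructed test data.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in NAME_INDICATORS:
                findings.append((path, NAME_INDICATORS[lower]))
            if lower == ATTACHMENT_NAME and os.path.getsize(path) == ATTACHMENT_SIZE:
                findings.append((path, "attachment name and size match the reported worm"))
            digest = md5_of_file(path)
            if digest in known_md5:
                findings.append((path, "MD5 matches " + known_md5[digest]))
    return findings


def build_constructed_sample():
    """Create a throwaway directory of constructed placeholder files.

    None of these are real malware; they only carry the names and size the
    thread reports so the scanner's branches can be demonstrated.
    """
    root = tempfile.mkdtemp(prefix="yaw_demo_")
    with open(os.path.join(root, "notedpad.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real backup of notepad.exe")
    with open(os.path.join(root, "KerneI.daa"), "wb") as f:
        f.write(b"placeholder@example.invalid\n")
    with open(os.path.join(root, "yawsetup.exe"), "wb") as f:
        f.write(b"\x00" * ATTACHMENT_SIZE)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign file, should produce no finding\n")
    return root


if __name__ == "__main__":
    sample = build_constructed_sample()
    for path, reason in scan_directory(sample):
        print(path, "->", reason)
```

Run it as-is to see the three name/size hits on the constructed directory; point `scan_directory` at a real Windows folder (and mail attachment store) to use the MD5 list from the thread. Hashes only match the exact seven samples listed, so the name and size checks are the ones that catch a repacked copy.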
