New Worm/Trojan (destructive)

Discussion in 'malware problems & news' started by Gavin - DiamondCS, Feb 19, 2002.

Thread Status:
Not open for further replies.
  1. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just a quick warning about a new worm, another one that looks targeted at Andreas Haak like the Ants worm was.

    As of tonight's database update this will be detected by TDS-3 as Worm.YAW 2.0. The new worm looks from initial analysis as though it arrives as a newsletter from the hosting page of YAW - Yet Another Warner. It is supposedly YAW 2.0, the current available download is 1.0. YAW is a tool to detect dialler software.

    The worm arrives attached as yawsetup.exe, 437,760 bytes, with a standard setup executable icon. If executed it will back up your notepad.exe (to notedpad.exe) and copy itself as that file. It will also copy itself to the RunOnce key in the registry under a random key name, with a random (matching) filename. Unsure if this is needed, as the worm has a very destructive payload, deleting as many folders and files as it can from your C drive; other drives appeared unaffected. This occurred in a short time in the first test run, so it most likely takes its destructive action very quickly. It may not take this action for some time depending on conditions; this has not yet been established. Upon rebooting, the drive had an invalid FAT.

    It does save 2 files in the Windows folder for spreading, with an 'open' SMTP server list saved as KerneI.das and a list of gathered email addresses as KerneI.daa.
     
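A small host-indicator check for the behaviour described in the post above. This is an added example, not code from the thread, from DiamondCS or from TDS-3. It runs over a constructed snapshot (a dict of Windows-folder files and a dict of RunOnce values) rather than a live machine so it works offline; the indicator values (notedpad.exe, the 437,760-byte size, KerneI.das and KerneI.daa, a RunOnce value whose name matches its filename) are taken from the post, and the "matching name" heuristic is this example's reading of the post, not something the post spells out.

```python
"""Hunt for the Worm.YAW 2.0 host indicators listed in the post above.

Added example (not from the original thread). Input is a constructed
snapshot of one host, so it runs offline and reads nothing from disk.
"""
import ntpath                              # Windows path rules on any platform
from dataclasses import dataclass

WORM_SIZE = 437_760                        # size of yawsetup.exe given in the post
BACKUP_NAME = "notedpad.exe"               # where the worm saves the real notepad.exe
# The post spells these "KerneI" with a capital I; they are compared lowercase here.
DROPPED_FILES = ("kernei.daa", "kernei.das")


@dataclass
class Snapshot:
    """Constructed stand-in for a host: Windows-folder listing plus RunOnce values."""
    windows_files: dict     # lowercase filename -> size in bytes
    runonce: dict           # RunOnce value name -> command line


def _command_stem(command):
    """Lowercase basename (no extension) of the program a RunOnce command starts."""
    command = command.strip()
    if not command:
        return ""
    # A quoted command keeps spaces in the path; an unquoted one ends at the first space.
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split()[0]
    return ntpath.splitext(ntpath.basename(exe))[0].lower()


def check_snapshot(snap):
    """Return a list of findings; an empty list means none of the post's indicators were seen."""
    findings = []
    files = snap.windows_files
    if BACKUP_NAME in files:
        findings.append(f"{BACKUP_NAME} present: the worm's backup of the real notepad.exe")
    if files.get("notepad.exe") == WORM_SIZE:
        findings.append(f"notepad.exe is {WORM_SIZE} bytes, the size of yawsetup.exe")
    for name in DROPPED_FILES:
        if name in files:
            findings.append(f"{name} present: worm data file (SMTP server list / address list)")
    for value_name, command in snap.runonce.items():
        # Assumption: "random key name with a random (matching) filename" means the
        # value name equals the target file's stem. Legitimate entries rarely do this.
        if _command_stem(command) == value_name.lower():
            findings.append(f"RunOnce value {value_name!r} runs a file of the same random name: {command}")
    return findings


# Constructed sample hosts; the random RunOnce name and the sizes are made up for the demo.
INFECTED = Snapshot(
    windows_files={
        "notepad.exe": WORM_SIZE,
        "notedpad.exe": 53_248,
        "kernei.das": 2_048,
        "kernei.daa": 8_192,
        "win.ini": 512,
    },
    runonce={
        "qzkx4f7": r"C:\WINDOWS\qzkx4f7.exe",
        "Uninstall_Tool": r'"C:\Program Files\Tool\unins.exe" /silent',
    },
)
CLEAN = Snapshot(
    windows_files={"notepad.exe": 53_248, "win.ini": 512},
    runonce={"Uninstall_Tool": r'"C:\Program Files\Tool\unins.exe" /silent'},
)

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label + ":")
        for line in check_snapshot(snap) or ["no indicators found"]:
            print("  " + line)
```

On a real host the two dicts would be filled from a directory listing of the Windows folder and from HKLM/HKCU ...\CurrentVersion\RunOnce; the size check is the cheapest signal because the worm overwrites notepad.exe with a copy of itself, so a notepad.exe of exactly the attachment size is hard to explain any other way.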
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    The worm is now ITW in Germany and Austria.

    wizard
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    wizard
     
  4. Old_Sixteen

    Old_Sixteen Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    17
    Re: More on W32.YARNER.A@MM

    Here are more AV sites with info:

    "Subject of email: Trojaner-Info Newsletter
    Body: Text in German
    Name of attachment: yawsetup.exe"

    LINKS:

    http://www.symantec.com/avcenter/venc/data/w32.yarner.a@mm.html
    http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_YARNER.B
    http://vil.nai.com/vil/content/v_99365.htm
    http://www.sophos.com/virusinfo/analyses/w32yarner.html
    http://www.f-secure.com/v-descs/yarner.shtml
     
  5. DrSeltsam

    DrSeltsam Guest

    >As of tonight's database update this will be detected
    >by TDS-3 as Worm.YAW 2.0.

    Are you sure? I updated TDS-3 just 3 minutes ago and TDS didn't detect any of the 7 YAW 2.0 variants. I sent the 7 samples to you :-)

    Adieu, Andreas
     