VBS.Numgame & W32.Yaha@mm

Discussion in 'malware problems & news' started by javacool, Feb 16, 2002.

Thread Status:
Not open for further replies.
  1. javacool (BrightFort Moderator)
  2. FanJ (Guest)

    VBS/Numgame-A

    Name: VBS/Numgame-A
    Aliases: GuessGame
    Type: Visual Basic Script worm
    Date: 18 February 2002

    At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

    Description:

    VBS/Numgame-A is an email worm. It spreads as an email with the following properties:

    Subject:
    Are you <recipient> my valentine?

    Message Body:
    Hi my valentine, remember me? I ain't seen you in ages! Anyway, check-out and play the attached guess-the-number-game to guess who I am. See you soon, bye-bye!

    Attachment:
    GuessGame.html
    or
    GuessGame.vbe

    When the HTML file is run it will display a message box
    containing the text "Guess Game instructions:" and asking the user to click Yes should an ActiveX dialog box appear.

    Depending on the system configuration, an ActiveX warning dialog may then be displayed.

    If the user clicks Yes to the ActiveX warning, or no warning appears, the worm will create the file GuessGame.vbe in the Windows directory and execute it.

    GuessGame.vbe will first create a copy of itself in the Windows system directory. It will then send an email with the above characteristics to all addresses listed in the user's Outlook Address book.

    It will next attempt to set the date to 04-08-1981. Depending on the system settings this will result in the system date changing to 4th August 1981 or 8th April 1981 or remaining unchanged.

    It will also set the following registry values in order to
    disable the Desktop and the system file checking process.

    HKLM\SOFTWARE\Microsoft\Windows NT\
    CurrentVersion\Winlogon\SFCDisable = 0xFFFFFF9D

    HKCU\Software\Microsoft\Windows\
    CurrentVersion\Policies\Explorer\NoDesktop = 1

    After setting the registry entries the worm will attempt to delete all files from the local and network drives. On each affected drive it will also create a file named autoexec.bat in an attempt to delete files with the following extensions:

    *.SYS
    *.DLL
    *.OCX
    *.CPL
    *.DAT
    *.COM
    *.EXE
    *.CAB
    *.INI
    *.INF
    *.VXD
    *.DRV
    *.DOC
    *.XLS
    *.MDB
    *.PPT
    *.MP3
    *.JPG
    *.TXT
    *.HTM
    *.HTML
    *.HTA
    *.ASP
    *.ASPX

    from the following directories:

    \
    Desktop,
    Program Files,
    My Documents,
    Windows,
    System,
    Temp,
    Windows\SYSTEM32,
    Windows\COMMAND,
    Windows\INF,
    Windows\SYSBCKUP,
    \Documents and Settings,
    \Inetpub

    or their equivalents (e.g. WINNT\system32)

    Lastly the worm will allow the user to play a guessing game to guess a number between 1 and 100.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/vbsnumgamea.html
     
  3. FanJ (Guest)

    W32/Yaha-A

    Name: W32/Yaha-A
    Type: Win32 worm
    Date: 20 February 2002

    At the time of writing Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

    Description:

    W32/Yaha-A is an internet worm which spreads using its own SMTP engine. The worm arrives in an email message with the following characteristics:

    Subject:
    Melt the Heart of your Valentine with this beautiful Screen saver
    or
    Fw: Melt the Heart of your Valentine with this beautiful Screen saver
    Attachment: valentin.scr

    If the attached program is opened it runs as a screen saver, but also copies itself to C:\recycled with the filenames msmdm.exe and msscra.exe.

    The worm changes the registry key

    HKCR\exefile\shell\open\command

    so that the worm file msmdm.exe is run before any file with the extension EXE.

    W32/Yaha-A uses the Windows address book to find email addresses to send itself to. Email addresses will also be extracted from files with the extension HT*. Addresses found are stored in the files screendback.dll and screend.dll.

    The SMTP server used to send the emails is chosen either from the registry or from the following list inside the worm body:

    <long list of links deleted>


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32yahaa.html
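An added check, not from the Sophos advisories or from FanJ's posts: a read-only PowerShell audit of the registry values and dropped-file paths that both advisories above describe (the SFCDisable and NoDesktop values and the GuessGame.vbe copies for VBS/Numgame-A; the exefile open-command change and the C:\recycled copies for W32/Yaha-A). Assumptions are mine, not the advisories': it is run as Administrator on the host being checked, the normal exefile open command is `"%1" %*`, and the "Windows system directory" is `$env:windir\System32` (it was `System` on Windows 9x). The advisory does not say where Yaha-A's screendback.dll and screend.dll land, so they are not searched for. The script only reports; a hit means "look closer", not "delete".

```powershell
# Added example, not part of the Sophos advisories or this thread.
# Read-only audit of the indicators described for VBS/Numgame-A and W32/Yaha-A.
# Assumptions: elevated session; default exefile command is "%1" %*;
# system directory is $env:windir\System32.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ValentineWormIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    # Scriptblock runs in a child scope and can read/append to $findings.
    $add = {
        param($Worm, $Indicator, $Detail)
        $findings.Add([pscustomobject]@{ Worm = $Worm; Indicator = $Indicator; Detail = $Detail })
    }

    # --- VBS/Numgame-A -----------------------------------------------------
    # Advisory: SFCDisable = 0xFFFFFF9D under Winlogon, NoDesktop = 1 under Policies\Explorer.
    $sfc = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SFCDisable'
    if ($null -ne $sfc -and $sfc -ne 0) {
        # REG_DWORD is read back as a signed Int32; X8 prints it as two's complement,
        # so the advisory's value shows up as FFFFFF9D.
        & $add 'VBS/Numgame-A' 'SFCDisable' ('0x{0:X8} (advisory value 0xFFFFFF9D)' -f $sfc)
    }
    $noDesktop = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDesktop'
    if ($noDesktop -eq 1) {
        & $add 'VBS/Numgame-A' 'NoDesktop' 'Set to 1 (desktop hidden by policy)'
    }
    # Advisory: GuessGame.vbe dropped in the Windows directory and the system directory.
    foreach ($p in @("$env:windir\GuessGame.vbe", "$env:windir\System32\GuessGame.vbe")) {
        if (Test-Path -LiteralPath $p) { & $add 'VBS/Numgame-A' 'Dropped file' $p }
    }
    # Advisory: an autoexec.bat on each local/network drive with DEL lines for many extensions.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $bat = Join-Path $drive.Root 'autoexec.bat'
        if (Test-Path -LiteralPath $bat) {
            $hits = Select-String -LiteralPath $bat -Pattern '^\s*del\s+.*\*\.' -AllMatches
            if ($hits) {
                & $add 'VBS/Numgame-A' 'autoexec.bat wildcard DEL' ('{0}: {1} line(s)' -f $bat, $hits.Count)
            }
        }
    }

    # --- W32/Yaha-A ----------------------------------------------------------
    # Advisory: HKCR\exefile\shell\open\command changed so msmdm.exe runs before every EXE.
    $cmd = Get-RegValue 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' '(default)'
    if ($cmd -and $cmd.Trim() -ne '"%1" %*') {
        # Anything other than the bare "%1" %* runs ahead of every EXE launch.
        # Some legitimate products have also hooked this key, so treat it as a lead.
        & $add 'W32/Yaha-A' 'exefile open command' $cmd
    }
    # Advisory: copies written to C:\recycled as msmdm.exe and msscra.exe.
    foreach ($p in @('C:\recycled\msmdm.exe', 'C:\recycled\msscra.exe')) {
        if (Test-Path -LiteralPath $p) { & $add 'W32/Yaha-A' 'Dropped file' $p }
    }
    return $findings
}

$result = @(Test-ValentineWormIndicators)
if ($result.Count -eq 0) { 'No indicators from the two advisories found.' }
else { $result | Format-Table -AutoSize }
```

The exefile check is the one worth keeping in a general toolkit: a non-default `HKCR\exefile\shell\open\command` is how several worms of this era arranged to run before every program, and it is cheap to poll. The SFCDisable value is reported whenever it is non-zero rather than only when it equals the advisory's value, since any change there is unexpected on a managed host.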