W32/Yaha-B

Discussion in 'malware problems & news' started by FanJ, Apr 3, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Yaha-B
    Type: Win32 worm
    Date: 3 April 2002

    At the time of writing Sophos has received just one report of
    this worm from the wild.

    Description:

    W32/Yaha-B is a Win32 worm which makes two copies of itself in
    C:\Recycled. The first copy has a name made up of five randomly
    generated characters and an EXE extension; the second has the
    same name with an extra "f" on the end.

    The worm then sets the following registry value so that the worm
    is run first whenever an EXE file is executed:

    HKCR\exefile\shell\open\command\(default) = "C:\Recycled\.exe %1 %*"

    When the worm is executed it will start a screensaver that will
    manipulate the Desktop display. The user can exit this screen
    saver in the usual manner.

    W32/Yaha-B sends itself as an attachment to emails with the
    following characteristics:


    Subject line:
    Enjoy this friendship-joke Screen Saver!!!!
    or
    Fw : Enjoy this friendship-joke Screen Saver!!!!
    or
    Have a nice day!!!!


    Message body:
    This email is never sent unsolicited. If you need to unsubscribe,
    follow the instructions at the bottom of the message. Enjoy this
    friendship-joke Screen Saver and Check ur friends circle... Send
    this screensaver from xww.friendship.com to everyone you consider
    a FRIEND, even if it means sending it back to the person who sent
    it to you. If it comes back to you, then you'll know you have a
    cirle of friends.

    *To remove yourself from this mailing list, point your browser
    to: xxxx:x/xfriendship.x/remove?freescreensaver *Enter your email
    address () in the field provided and click "Unsubscribe". OR...
    *Reply to this message with the word "REMOVE" in the subject
    line. This message was sent to address X-PMG-Recipient:


    Attached file:
    Friends.scr


    The emails are sent to addresses from the Windows Address Book
    (WAB) and to addresses found in *.HT* files.

    This worm will also attempt to send SMS messages to
    <number>@xbplmobile.com and <number>@xescotelmobile.com, where
    <number> is randomly generated apart from an initial five digit
    code.

    The Internet Explorer start up page will be changed to one of
    the following seven addresses: xww.malayalmanorama.com,
    xww.asianetglobal.com, xww.kerala.com, xww.india.com,
    xww.malayalamchannel.com, xww.sunnt.com/suryatv, xww.achayans.com.

    A plain text file with the same randomly generated name as the
    copy of the worm in C:\Recycled will be dropped in the Windows
    directory.


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32yahab.html

    Note by FanJ:
    I have changed the links a little to prevent a reader from clicking on them.
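
The registry change the advisory describes (the worm inserting itself in front of "%1" in the exefile open command so that it runs before every EXE) is the part an incident responder will want to check for. The script below is an added example written for this thread; it is not code from Sophos or from FanJ's post. It classifies the raw data of HKCR\exefile\shell\open\command as clean or hijacked, extracts the inserted program, and flags paths that follow the C:\Recycled naming scheme from the write-up. The file name "kqzxt", the sample registry values, and the assumption that the five random characters are alphanumeric are all mine, not stated on the page.

```python
"""Audit the HKCR\\exefile\\shell\\open\\command value for an EXE hijack.

Added example; it is not code from the Sophos write-up or from the forum post.
On a clean Windows system the default value of this key is '"%1" %*': run the
EXE that was launched (%1) with its arguments (%*). W32/Yaha-B prepends its own
path, so the worm runs first and then hands over to the real program, which is
why the victim sees nothing unusual. The sample values below are constructed.
"""
import re

# Matches either a double-quoted token or a run of non-whitespace, which is
# how the shell open command is split into program and arguments.
_TOKEN = re.compile(r'"[^"]*"|\S+')

# The write-up says: a five-character random name plus ".exe" in C:\Recycled,
# and a second copy with an extra "f". Treating the five characters as
# alphanumeric is an assumption, not something the write-up states.
_YAHA_DROPPER = re.compile(r'C:\\Recycled\\[A-Za-z0-9]{5}f?\.exe', re.IGNORECASE)


def classify_open_command(value):
    """Classify the raw REG_SZ data of exefile\\shell\\open\\command.

    Returns a dict with:
      status         'clean', 'hijacked' or 'unknown'
      hijacker       path of the program inserted in front of %1, or None
      passes_through True if %1 is still present, i.e. the real EXE still runs
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(value)]
    if not tokens:
        return {"status": "unknown", "hijacker": None, "passes_through": False}
    # Anything that is not a %-placeholder is a program that Windows will run.
    foreign = [t for t in tokens if not t.startswith("%")]
    if not foreign:
        return {"status": "clean", "hijacker": None, "passes_through": True}
    return {
        "status": "hijacked",
        "hijacker": foreign[0],
        "passes_through": "%1" in tokens,
    }


def looks_like_yaha_dropper(path):
    """True if the path follows the naming scheme the write-up describes."""
    return _YAHA_DROPPER.fullmatch(path) is not None


def audit_open_command(value):
    """Combine both checks into one verdict for a registry value."""
    result = classify_open_command(value)
    result["yaha_like"] = (
        result["hijacker"] is not None and looks_like_yaha_dropper(result["hijacker"])
    )
    return result


def read_live_open_command():
    """Read the real value on a Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        data, _ = winreg.QueryValueEx(key, "")   # "" selects the (default) value
    return data


# Constructed samples: the worm name "kqzxt" is made up to match the pattern.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "yaha_style": r'C:\Recycled\kqzxt.exe %1 %*',
    "no_passthru": r'C:\Recycled\kqzxt.exe',
    "other_tool": r'"C:\Program Files\Launcher\run.exe" "%1" %*',
}

if __name__ == "__main__":
    live = read_live_open_command()
    rows = ([("live", live)] if live else []) + list(SAMPLE_VALUES.items())
    for name, value in rows:
        print(f"{name:12} {audit_open_command(value)}")
```

One caveat when cleaning up: restore the value to "%1" %* before, or at the same time as, deleting the file in C:\Recycled. If the dropper is removed while the open command still points at it, Windows tries to run the missing file on every EXE launch and nothing (including regedit.exe) will start until the value is repaired.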
     