W32/Yaha-D

Discussion in 'malware problems & news' started by FanJ, Jun 5, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Yaha-D
    Type: Win32 worm
    Date: 5 June 2002

    Sophos has received several reports of this worm from the wild.

    Description:

    W32/Yaha-D is a Win32 worm which spreads via email. The worm has
    its own SMTP client software and either uses an SMTP server
    found by examining the Windows registry or one from a list
    contained within the worm itself. The email sent by the worm is
    highly variable. The subject line is made up of a combination of
    words and phrases from the following list:

    searching for true Love
    you care ur friend
    Who is ur Best Friend
    make ur friend happy
    True Love
    Dont wait for long time
    Free Screen saver
    Friendship Screen saver
    Looking for Friendship
    Need a friend?
    Find a good friend
    Best Friends
    I am For u
    Life for enjoyment
    Nothink to worryy
    Ur My Best Friend
    Say 'I Like You' To ur friend
    Easy Way to revel ur love
    Wowwwwwwwwwww check it
    Send This to everybody u like
    Enjoy Romantic life
    Let's Dance and forget pains
    war Againest Loneliness
    How sweet this Screen saver
    Let's Laugh
    One Way to Love
    Learn How To Love
    Are you looking for Love
    love speaks from the heart
    Enjoy friendship
    Shake it baby
    Shake ur friends
    One Hackers Love
    Origin of Friendship
    The world of lovers
    The world of Friendship
    Check ur friends Circle
    Friendship
    how are you
    U r the person?
    Hi
    U realy Want this
    Romantic
    humour
    New
    Wonderfool
    excite
    Cool
    charming
    Idiot
    Nice
    Bullsh*t
    One
    Funny
    Great
    LoveGangs
    Shaking
    powful
    Joke
    Interesting
    Interesting
    Screensaver
    Friendship
    Love
    relations
    stuff
    to ur friends
    to ur lovers
    for you
    to see
    to check
    to watch
    to enjoy
    to share

    The message text is similar to:

    "Hi Dear
    Check the attach
    See u

    .
    .

    Check the attachment too.."

    or

    "Hi Dear
    Check the Attachement ..
    See u

    ----- Original Message -----
    From: "Friendship" < deleted by FanJ >
    To: < sender's address >
    Sent: Friday, May 11, 2002 8:38 PM
    Subject: The world of Friendship :)

    This e-mail is never sent unsolicited. If you need to
    unsubscribe,
    follow the instructions at the bottom of the message.
    ***********************************************************

    Enjoy this friendship Screen Saver and Check ur friends
    circle...

    Send this screensaver from <deleted by FanJ> to everyone you
    consider a FRIEND, even if it means sending it back to the
    person
    who sent it to you. If it comes back to you, then you'll know
    you
    have a circle of friends.

    * To remove yourself from this mailing list, point your browser
    to:
    <deleted by FanJ>
    * Enter your email address < sender's address > in the field
    provided and click
    "Unsubscribe".

    OR...

    * Reply to this message with the word "REMOVE" in the subject
    line.

    This message was sent to address <sender's address>
    X-PMG-Recipient: <sender's address>
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
    <<<>>> "

    The attachment filename is made up of three parts - a name and
    two extensions. The name is chosen from:

    screensaver
    screensaver4u
    screensaver4u
    screensaverforu
    freescreensaver
    love
    lovers
    lovescr
    loverscreensaver
    loversgang
    loveshore
    love4u
    lovers
    enjoylove
    sharelove
    shareit
    checkfriends
    urfriend
    friendscircle
    friendship
    friends
    friendscr
    friends
    friends4u
    friendship4u
    friendshipbird
    friendshipforu
    friendsworld
    werfriends
    passion
    bullsh*tscr
    shakeit
    shakescr
    shakinglove
    shakingfriendship
    passionup
    rishtha
    greetings
    lovegreetings
    friendsgreetings
    friendsearch
    lovefinder
    truefriends
    truelovers
    f*cker

    The first extension is chosen from:

    DOC
    MP3
    XLS
    WAV
    TXT
    JPG
    GIF
    DAT
    BMP
    HTM
    MPG
    MDB
    ZIP

    and the second extension is chosen from:

    PIF
    BAT
    SCR

    W32/Yaha-D also creates a copy of itself with a random name in
    the Recycle folder. It then adds the name of this copy to the
    following registry entry to ensure that the worm is run each
    time a program with an EXE extension is run:

    HKCR\exefile\shell\open\command\default

    The worm will attempt to disable security software by
    terminating any of the following processes:

    ZONEALARM
    AVP32
    LOCKDOWN2000
    AVP.EXE
    CFINET32
    CFINET
    ICMON
    SAFEWEB
    WEBSCANX
    ANTIVIR
    MCAFEE
    NORTON
    NVC95
    FP-WIN
    IOMON98
    PCCWIN98
    F-PROT95
    F-STOPW
    PVIEW95
    NAVWNT
    NAVRUNR
    NAVLU32
    NAVAPSVC
    NISUM
    SYMPROXYSVC
    RESCUE32
    NISSERV
    ATRACK
    IAMAPP
    LUCOMSERVER
    LUALL
    NMAIN
    NAVW32
    NAVAPW32
    VSSTAT
    VSHWIN32
    AVSYNMGR
    AVCONSOL
    WEBTRAP
    POP3TRAP
    PCCMAIN
    PCCIOMON

    When the worm is first run it will imitate a screen saver by
    repeatedly displaying the following messages on the screen in
    various colours:

    "U r so cute today #!#!"
    "True Love never ends"
    "I like U very much!!!"
    "U r My Best Friend"


    Read the analysis at
    http://www.sophos.com/virusinfo/analyses/w32yahad.html
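The attachment naming (name + decoy extension + PIF/BAT/SCR), the subject lines built from list phrases, and the exefile\shell\open\command hijack described in the post above, turned into a small indicator checker. This is an added example, not code from Sophos or from the original thread: the phrase, stem and extension sets are a subset of the lists quoted above (extend them with the full lists), the sample message is constructed, and the "%1" %* value used as the clean exefile command is Windows' own default rather than something the advisory states. It goes slightly beyond the advisory by also flagging any double-extension executable whose stem is not on the list.

```python
"""Indicator checks for the W32/Yaha-D mail pattern (added example)."""
import email
from email import policy

# Subset of the subject phrases, attachment stems and extensions quoted in
# the advisory above (assumption: the full lists are pasted in for real use).
SUBJECT_PHRASES = {
    "friendship screen saver", "free screen saver", "true love",
    "need a friend?", "to ur friends", "to ur lovers", "for you",
    "to enjoy", "cool", "hi", "love", "friendship", "check ur friends circle",
}
STEMS = {
    "screensaver", "screensaver4u", "love", "lovers", "friendshipbird",
    "friendscircle", "truefriends", "shakeit", "lovegreetings",
}
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat",
              "bmp", "htm", "mpg", "mdb", "zip"}
EXEC_EXTS = {"pif", "bat", "scr"}

# Windows' default for HKCR\exefile\shell\open\command (not from the advisory).
# Anything else means every .exe launch is routed through another binary.
EXEFILE_DEFAULT = '"%1" %*'

_PHRASE_WORDS = {tuple(p.split()) for p in SUBJECT_PHRASES}
_MAX_PHRASE_LEN = max(len(w) for w in _PHRASE_WORDS)


def subject_matches(subject):
    """True if the whole subject can be segmented into list phrases."""
    words = tuple(subject.lower().split())
    n = len(words)
    reachable = [False] * (n + 1)   # reachable[i]: words[:i] fully segmented
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for j in range(i + 1, min(n, i + _MAX_PHRASE_LEN) + 1):
            if words[i:j] in _PHRASE_WORDS:
                reachable[j] = True
    return n > 0 and reachable[n]


def classify_attachment(filename):
    """Return 'yaha-d', 'disguised-executable' or 'ok' for a filename."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return "ok"                       # no double extension
    stem, ext1, ext2 = parts
    if ext2 not in EXEC_EXTS:
        return "ok"
    if stem in STEMS and ext1 in DECOY_EXTS:
        return "yaha-d"                   # exact naming scheme from the advisory
    return "disguised-executable"         # same trick, different stem


def exefile_hijacked(command_value):
    """True if the exefile open command differs from the Windows default."""
    return command_value.strip() != EXEFILE_DEFAULT


def scan_message(raw):
    """Return the indicators found in one RFC 822 message as a list."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = msg["Subject"] or ""
    if subject_matches(subject):
        findings.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict = classify_attachment(name)
        if verdict != "ok":
            findings.append(f"{verdict}:{name}")
    return findings


# Constructed sample in the shape the advisory describes; the base64 body is
# the text "not real malware", not a binary.
SAMPLE_MESSAGE = """\
From: "Friendship" <friend@example.invalid>
To: victim@example.invalid
Subject: Friendship Screen saver to ur friends
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi Dear
Check the attach
See u
--b1
Content-Type: application/octet-stream; name="friendshipbird.mpg.scr"
Content-Disposition: attachment; filename="friendshipbird.mpg.scr"
Content-Transfer-Encoding: base64

bm90IHJlYWwgbWFsd2FyZQ==
--b1--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```

The subject check segments the whole subject into list phrases, so ordinary mail that merely contains the word "love" is not flagged, but a one-word subject such as "Hi" is, which is the advisory's own pattern and an acceptable false positive in a gateway rule. The exefile check is a string comparison so it can run against a registry export taken from a suspect machine.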
     
  2. Jooske

    Jooske Registered Member

    Hmm, thanks FanJ. As many of us already get lots of spam with such frusty subjects, and either filter it or delete it manually, it is good to be extra alert.
    Grgrgr, the trick of getting removed from their database and with that infecting yourself! So it's not wise to have autoresponders send "bounces", maybe?
     