W32/Yaha-E Worm

Discussion in 'malware problems & news' started by Paul Wilders, Jun 20, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Name: W32/Yaha-E
    Type: Win32 worm
    Date: 20 June 2002

    Sophos has received several reports of this worm from the wild.

    Description:

    W32/Yaha-E is a worm which spreads via email. The worm has its own SMTP client software and uses either an SMTP server found by examining the Windows registry or one from a list contained within the worm itself.

    The email sent by the worm is highly variable. The subject line of the email is created using a combination of words and phrases from the following list:

    searching for true Love
    you care ur friend
    Who is ur Best Friend
    make ur friend happy
    True Love
    Dont wait for long time
    Free Screen saver
    Friendship Screen saver
    Looking for Friendship
    Need a friend?
    Find a good friend
    Best Friends
    I am For u
    Life for enjoyment
    Nothink to worryy
    Ur My Best Friend
    Say 'I Like You' To ur friend
    Easy Way to revel ur love
    Wowwwwwwwwwww check it
    Send This to everybody u like
    Enjoy Romantic life
    Let's Dance and forget pains
    war Againest Loneliness
    How sweet this Screen saver
    Let's Laugh
    One Way to Love
    Learn How To Love
    Are you looking for Love
    love speaks from the heart
    Enjoy friendship
    Shake it baby
    Shake ur friends
    One Hackers Love
    Origin of Friendship
    The world of lovers
    The world of Friendship
    Check ur friends Circle
    Friendship
    how are you
    U r the person?
    Hi
    U realy Want this
    Romantic
    humour
    New
    Wonderfool
    excite
    Cool
    charming
    Idiot
    Nice
    Bullsh*t
    One
    Funny
    Great
    LoveGangs
    Shaking
    powful
    Joke
    Interesting
    Interesting
    Screensaver
    Friendship
    Love
    relations
    stuff
    to ur friends
    to ur lovers
    for you
    to see
    to check
    to watch
    to enjoy
    to share

    The message text begins:

    "Hi
    Check the Attachment ..
    See u"

    or

    "Attached one Gift for u.."

    or

    "wOW CHECK THIS"

    The remainder of the message will resemble a forwarded email.
    The From and Subject fields of the forwarded message are also variable but the message will always contain the text:

    "This e-mail is never sent unsolicited. If you need to
    unsubscribe, follow the instructions at the bottom of the message.
    ***********************************************

    Enjoy this friendship Screen Saver and Check ur friends
    circle...

    Send this screensaver from <web address> to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.

    * To remove yourself from this mailing list, point your browser to:
    <web address>
    * Enter your email address (<sender's address>) in the field
    provided and click "Unsubscribe".

    OR...

    * Reply to this message with the word "REMOVE" in the subject line.

    This message was sent to address <sender's address>
    X-PMG-Recipient: <sender's address>
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
    <<<>>>"

    The attachment filename is made up of three parts: a name and two extensions.

    The name is chosen from:

    screensaver
    screensaver4u
    screensaver4u
    screensaverforu
    freescreensaver
    love
    lovers
    lovescr
    loverscreensaver
    loversgang
    loveshore
    love4u
    lovers
    enjoylove
    sharelove
    shareit
    checkfriends
    urfriend
    friendscircle
    friendship
    friends
    friendscr
    friends
    friends4u
    friendship4u
    friendshipbird
    friendshipforu
    friendsworld
    werfriends
    passion
    bullsh*tscr
    shakeit
    shakescr
    shakinglove
    shakingfriendship
    passionup
    rishtha
    greetings
    lovegreetings
    friendsgreetings
    friendsearch
    lovefinder
    truefriends
    truelovers
    f*cker
    loveletter
    resume
    biodata
    dailyreport
    mountan
    goldfish
    weeklyreport
    report
    love

    The first extension is chosen from:

    doc
    mp3
    xls
    wav
    txt
    jpg
    gif
    dat
    bmp
    htm
    mpg
    mdb
    zip

    The second extension is chosen from:

    pif
    bat
    scr

    The worm also creates a copy of itself in the Recycle folder
    with a name comprised of four random lower case characters. The path to this copy is then added to the following registry entry to ensure that the worm is run each time a program with an EXE extension is run:

    HKLM\exefile\shell\open\command\default

    Two files are created in the Windows folder. One has a DLL
    extension and an eight character name created from the same four characters used for the copy of the worm. This file contains a list of email addresses found on the infected computer. The second file has the same name as the copy of the worm and a TXT extension. This is a simple text file containing the text "iNDian sNakes pResents yAha.E".

    The worm will attempt to disable security software by
    terminating any of the following processes:

    SCAM32
    SIRC32
    ZONEALARM
    LOCKDOWN2000
    AVP.EXE
    CFINET32
    CFINET
    SAFEWEB
    WEBSCANX
    ANTIVIR
    MCAFEE
    NORTON
    FP-WIN
    IOMON98
    PCCWIN98
    F-PROT95
    F-STOPW
    PVIEW95
    NAVWNT
    NAVRUNR
    NAVLU32
    NAVAPSVC
    SYMPROXYSVC
    RESCUE32
    NISSERV
    ATRACK
    IAMAPP
    LUCOMSERV
    NAVW32
    NAVAPW32
    VSSTAT
    VSHWIN32
    AVSYNMGR
    AVCONSOL
    WEBTRAP
    POP3TRAP
    PCCMAIN
    PCCIOMON

    When the worm is first run it will imitate a screen saver by
    repeatedly displaying the following messages on the screen in various colours:

    U r so cute today "!"!
    True Love never ends
    I like U very much!!!
    U r My Best Friend

    A copy of the attachment in base64 encoded format is created in the folder C:\Windows\Temp with the filename kitkat.

    Read the analysis at
    www.sophos.com/virusinfo/analyses/w32yahae.html
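    The attachment scheme and the exefile hijack described above lend themselves to two simple mail-gateway and host checks. The Python below is an added example for this thread, not Sophos's code or anything from the worm: it rebuilds the three-part attachment pattern (name, decoy extension, executable extension) from the lists quoted in the post, and it compares the exefile open-command value against the stock Windows value `"%1" %*`. The generic "any data extension followed by an executable extension" rule and the `exe`/`com`/`vbs`/`js`/`lnk` additions are my assumptions, going beyond the page to catch the same trick from other mailers; the sample names are constructed.

```python
import re

# Name stems, decoy extensions and executable extensions quoted in the
# Sophos description (the two censored stems are left out).
YAHA_NAME_STEMS = {
    "screensaver", "screensaver4u", "screensaverforu", "freescreensaver",
    "love", "lovers", "lovescr", "loverscreensaver", "loversgang", "loveshore",
    "love4u", "enjoylove", "sharelove", "shareit", "checkfriends", "urfriend",
    "friendscircle", "friendship", "friends", "friendscr", "friends4u",
    "friendship4u", "friendshipbird", "friendshipforu", "friendsworld",
    "werfriends", "passion", "shakeit", "shakescr", "shakinglove",
    "shakingfriendship", "passionup", "rishtha", "greetings", "lovegreetings",
    "friendsgreetings", "friendsearch", "lovefinder", "truefriends",
    "truelovers", "loveletter", "resume", "biodata", "dailyreport", "mountan",
    "goldfish", "weeklyreport", "report",
}
YAHA_DECOY_EXTENSIONS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif",
                         "dat", "bmp", "htm", "mpg", "mdb", "zip"}
YAHA_EXEC_EXTENSIONS = {"pif", "bat", "scr"}

# Assumption (not from the page): the same double-extension trick is worth
# quarantining whichever executable type ends the name.
GENERIC_EXEC_EXTENSIONS = YAHA_EXEC_EXTENSIONS | {"exe", "com", "vbs", "js", "lnk"}

# Stock value of the exefile shell\open\command key on Windows: run the
# program itself with its arguments. Anything prepended means a hijack.
STOCK_EXEFILE_COMMAND = '"%1" %*'


def classify_attachment(filename):
    """Return 'yaha-e', 'double-extension' or 'ok' for one attachment name.

    'yaha-e' needs all three parts to come from the quoted lists;
    'double-extension' is the generic data-then-executable pattern.
    """
    base = re.split(r"[\\/]", filename.lower())[-1]   # drop any path prefix
    parts = base.split(".")
    if len(parts) < 3:
        return "ok"                                    # a single extension at most
    stem, ext1, ext2 = ".".join(parts[:-2]), parts[-2], parts[-1]
    if (ext2 in YAHA_EXEC_EXTENSIONS and ext1 in YAHA_DECOY_EXTENSIONS
            and stem in YAHA_NAME_STEMS):
        return "yaha-e"
    if ext2 in GENERIC_EXEC_EXTENSIONS and ext1 in YAHA_DECOY_EXTENSIONS:
        return "double-extension"
    return "ok"


def exefile_command_is_hijacked(command_value):
    """True when the exefile open command no longer simply runs the program.

    command_value is the (Default) string read from the key; the caller
    obtains it with winreg or reg.exe, this function only judges it.
    """
    return command_value.strip().lower() != STOCK_EXEFILE_COMMAND.lower()


def triage(attachments):
    """Map each constructed attachment name to its verdict."""
    return {name: classify_attachment(name) for name in attachments}


if __name__ == "__main__":
    # Constructed sample names, not captured mail.
    samples = ["friendship.doc.scr", "lovescr.jpg.pif", "invoice.doc.exe",
               "photo.jpg", "archive.tar.gz"]
    for name, verdict in triage(samples).items():
        print(f"{name:24s} {verdict}")
    # Constructed registry value of the kind the description implies.
    print(exefile_command_is_hijacked('C:\\RECYCLED\\abcd.exe "%1" %*'))
```

    Run at a gateway, `classify_attachment` is enough to quarantine the mail before any of the subject-line decoys matter; on a host, reading the exefile command value and passing it to `exefile_command_is_hijacked` tells you whether cleanup must restore that key before the worm copy is deleted, which is exactly the ordering the later posts in this thread warn about.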
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
  3. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Sounds like this guy made a career out of this worm lol. Very feature rich!

    I didn't see NOD32, TDS3, Wormguard or KERIO/TINY on the list. I guess the author will have to go back to the drawing board before he can play with the big boys.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just this morning in the news I saw that one of the Dutch ISPs (www.zeelandnet.nl) closes their outgoing emails because of this infection. People can get their account unlocked after a kind of "all cleaned" certificate, which people can get via scanning with the AV product they are affiliated with, RAV
    (I must admit I never heard of them before) ( http://www.ravantivirus.com/ )
    Anyway, their online scan told me it could not function as I would not have administrative rights on my PC (! on a Win98 system?? with me logged in as user myself?), and it could not load ActiveX components (!! they had downloaded with my permission some tool, and after that message I even put them in my trusted zone and for a few moments even lowered all possible security, which I put all back on high afterwards, deleting them from my trusted zone of course!). So I don't know if I should ever give their products any try at all in future with such bad detections on systems!

    Speaking about good money, I think this ISP is trying to make good money from the Yaha, which is hardly a real problem at this moment, as the detection is added to all main AV/AT software.
    Strangely enough they didn't give a kick with Klez, which I think is far more of a problem.......
     
  5. FanJ

    FanJ Guest

  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks Jan, I read there that the Yaha is more in the Netherlands than anywhere else. Are we Dutch all that stupid or just curious to open any email, or don't we update, don't we patch, and are just ignorant? Saw in one of the comments a girl thinking AV is getting a thing to have by now (!!!); I would say persons without scanners should not be allowed on the internet at all!

    Anyway, in the meantime RAV hurried with their tech repair and I am trying for the third time now to have my online scan; it crashed several times, but I am unsure if that was again IE 6.0 crashing (it does frequently), so there is doubt. Till now each time took many hours per drive, and it still was not finished, so I could start all over after each crash;
    most nasties in my test zoo are found, some more alarms I would like to look at outside that, but even I can't make out what and where with incomplete path and file names, with more the nasty's name.... and I make out that in one of the email folders an iframe-exploit is found, but if they would please be so kind to mention which email in which folder, that would be really helpful.
    OK, many people might just say "delete", but could that mean here the whole email folder is deleted? And I saw warnings for Yaha among others: you should first repair the registry keys and afterwards delete Yaha, and not in other ways, to prevent system damage.......
    Such things should be part of a repair tool and a good readme instruction going with that!

    Still I don't know about RAV (real anti virus?); till today I never heard of it, did you?
    It finds Yaha/Lentin in zipped versions, zipped and attached to emails which are attached to another email and zipped again, unzipped versions, etc.
     
  7. FanJ

    FanJ Guest

  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    @Home in the Netherlands has followed zeeland.net's and XS4all's example in cutting off customers that are infected and keep spreading viruses. They promise to reconnect the victims within a day after they have cleaned up their computer, without prescribing how that has to be done.
    My guess is more will follow.

    Regards,

    Pieter
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    xs4all.nl (a Dutch ISP) is one of the few ones, providing their clients with free security software. Unfortunately, they did choose McAfee as an anti-virus. We pointed the mediocre quality out several times to them. That being said, nothing will help in case a client will not update databases frequently..

    regards,

    paul
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Then there is one solution: people willing or not, at connecting to the internet the free AV/AT software is auto-updated and a full system scan started.
    Forcing beta testers to keep their test files on diskettes/CD-RW.

    Anyway this (the free supplying) is better than forcing people to get the €36/year software like zeelandnet seems to do, as one might have or prefer other scanners.

    Anybody can have been offline for a while, collecting emails, updating AV/AT and getting infected in the meantime, to name an example.

    I would prefer to warn the user and give them time (and instructions) to disinfect XX hours before closing their account. And how will the ISP know they are really clean?
    Only from the produced traffic? Hmm.

    OK, it comes all more or less close to a clean internet obligation, so one could also ask of the ISPs to use strong(er) filters.
    Quite a discussion for legality etc.
     
  11. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Wow, I have never received a virus in email other than those "joke" ones before today... I checked my email and there were 2 emails from the same address (nothing I recognize), both with this virus attached. Anyway AVG (I think, it had the bug picture, don't think Avast does that) caught them and permanently deleted them nicely enough.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I subscribed to many newsgroups --not for infection collection but because the subjects interested me originally--; I think those are really nice sources for infection collectors. Most of the groups I send my educative autoresponder to after hoaxes and infections are remarkably much cleaner than before, and I did not even advise all of them to get my most beloved software (TDS/WG, although it is in my autoresponder text), and I did not intrude into their systems to collect the nasties myself unfortunately, although in most cases they came nicely with the postings for my test zoo.
    So one collects even from infections with only 2 or 3 known variants at least 4 or 5 new varieties, which I always forward to the TDS lab for their databases.
    Today I got another Yaha from a really unknown source; I searched all my address books, caches, sent folder, emails and HTML/DOC/TXT files anywhere on my computer, but this email address was really new to me. It was a fake bounced message (which can be part of Yaha) and only one, so I keep watching them.
    One possibility could be an infected reply on a bounce email and delete original from my spam protection.
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Of passing interest, it was Avast that caught the Yaha, not AVG... I know it doesn't really mean anything, but I remembered Avast is the one that puts a big picture of a nasty insect up when it finds something.
     
  14. FanJ

    FanJ Guest

  15. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    The kind folks from @home support Netherlands sent every subscriber a message with the subject "Virus detected!" to inform everyone they will be cut off once Yaha is being sent from your account.

    I don't know which moron was responsible for choosing the subject title, but I read on www.troublesathome.nl (not a fan club ;) ) their support department is being swamped by confused callers.

    I never use the @home mail server, because it never worked properly and right now it's not available (but that's nothing new). Although I still enjoy my 300 - 400 Kb cable speed :D

    RAV antivirus is one of the few AV natively supporting Novell GroupWise mail server.
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    a moron indeed. This is without any doubt not the way to deal with this issue.

    Nice - but average :cool:. 600 kb should be possible at least. xs4all.nl does even better than that. Time to switch? ;)

    regards,

    paul
     
  17. FanJ

    FanJ Guest

  18. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Picked up this little tidbit in the news:

    Nice of them to share their enmity with the whole Internet, eh? :rolleyes:
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks Jan,

    Although nothing new is being revealed, Robert has an xs4all ISP account for good reasons! :D

    regards,

    paul
     