W32.Yaha.K@mm

Discussion in 'malware problems & news' started by Randy_Bell, Dec 25, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec Security Response - W32.Yaha.K@mm

    I'm confused by the nomenclature, but I think this may be the same worm that Paul posted about (Lentin/Yaha.M):

    W32.Yaha.K@mm is a variant of W32.Yaha.J@mm. It terminates some antivirus and firewall processes. The worm uses its own SMTP engine to email itself to all contacts in the Windows Address Book, the MSN Messenger, the .NET Messenger, the Yahoo Pager, and all files whose extension contains the letter HT. The email message has randomly chosen subject line, message, and attachment name.

    This threat is written in the Microsoft C++ language and is compressed with UPX. The uncompressed size is about 75 KB.

    Also Known As: W32/Yaha.k [McAfee], I-Worm.Lentin.i [KAV], Win32/Yaha.K@mm [GeCAD], W32/Yaha-K [Sophos], Win32.Yaha.K [CA]
    Type: Worm
    Infection Length: 34,304 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    technical details

    When W32.Yaha.K@mm runs, it does the following,

    It copies itself as the following files and sets the attribute of the files to hidden.

    • C:\%System%\WinServices.exe.
    • C:\%System%\nav32_loader.exe
    • C:\%System%\tcpsvs32.exe

    NOTE: %System% is a variable. The Trojan locates the Windows system folder and copies itself to that location. By default this is C:\Windows\System (Windows 95/98/Millennium), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    It adds a value

    WinServices.exe C:\%System%\WinServices.exe

    to the registry keys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    so that the worm runs when you start Windows.

    The worm configures itself to run each time that an .exe file is run; it does so by changing the default value of the registry key

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    to

    C:\%System%\WinServices.exe"%1 %*

    It may also copy itself to the Windows system folder as one of the following,

    • hotmail_hack.exe
    • friendship.scr
    • world_of_friendship.scr
    • shake.scr
    • Sweet.scr
    • Be_Happy.scr
    • Friend_Finder.exe
    • I_Like_You.scr
    • love.scr
    • dance.scr
    • GC_Messenger.exe
    • True_Love.scr
    • Friend_Happy.scr
    • Best_Friend.scr
    • life.scr
    • colour_of_life.scr
    • friendship_funny.scr
    • funny.scr

    It attempts to terminate antivirus and firewall processes. It inventories the active processes, and if the name of the process contains one of the following, it attempts to terminate the process:

    • REGEDIT
    • ACKWIN32
    • F-AGNT95
    • SWEEP95
    • VET95
    • N32SCANW
    • _AVPM
    • LOCKDOWNADVANCED
    • NSPLUGIN
    • NSCHEDNT
    • NRESQ32
    • NPSSVC
    • NOD32
    • _AVPCC
    • _AVP32
    • NORTON
    • NVC95
    • FP-WIN
    • IOMON98
    • PCCWIN98
    • F-PROT95
    • F-STOPW
    • PVIEW95
    • NAVWNT
    • NAVRUNR
    • NAVLU32
    • NAVAPSVC
    • NISUM
    • SYMPROXYSVC
    • RESCUE32
    • NISSERV
    • VSECOMR
    • VETTRAY
    • TDS2-NT
    • TDS2-98
    • SCAN32
    • PCFWALLICON
    • NSCHED32
    • IAMSERV.EXE
    • FRW.EXE
    • MCAFEE
    • ATRACK
    • IAMAPP
    • LUCOMSERVER
    • LUALL
    • NMAIN
    • NAVW32
    • NAVAPW32
    • VSSTAT
    • VSHWIN32
    • AVSYNMGR
    • AVCONSOL
    • WEBTRAP
    • POP3TRAP
    • PCCMAIN
    • PCCIOMON
    • ESAFE.EXE
    • AVPM.EXE
    • AVPCC.EXE
    • AMON.EXE
    • ALERTSVC
    • ZONEALARM
    • AVP32
    • LOCKDOWN2000
    • AVP.EXE
    • CFINET32
    • CFINET
    • ICMON
    • RMVTRJANSAFEWEB
    • WEBSCANX
    • PVIEW
    • ANTIVIR

    Email routine details

    The worm uses its own SMTP engine to email itself to all contacts in the Windows Address Book, the MSN Messenger, the .NET Messenger, the Yahoo Pager, and all files whose extension contains the letters HT. It attempts to use the infected computer's default SMTP server to send mail. If it cannot find that information, then it uses one of many SMTP server addresses that are hardcoded into the worm. The email message has the following characteristics:

    Subject: Subject line is one of the following,

    • Are you the BEST
    • Free Win32 API source
    • Learn SQL 4 Free
    • I Love You..
    • Wanna be like a stone ?
    • Are you a Soccer Fan ?
    • Sexy Screensavers 4 U
    • Check it out
    • Sample Playboy
    • Hardcore Screensavers 4 U
    • XXX Screensavers 4 U
    • We want peace
    • Wanna be a HE-MAN
    • Visit us
    • One Virus Writer's Story
    • One Hacker's Love
    • World Tour
    • Whats up
    • Wanna be my sweetheart ??
    • Screensavers from Club Jenna
    • Jenna 4 U
    • Free rAVs Screensavers
    • Feel the fragrance of Love
    • Wanna Hack ??
    • Sample KOF 2002
    • The King of KOF
    • Wanna Brawl ??
    • Wanna Rumble ??
    • Play KOF 2002 4 Free
    • Demo KOF 2002
    • Free Demo Game
    • Wanna be friends ??
    • Need money ??
    • Are you beautiful
    • Who is your Valentine
    • Free Screenavers of Love
    • Free XXX
    • Free Screensavers
    • WWE Screensavers
    • Freak Out
    • Wanna be friends ?
    • Things to note
    • Lovers Corner
    • Patch for Elkern.gen
    • Patch for Klez.H
    • Free Screensavers 4 U
    • Project
    • Sample Screensavers
    • Are you in Love
    • I am in Love
    • I Love You
    • You are so sweet
    • The Hotmail Hack
    • U realy Want this
    • to ur lovers
    • to ur friends
    • Find a good friend
    • Learn How To Love
    • Are you looking for Love
    • Wowwwwwwwwwww check it
    • Check ur friends Circle
    • The world of Friendship
    • Shake it baby
    • How sweet this Screen saver
    • war Againest Loneliness
    • Need a friend?
    • Say 'I Like You' To ur friend
    • love speaks from the heart
    • Let's Dance and forget pains
    • Looking for Friendship
    • True Love
    • make ur friend happy
    • Who is ur Best Friend
    • hey check it yaar
    • Check this ****
    • Hello
    • Hi

    Message: Message can be one of the following,

    • hey,
      did u always dreamnt of hacking ur friends hotmail account..
      finally i got a hotmail hack from the internet that really works..
      ur my best friend thats why sending to u..
      check it..just run it..enter victim's address and u will get the pass.
    • hi,
      check the attached love screensaver
      and feel the fragrance of true love..
    • Hi,
      check the attached screensaver..
      its really wonderfool..
      i got it from freescreensavers.com
    • Hi,
      check ur friends circle using the attached friendship screensaver..
      check the attached screensaver
      and if u like it send it to all those you consider
      to be true friends... if it comes back to you then
      you will know that you have a circle of friends..
    • Hi,
      check the attached screensaver
      and enjoy the world of friendship..
    • Hi,
      are u in a rocking mood...
      check the attached scrennsaver and start shaking..
    • Hi,
      Check the attached screensaver..
    • Hi,
      Are you lonely ??..
      check the attached screensaver and
      forget the pain of loneliness
    • Hi,
      Looking for online pals..
      check the attached friend finder software..
    • Hi,
      sending you a screensaver..
      check it and let me know how it is...
    • Hi,
      Check the attached screensaver
      and feel the fragrance of true love...
    • Hey,
      I just got this wonderfull screensaver from freescreensaver.com..
      Just check it out and let me know how it is..
      I just came across it.. check out..
      =====================================================================
      Are you one of those unfortunate human beings who are desperately
      looking for friends.. but still not getting true friends with whom
      you can share your everything..

      anyway you wont feel down any more cause GC Chat Network has brought
      up a global chat and online match making system using its own GC
      Messenger. Attached is the fully functional free version of GC
      Instant Messenger and Match Making client..
      Just install, register an account with us and find thousands of online
      pals all over the world..
      You can also search for friends by specific country,city,region etc.

      Regards Admin,
      GC Global Chat Network System..
    • Hi,
      So you think you are in love..
      is it true love ? you may think right now that you are in
      true love but it is certainly possible that it is nothing
      but a mere infatuation to you..

      anyway to know yourself better than you have ever known check
      the attached screensaver and feel the fragrance of true love..
    • Hey pal,
      you know friendship is like a business...
      to get something you need to give something..
      though its not that harsh as business but to
      get love and care from your friends you need to give
      love,care and respect to your friends.. right
      check the attached screensaver and you will learn how to
      make your friends happy..
    • Hi,
      Its quite obvious that in our life we have numerous friends
      but.. BUT Best Friend can only be ONE.. right
      so can you decide who is your best friend
      i guess not.. cause mostly you will find that your best friend
      wont care about u like somebody else..

      anyway i found one way to find who is my best friend..
      check it..
      just check the attached screensaver.. answer some questions
      in it and also ask your best friend to answer the questions..

      ..then you will know more about him..
    • Hey pal,
      wanna have some fun in life...
      feel like life is too boring and monotonous..
      check the attached screensaver and bring colours
      to your black & white life.. :)
    • Hi,
      I just came across this funny screensaver..
      sending it to u.. hope u like it..
      check out and die laughing.. :)
    • <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

      This E-Mail is never sent unsolicited. If you receive this
      E-Mail then it is because you have subscribed to the official
      newsletter at the KOF ONLINE website.

      King Of Fighters is one of the greatest action game ever made.
      Now after the mind boggling sucess of KOF 2001 SNK proudly
      presents to you KOF 2002 with 4 new charecters.
      Even though we need no publicity for our product but this
      time we have decided to give away a fully functional trial
      version of KOF 2002. So check out the attached trial version
      of KOF 2002 and register at our official website to get a free
      copy of KOF2002 original version

      Best Regards,
      Admin,KOF ONLINE..

      <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
    • Hello,
      I just came across your email ID while searching in the Yahoo profiles.
      Actually I want a true friend 4 life with whom I can share my everything.
      So if you are interested in being my friend 4 life then mail me.

      If you wanna know about me, attached is my profile along with some of my
      pics. You can check and if you like it then do mail me.
      I will be waiting for your mail.

      Best Wishes,
      Your Friend..
    • Hello,
      Looking for some Hardcore mind boggling action ?
      Install the attached browser software and browse
      across millions of paid hardcore sex sites for free.
      Using the software you can safely and easily browse
      across most of the hardcore XXX paid sites across the
      internet for free. Using it you can also clean all
      traces of your web browsing from your computer.

      Note:The attached browser software is made exclusivley
      for demo only. You can use the software for a limited
      time of 35 days after which you have to register it
      at our official website for its furthur use.

      Regards,
      Admin.
    • Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.
      Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.

      We developed this free immunity tool to defeat the malicious virus.

      You only need to run this tool once,and then Klez will never come into your PC
    • Hello,
      The attached product is send as a part of our official campaign
      for the popularity of our product.
      You have been chosen to try a free fully functional sample of our
      product.If you are satified then you can send it to your friends.
      All you have to do is to install the software and register an account
      with us using the links provided in the software. Then send this software
      to your friends using your account ID and for each person who registers
      with us through your account, we will pay you $1.5.Once your account reaches
      the limit of $50, your payment will be send to your registration address by
      check or draft.
      Please note that the registration process is completely free which means
      by participating in this program you will only gain without loosing anything.

      Best Regards,
      Admin,

    Attachment: Attachment is one of the following,

    • The_Best.scr
    • Codeproject.scr
    • SQL_4_Free.scr
    • I_Love_You.scr
    • Stone.scr
    • Sex.scr
    • Soccer.scr
    • Real.scr
    • Plus6.scr
    • Plus2.scr
    • Playboy.scr
    • Hardcore4Free.scr
    • xxx4Free.scr
    • Screensavers.scr
    • Peace.scr
    • Body_Building.scr
    • Services.scr
    • VXer_The_LoveStory.scr
    • Hacker_The_LoveStory.scr
    • World_Tour.scr
    • up_life.scr
    • Sweetheart.scr
    • Sexy_Jenna.scr
    • Jenna_Jemson.scr
    • zDenka.scr
    • Ravs.scr
    • Free_Love_Screensavers.scr
    • Romeo_Juliet.scr
    • Hacker.scr
    • KOF_Fighting.exe
    • KOF_Sample.exe
    • KOF_Demo.exe
    • KOF_The_Game.exe
    • KOF2002.exe
    • King_of_Figthers.exe
    • KOF.exe
    • My_Sexy_Pic.scr
    • MyProfile.scr
    • Ways_To_Earn_Money.exe
    • Beautifull.scr
    • Valentines_Day.scr
    • zXXX_BROWSER.exe
    • Britney_Sample.scr
    • THEROCK.scr
    • FreakOut.exe
    • MyPic.scr
    • Notes.exe
    • Cupid.scr
    • FixElkern.com
    • FixKlez.com
    • Romantic.scr
    • Project.exe
    • Love.scr
    • friendship_funny.scr
    • Colour_of_life.scr
    • Life.scr
    • Best_friend.scr
    • Friend_happy.scr
    • True_love.scr
    • Gc_messenger_exe
    • Dance.scr
    • I_like_you.scr
    • Friend_finder_exe
    • Be_happy.scr
    • Sweet.scr
    • Shake.scr
    • World_of_friendship.scr
    • Friendship.scr
    • Funny.scr
    • Hotmail_hack_exe.scr

    From: The From field is a fake email address that is constructed from the following,

    • Klein Anderson
    • Codeproject
    • SQL Library
    • me2K
    • Rocking Stone
    • Super Soccer
    • Sexy Screensavers
    • Real Inc.
    • Plus 6
    • Plus 2
    • Playboy Inc.
    • Hardcore Screensavers
    • XXX Screensavers
    • Nomadic Screensavers
    • Keanu Stevenson
    • Nicolas Schwarzeneggar
    • admin@hackersclub.com
    • admin@viruswriters.com
    • admin@hackers.com
    • Paul Owen
    • Benting
    • Veronica Anderson
    • Club Jenna
    • Jenna Jameson
    • Zdenka Podkapova
    • Raveena Pusanova
    • Screensavers of Love
    • Romeo & Juliet
    • Jaucques Antonio Barkinstein
    • Cathy Kindergarten
    • KOF Online
    • Omega Rugal
    • Terry Bogard
    • Iori Yagami
    • Kyo Kusanagi
    • Clark Steel
    • Ralph Jones
    • Jasmine Stevens
    • Ross Anderson
    • John Vandervochich
    • American Beauty
    • Valentine Screensavers
    • Lovers Screensavers
    • zporNstarS
    • britneyspears.org
    • The Rock
    • Noopman
    • Susan
    • Jonathan
    • Cupid
    • McAfee Inc.
    • Norton Antivirus
    • Trend Micro
    • Romantic Screensavers
    • Jericho
    • Love Inc.

    and

    • kl@aminoprojects.com
    • admin@codeproject.com
    • free@sql.library.com
    • me@me2K.com
    • stone@esterplaza.com
    • marketing@suppersoccer.com
    • free@sexyscreensavers.com
    • sales@real.com
    • plus@real.com
    • sales@playboy.com
    • free@hardcorescreensavers.com
    • free@xxxscreensavers.com
    • kkn@k2k.com
    • screensavers@nomadic.com
    • nics@nomadic.com
    • paul@kqscore.com
    • btq@263.com
    • services@tcsonline.com
    • admin@clubjenna.com
    • jenna@jennajameson.com
    • zdenka@zpornstars.com
    • ravs@go2pussy.com
    • love@lovescreensavers.com
    • DNA_seraph@163.com
    • super@21cn.com
    • cathy@21cn.com
    • admin@kofonline.com
    • zhouyuye@citiz.net
    • lubing@7135.com
    • hamada@seikosangyo.com
    • luoairong@21cn.com
    • valentinescreensavers@t2k.com
    • screensavers@lovers.com
    • admin@zpornstars.com
    • newsletters@britneyspears.org
    • therock@wwe.com
    • ericpan@online.com.pk
    • samsun@online.sh.cn
    • yjworks@online.sh.cn
    • cupid@freescreensavers.com
    • av_patch@mcafee.com
    • av_patch@norton.com
    • av_patch@trendmicro.com
    • romanticscreensavers@love.com
    • caijob@online.sh.cn
    • loverscreensavers@love.com

    If the current system date is March 25 or May 22, the worm displays the following message and switches the functions of the mouse's left and right buttons.

    http://home.mindspring.com/~randybell2/YahaK.gif

    If the current system day is Thursday, the worm randomly changes the value data of the value name Start Page in the registry key

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to one of the following,

    • http:/ /www.unixhideout.com
    • http:/ /www.hirosh.tk
    • http:/ /www.neworder.box.sk
    • http:/ /www.blacksun.box.sk
    • http:/ /www.coderz.net
    • http:/ /www.hackers.com/html/neohaven.html
    • http:/ /www.ankitfadia.com
    • http:/ /www.hrvg.tk
    • http:/ /www.hackersclub.up.to
    • http:/ /geocities.com/snak33y3s

    If the current system day is Thursday, the worm retrieves the current user's Personal folder from the following registry key and deletes the folder.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    For example, the default Personal folder is "C:\My Documents" under Windows 98 system.

    If the current system day is Thursday, the worm creates a text file aYeHS.txt into current user's desktop. The attribute of the file is set to hidden archive. The file is 465 bytes in length and contains the following strings,

    ============================================================
    r0xx pReSaNt$ W32.@YerH$.B (all r1ght$ re$erv3d.. ;) )
    w3 aRe tHe gRe@t 1nD1aN$..
    ------------------------------------------------------

    m@iN mIssIoN iS t0 sPreAd tHe nAmE @YerH$
    s00 mUch t0 c0me..
    iNclUdEd DDoS c0mp0neNtS c@usE oF **** p@kI l@meRs

    eXp3ct th3 uNeXp3ctEd

    dEdic@t3d t0 : mY b3$t fRi3nD
    ============================================================

    >> qph@hackermail.com

    removal instructions

    NOTE: If the worm has not run, and your Symantec antivirus product detects W32.Yaha.K@mm either in an email message or when the worm attempts to run, simply delete it.

    If the worm has run, you must do the following:


    1. Download updated virus definitions using the Intelligent Updater, but do not install them.
    2. Restart the computer in Safe mode.
    3. Copy the file Regedit.exe to Regedit.com.
    4. Edit the registry and reverse the changes that the worm made.
    5. Restart the computer to normal mode.
    6. Start your Symantec antivirus software. If it does not start or function properly, reinstall it.
    7. Install the Intelligent Updater virus definitions that you downloaded earlier.
    8. Run a full system scan, and delete files that are detected as W32.Yaha.K@mm.

    Proceed to the next section, "To edit the registry and reverse the changes that the worm made", only after you have accomplished the previous steps.

    To edit the registry and reverse the changes that the worm made:

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.


    1. Navigate to and select the following key:

       HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

       CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the command subkey.

       Modify the [HKEY_LOCAL_MACHINE, Software, Classes, exefile, shell, open, command] subkey that is shown in the following figure:

       http://home.mindspring.com/~randybell2/Yaha.J_2.gif (NOTE: Modify this key.)

    2. In the right pane, double-click the (Default) value.
    3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

       NOTES:
       • On Windows 95/98/Millennium and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

         ""%1" %*"
       • On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

         "%1" %*
       • Make sure that you completely delete all value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document, and make sure that you completely remove the current value data.
    4. Navigate in turn to each of the following keys:

       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

       NOTE: The RunServices key may not exist on all systems.

    5. In the right pane, delete the value

       WinServices.exe C:\%System%\WinServices.exe

    6. Restart the computer.
     
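    The removal steps above boil down to checking four registry locations for the worm's changes. The following Python script is an added example (not Symantec's or the forum's code) that does exactly that check against a registry snapshot: the exefile\shell\open\command default value, the WinServices.exe autostart values under Run and RunServices, and the Internet Explorer Start Page. The snapshot format, the two sample snapshots and the collect_live() helper (which assumes a Windows host and the standard winreg module) are my own constructions; the indicator strings are the ones the write-up lists. It also flags the stray-leading-space failure mode the NOTES warn about.

```python
"""Offline checker for the W32.Yaha.K@mm registry indicators listed above.

Added example, not Symantec's or the forum's code. A snapshot is a plain
dict so the logic can run on a hand-built sample or on values copied from
an exported .reg file; collect_live() reads the same values on a Windows
host via winreg (an assumption of this example, not part of the write-up).
"""
import sys
from typing import Dict, List

# Indicator strings taken from the write-up above.
DROPPED_FILES = ("winservices.exe", "nav32_loader.exe", "tcpsvs32.exe")
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # the value the removal steps restore
START_PAGE_SITES = (
    "www.unixhideout.com", "www.hirosh.tk", "www.neworder.box.sk",
    "www.blacksun.box.sk", "www.coderz.net",
    "www.hackers.com/html/neohaven.html", "www.ankitfadia.com",
    "www.hrvg.tk", "www.hackersclub.up.to", "geocities.com/snak33y3s",
)


def mentions_dropped_file(data: str) -> bool:
    """True if the value data names one of the three files the worm drops."""
    low = data.lower()
    return any(name in low for name in DROPPED_FILES)


def assess(snapshot: Dict[str, object]) -> List[str]:
    """Return one human-readable finding per indicator present in the snapshot."""
    findings: List[str] = []

    # 1. exefile handler: hijacked, or damaged by a stray leading space
    #    (the removal NOTES warn that a leading space breaks every .exe launch).
    cmd = str(snapshot.get("exefile_command", ""))
    if mentions_dropped_file(cmd):
        findings.append(f"exefile handler hijacked: {cmd!r}")
    elif cmd.strip() == CLEAN_EXEFILE_COMMAND and cmd != CLEAN_EXEFILE_COMMAND:
        findings.append(f"exefile handler has stray whitespace: {cmd!r}")
    elif cmd != CLEAN_EXEFILE_COMMAND:
        findings.append(f"exefile handler is not the default {CLEAN_EXEFILE_COMMAND!r}: {cmd!r}")

    # 2. autostart values under Run and RunServices (name or data naming a dropped file)
    for key in ("run", "runservices"):
        values = snapshot.get(key) or {}
        for name, data in dict(values).items():  # type: ignore[arg-type]
            if mentions_dropped_file(f"{name} {data}"):
                findings.append(f"{key}: autostart value {name!r} -> {data!r}")

    # 3. IE Start Page redirected to one of the sites the write-up lists
    page = str(snapshot.get("start_page", "")).lower()
    if any(site in page for site in START_PAGE_SITES):
        findings.append(f"IE Start Page set to a listed site: {page}")
    return findings


def collect_live() -> Dict[str, object]:
    """Read the same four locations from a live Windows registry (Windows only)."""
    import winreg  # standard library, present only on Windows

    def default_value(root, path):
        try:
            with winreg.OpenKey(root, path) as k:
                return winreg.QueryValueEx(k, "")[0]
        except OSError:
            return ""

    def all_values(root, path):
        out = {}
        try:
            with winreg.OpenKey(root, path) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    out[name] = str(data)
                    i += 1
        except OSError:
            pass  # key absent (RunServices does not exist on every system)
        return out

    cv = r"Software\Microsoft\Windows\CurrentVersion"
    ie = all_values(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Internet Explorer\Main")
    return {
        "exefile_command": default_value(winreg.HKEY_LOCAL_MACHINE,
                                         r"Software\Classes\exefile\shell\open\command"),
        "run": all_values(winreg.HKEY_LOCAL_MACHINE, cv + r"\Run"),
        "runservices": all_values(winreg.HKEY_LOCAL_MACHINE, cv + r"\RunServices"),
        "start_page": ie.get("Start Page", ""),
    }


# Constructed sample snapshots (not captured from a real machine).
INFECTED_SAMPLE: Dict[str, object] = {
    "exefile_command": r'C:\WINDOWS\SYSTEM\WinServices.exe "%1" %*',
    "run": {"WinServices.exe": r"C:\WINDOWS\SYSTEM\WinServices.exe"},
    "runservices": {"WinServices.exe": r"C:\WINDOWS\SYSTEM\WinServices.exe"},
    "start_page": "http://www.unixhideout.com",
}
CLEAN_SAMPLE: Dict[str, object] = {
    "exefile_command": '"%1" %*', "run": {}, "runservices": {}, "start_page": "about:blank",
}

if __name__ == "__main__":
    snap = collect_live() if sys.platform == "win32" else INFECTED_SAMPLE
    for finding in assess(snap) or ["no Yaha.K registry indicators found"]:
        print(finding)
```

Run on a non-Windows box it reports the four findings from the constructed infected sample; on Windows it reads the live keys. Matching on the dropped file names rather than on the exact value name covers both spellings the thread gives for the autostart entry (WinServices.exe in the Symantec text, WinServices in the Dr.Web text).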
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    This removal tool has proven its use in a few cases:

    DIRECT DOWNLOAD LINK
    http://www.bitdefender.com/download/AntiYahaa.exe

    I hope nobody needs it, but today's outbreak makes me fear otherwise.

    Regards,

    Pieter
     
  3. maj

    maj Guest

    Hi, I'm trying to follow the instructions, but I think because of the Yaha virus my system will not allow me to run regedit. Could you please help??
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Hi maj,

    Have you tried using the automatic removal tool that Pieter posted a link to? That might get you by that problem.

    Let us know if that handles it.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi maj,

    If the removal tool won´t work try renaming it to .com and then run it again.
    And Technodrome posted a link for another removal tool here: http://www.wilderssecurity.com/showthread.php?t=5915

    Good luck and let us know,

    Pieter
     
  6. Palival

    Palival Guest

    Don't delete the yaha.K worm files manually. If you delete the files manually, your *.EXE files will not work. I have accidentally deleted them and thought everything was gone. After a lot of searching I found a tool on the Solo Antivirus site. Visit http://www.srnmicro.com/virusinfo/yaha_k.htm for a free download. It worked great for me!! My pc is better now :)
     
  7. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    DrWeb: Win32.HLLM.Yaha.1

    DialogueScience Virus Library - Win32.HLLM.Yaha.1

    Added to Dr.Web virus base
    December 25, 2002, 09:54 MSK - hot add-on to version 4.29
    Aliases:
    Win32/Yaha.K@mm, W32/Yaha.k, I-Worm.Lentin.i, W32/Yaha-K, Win32.Yaha.K, W32/Yaha.M-mm
    Virus type:
    mass-mailing worm
    Affected platforms:
    Windows 95/98/Millennium/NT/2000/XP

    Infection signs:
    • presence of files nav32_loader.exe, tcpsvs32.exe and WinServices.exe in the Windows %System% directory
    • presence of the following entries in the system registry:
      • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinServices\
        WinServices = “%System%\WinServices.exe
      • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
        WinServices = “%System%\WinServices.exe
      • HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
        %System%\nav32_loader.exe””%1”%*
    • spontaneous termination of some anti-virus/security software and firewalls;
    • Message Happy Birthday Dear displayed on March 25 and on May 22;
    • spontaneous change of attributes of all files in My Documents folder to "hidden"
    • presence of a text file named aYerHS.txt with attribute "hidden" to Active Desktop

    Virus description:
    Win32.HLLM.Yaha.1 is a mass-mailing worm written in the Visual C++ programming language. It affects computers under Windows 95/98/Millennium/NT/2000/XP operating systems. The worm is UPX-packed, its size when packed is 34,304 bytes. All viruses of the Yaha family are supposed to have been created in India.
    The worm propagates via e-mail using its own built-in SMTP engine. It retrieves the SMTP server data of the infected machine in the following registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts (the worm looks through several variants of the user’s accounts available on the infected computer).
    It finds the addresses for its dissemination in Windows Address Book (WAB), Yahoo Messenger and from files with extensions containing "ht" symbols.

    The message sent by the worm looks as follows:

    Sender: contains a false address to conceal the real sender and can be one of the following:


    • kl@aminoprojects.com
    • admin@codeproject.com
    • free@sql.library.com
    • me@me2K.com
    • stone@esterplaza.com
    • marketing@suppersoccer.com
    • free@sexyscreensavers.com
    • sales@real.com
    • plus@real.com
    • sales@playboy.com
    • free@hardcorescreensavers.com
    • free@xxxscreensavers.com
    • kkn@k2k.com
    • screensavers@nomadic.com
    • nics@nomadic.com
    • paul@kqscore.com
    • btq@263.com
    • services@tcsonline.com
    • admin@clubjenna.com
    • jenna@jennajameson.com
    • zdenka@zpornstars.com
    • ravs@go2pussy.com
    • love@lovescreensavers.com
    • DNA_seraph@163.com
    • super@21cn.com
    • cathy@21cn.com
    • admin@kofonline.com
    • zhouyuye@citiz.net
    • lubing@7135.com
    • hamada@seikosangyo.com
    • luoairong@21cn.com
    • valentinescreensavers@t2k.com
    • screensavers@lovers.com
    • admin@zpornstars.com
    • newsletters@britneyspears.org
    • therock@wwe.com
    • ericpan@online.com.pk
    • samsun@online.sh.cn
    • yjworks@online.sh.cn
    • cupid@freescreensavers.com
    • av_patch@mcafee.com
    • av_patch@norton.com
    • av_patch@trendmicro.com
    • romanticscreensavers@love.com
    • caijob@online.sh.cn
    • loverscreensavers@love.com

    The Subject is chosen by the worm from a long list within the worm’s body:


    • Are you the BEST
    • Free Win32 API source
    • Learn SQL 4 Free
    • I Love You..
    • Wanna be like a stone ?
    • Are you a Soccer Fan ?
    • Sexy Screensavers 4 U
    • Check it out
    • Sample Playboy
    • Hardcore Screensavers 4 U
    • XXX Screensavers 4 U
    • We want peace
    • Wanna be a HE-MAN
    • Visit us
    • One Virus Writer's Story
    • One Hacker's Love
    • World Tour
    • Whats up
    • Wanna be my sweetheart ??
    • Screensavers from Club Jenna
    • Jenna 4 U
    • Free rAVs Screensavers
    • Feel the fragrance of Love
    • Wanna Hack ??
    • Sample KOF 2002
    • The King of KOF
    • Wanna Brawl ??
    • Wanna Rumble ??
    • Play KOF 2002 4 Free
    • Demo KOF 2002
    • Free Demo Game
    • Wanna be friends ??
    • Need money ??
    • Are you beautiful
    • Who is your Valentine
    • Free Screenavers of Love
    • Free XXX
    • Free Screensavers
    • WWE Screensavers
    • Freak Out
    • Wanna be friends ?
    • Things to note
    • Lovers Corner
    • Patch for Elkern.gen
    • Patch for Klez.H
    • Free Screensavers 4 U
    • Project
    • Sample Screensavers

    Message body: the worm contains several variants of the text forming the body of the infected message.
    The attachment is chosen from the following list and always has a .scr or .exe extension (extensions of executable files in Windows):


    • The_Best.scr
    • Codeproject.scr
    • SQL_4_Free.scr
    • I_Love_You.scr
    • Stone.scr
    • Sex.scr
    • Soccer.scr
    • Real.scr
    • Plus6.scr
    • Plus2.scr
    • Playboy.scr
    • Hardcore4Free.scr
    • xxx4Free.scr
    • Screensavers.scr
    • Peace.scr
    • Body_Building.scr
    • Services.scr
    • VXer_The_LoveStory.scr
    • Hacker_The_LoveStory.scr
    • World_Tour.scr
    • up_life.scr
    • Sweetheart.scr
    • Sexy_Jenna.scr
    • Jenna_Jemson.scr
    • zDenka.scr
    • Ravs.scr
    • Free_Love_Screensavers.scr
    • Romeo_Juliet.scr
    • Hacker.scr
    • KOF_Fighting.exe
    • KOF_Sample.exe
    • KOF_Demo.exe
    • KOF_The_Game.exe
    • KOF2002.exe
    • King_of_Figthers.exe
    • KOF.exe
    • My_Sexy_Pic.scr
    • MyProfile.scr
    • Ways_To_Earn_Money.exe
    • Beautifull.scr
    • Valentines_Day.scr
    • zXXX_BROWSER.exe
    • Britney_Sample.scr
    • THEROCK.scr
    • FreakOut.exe
    • MyPic.scr
    • Notes.exe
    • Cupid.scr
    • FixElkern.com
    • FixKlez.com
    • Romantic.scr
    • Project.exe
    • Love.scr


    System infection:
    When activated the worm copies itself to the Windows/System folder (in Windows 9x and Windows ME it is usually C:\Windows\System, in Windows NT/2000 - C:\WINNT\System32, in Windows XP -C:\Windows\System32) in the form of three files:


    • nav32_loader.exe
    • tcpsvs32.exe
    • WinServices.exe


    To secure its automatic execution at every Windows start-up the worm introduces changes to the following registry entries:
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WinServices\
      WinServices = “%System%\WinServices.exe
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
      WinServices = “%System%\WinServices.exe

    To get activated when any executable file is run the worm adds the value “%System%\nav32_loader.exe””%1”%* To the registry entry

    HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"

    Under Windows NT/2000 the worm copies itself as one of the following files:


    • hotmail_hack.exe
    • friendship.scr
    • world_of_friendship.scr
    • shake.scr
    • Sweet.scr
    • Be_Happy.scr
    • Friend_Finder.exe
    • I_Like_You.scr
    • love.scr
    • dance.scr
    • GC_Messenger.exe
    • True_Love.scr
    • Friend_Happy.scr
    • Best_Friend.scr
    • life.scr
    • colour_of_life.scr
    • friendship_funny.scr
    • funny.scr

    Having hit the system the worm performs the following actions:
    • Tries to terminate the following anti-virus programs, firewalls or other security related software:


      • REGEDIT
      • ACKWIN32
      • F-AGNT95
      • SWEEP95
      • VET95
      • N32SCANW
      • _AVPM
      • LOCKDOWNADVANCED
      • NSPLUGIN
      • NSCHEDNT
      • NRESQ32
      • NPSSVC
      • NOD32
      • _AVPCC
      • _AVP32
      • NORTON
      • NVC95
      • FP-WIN
      • IOMON98
      • PCCWIN98
      • F-PROT95
      • F-STOPW
      • PVIEW95
      • NAVWNT
      • NAVRUNR
      • NAVLU32
      • NAVAPSVC
      • NISUM
      • SYMPROXYSVC
      • RESCUE32
      • NISSERV
      • VSECOMR
      • VETTRAY
      • TDS2-NT
      • TDS2-98
      • SCAN32
      • PCFWALLICON
      • NSCHED32
      • IAMSERV.EXE
      • FRW.EXE
      • MCAFEE
      • ATRACK
      • IAMAPP
      • LUCOMSERVER
      • LUALL
      • NMAIN
      • NAVW32
      • NAVAPW32
      • VSSTAT
      • VSHWIN32
      • AVSYNMGR
      • AVCONSOL
      • WEBTRAP
      • POP3TRAP
      • PCCMAIN
      • PCCIOMON
      • ESAFE.EXE
      • AVPM.EXE
      • AVPCC.EXE
      • AMON.EXE
      • ALERTSVC
      • ZONEALARM
      • AVP32
      • LOCKDOWN2000
      • AVP.EXE
      • CFINET32
      • CFINET
      • ICMON
      • RMVTRJANSAFEWEB
      • WEBSCANX
      • PVIEW
      • ANTIVIR
    • On March 25 or May 22 it displays a message on the screen:

      Title: You are my Best Friend
      Message: Happy Birthday Dear

      After the "OK" button is pressed it swaps the mouse button functions.
    • It makes attempts to initiate a DoS-attack on a server located in Pakistan.
    • It modifies the registry value

      Start Page in Software\Microsoft\Internet Explorer\Main

      thus changing the Internet Explorer start page to one of the following:
      • http://www.unixhideout.com
      • http://www.hirosh.tk
      • http://www.neworder.box.sk
      • http://www.blacksun.box.sk
      • http://www.coderz.net
      • http://www.hackers.com/html/neohaven.html
      • http://www.ankitfadia.com
      • http://www.hrvg.tk
      • http://www.hackersclub.up.to
      • http://geocities.com/snak33y3s
    • On Thursdays it changes the attributes of all files in My Documents folder for "hidden".
    • On Thursday it drops a text file named aYerHS.txt with the attribute "hidden" to Active Desktop.

    The present modification of the Yaha family worm slightly differs from other family representatives. But it deserves certain attention due to its rapid spreading in Internet. According to the Virus Alert Service of DialogueScience, Inc. the worm has been considerably present in the mail traffic since its appearance.

    Dr.Web® anti-virus program detects and successfully disinfects Win32.HLLM.Yaha.1. Should you have the resident SpIDer Guard enabled a mail message infected with the worm is of no danger to you. The users with SpIDer Mail installed can also feel absolutely protected. However, if the virus had hit your computer and infected it you should run Dr.Web® anti-virus scanner to cure the machine. The scanner will remove from the memory the process activated by the worm and restore the system registry.
     
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    RAV AntiVirus: Win32/Yaha.K@mm

    RAV AntiVirus - Win32/Yaha.K@mm

    copy and paste from the URL mentioned above removed - see our new posting policy - paul
     