W32.Yaha.M@mm

Discussion in 'malware problems & news' started by Randy_Bell, Jan 7, 2003.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Symantec Security Response - W32.Yaha.M@mm

    The W32.Yaha.M@mm worm is a variant of W32.Yaha.L@mm. This variant of the worm terminates some antivirus and firewall processes. This worm uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT. The email message has a randomly chosen subject line, message, and attachment.

    This threat is written in the Microsoft C++ language and is compressed with UPX. The uncompressed size is about 60 KB.

    Also Known As: W32/Yaha.M@mm [McAfee]
    Type: Worm
    Infection Length: 28,672 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    technical details

    When W32.Yaha.M@mm runs, it does the following:


    • 1. Displays this fake message:

      http://home.mindspring.com/~randybell2/Yaha_M_1.gif

      2. Copies itself as the following files and sets the attribute of the files to Hidden:
      • C:\%System%\WinServices.exe.
      • C:\%System%\Nav32_loader.exe
      • C:\%System%\Tcpsvs32.exe

      NOTE: %System% is a variable. The worm locates the Windows system folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Millenium), C:\Winnt\System32 (Windows 2000/NT/), or C:\Windows\System32 (Windows XP).

      3. Adds the value:

      • WinServices C:\%System%\WinServices.exe

        to the registry keys:

        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
        CurrentVersion\RunServices

        so that the worm runs when you start Windows.

      4. Configures itself to run each time an .exe file runs, by changing the (Default) value of the registry key:

      HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
      ommand

      to:

      C:\%System%\Nav32_loader.exe"%1 %*

      5. Creates the WinServices mutex. This mutex allows only one instance of the worm to execute in memory.

      6. May also copy itself to the \Windows\System folder as one of the following files:
      • Hotmail_hack.exe
      • Friendship.scr
      • World_of_friendship.scr
      • Shake.scr
      • Sweet.scr
      • Be_happy.scr
      • Friend_finder.exe
      • I_like_you.scr
      • Love.scr
      • Dance.scr
      • Gc_messenger.exe
      • True_love.scr
      • Friend_happy.scr
      • Best_friend.scr
      • Life.scr
      • Colour_of_life.scr
      • Friendship_funny.scr
      • Funny.scr

      7. Attempts to end the processes of popular antivirus and firewall programs. The worm inventories the active processes, and if the name of the process contains one of the following, it attempts to end the process:
      • ACKWIN32
      • F-AGNT95
      • SWEEP95
      • VET95
      • N32SCANW
      • _AVPM
      • LOCKDOWNADVANCED
      • NSPLUGIN
      • NSCHEDNT
      • NRESQ32
      • NPSSVC
      • NOD32
      • _AVPCC
      • _AVP32
      • NORTON
      • NVC95
      • FP-WIN
      • IOMON98
      • PCCWIN98
      • F-PROT95
      • F-STOPW
      • PVIEW95
      • NAVWNT
      • NAVRUNR
      • NAVLU32
      • NAVAPSVC
      • NISUM
      • SYMPROXYSVC
      • RESCUE32
      • NISSERV
      • VSECOMR
      • VETTRAY
      • TDS2-NT
      • TDS2-98
      • SCAN32
      • PCFWALLICON
      • NSCHED32
      • IAMSERV.EXE
      • FRW.EXE
      • MCAFEE
      • ATRACK
      • IAMAPP
      • LUCOMSERVER
      • LUALL
      • NMAIN
      • NAVW32
      • NAVAPW32
      • VSSTAT
      • VSHWIN32
      • AVSYNMGR
      • AVCONSOL
      • WEBTRAP
      • POP3TRAP
      • PCCMAIN
      • PCCIOMON
      • ESAFE.EXE
      • AVPM.EXE
      • AVPCC.EXE
      • AMON.EXE
      • ALERTSVC
      • ZONEALARM
      • AVP32
      • LOCKDOWN2000
      • AVP.EXE
      • CFINET32
      • CFINET
      • ICMON
      • RMVTRJANSAFEWEB
      • WEBSCANX
      • PVIEW
      • ANTIVIR

        Additionally, if the infected computer is a Windows NT/2000/XP system, the worm will automatically terminate the Windows Task Manager program from memory.

      8. Attempts to perform a Denial of Service (DoS) attack against the Web site: www.infopak.gov.pk

    Email Routine Details

    The worm uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT. It attempts to use the infected computer's default SMTP server to send mail. If the worm cannot find this information, then it uses one of the many SMTP server addresses, which are hard-coded into the worm. The email message has the following characteristics:

    Subject: The subject line is one of the following:

    • Are you the BEST
    • Free Win32 API source
    • Learn SQL 4 Free
    • I Love You..
    • Wanna be like a stone ?
    • Are you a Soccer Fan ?
    • Sexy Screensavers 4 U
    • Check it out
    • Sample Playboy
    • Hardcore Screensavers 4 U
    • XXX Screensavers 4 U
    • We want peace
    • Wanna be a HE-MAN
    • Visit us
    • One Virus Writer's Story
    • One Hacker's Love
    • World Tour
    • Whats up
    • Wanna be my sweetheart ??
    • Screensavers from Club Jenna
    • Jenna 4 U
    • Free rAVs Screensavers
    • Feel the fragrance of Love
    • Wanna Hack ??
    • Sample KOF 2002
    • The King of KOF
    • Wanna Brawl ??
    • Wanna Rumble ??
    • Play KOF 2002 4 Free
    • Demo KOF 2002
    • Free Demo Game
    • Wanna be friends ??
    • Need money ??
    • Are you beautiful
    • Who is your Valentine
    • Free Screenavers of Love
    • Free XXX
    • Free Screensavers
    • WWE Screensavers
    • Freak Out
    • Wanna be friends ?
    • Things to note
    • Lovers Corner
    • Patch for Elkern.gen
    • Patch for Klez.H
    • Free Screensavers 4 U
    • Project
    • Sample Screensavers
    • Are you in Love
    • I am in Love
    • I Love You
    • You are so sweet
    • The Hotmail Hack
    • U realy Want this
    • to ur lovers
    • to ur friends
    • Find a good friend
    • Learn How To Love
    • Are you looking for Love
    • Wowwwwwwwwwww check it
    • Check ur friends Circle
    • The world of Friendship
    • Shake it baby
    • How sweet this Screen saver
    • war Againest Loneliness
    • Need a friend?
    • Say 'I Like You' To ur friend
    • love speaks from the heart
    • Let's Dance and forget pains
    • Looking for Friendship
    • True Love
    • make ur friend happy
    • Who is ur Best Friend
    • hey check it yaar
    • Check this ****
    • Hello
    • Hi

    Message: The message can be one of the following:

    • hey,
      did u always dreamnt of hacking ur friends hotmail account..
      finally i got a hotmail hack from the internet that really works..
      ur my best friend thats why sending to u..
      check it..just run it..enter victim's address and u will get the pass.
    • hi,
      check the attached love screensaver
      and feel the fragrance of true love..
    • Hi,
      check the attached screensaver..
      its really wonderfool..
      i got it from freescreensavers.com
    • Hi,
      check ur friends circle using the attached friendship screensaver..
      check the attached screensaver
      and if u like it send it to all those you consider
      to be true friends... if it comes back to you then
      you will know that you have a circle of friends..
    • Hi,
      check the attached screensaver
      and enjoy the world of friendship..
    • Hi,
      are u in a rocking mood...
      check the attached scrennsaver and start shaking..
    • Hi,
      Check the attached screensaver..
    • Hi,
      Are you lonely ??..
      check the attached screensaver and
      forget the pain of loneliness
    • Hi,
      Looking for online pals..
      check the attached friend finder software..
    • Hi,
      sending you a screensaver..
      check it and let me know how it is...
    • Hi,
      Check the attached screensaver
      and feel the fragrance of true love...
    • Hey,
      I just got this wonderfull screensaver from freescreensaver.com..
      Just check it out and let me know how it is..
      I just came across it.. check out..
      =====================================================================
      Are you one of those unfortunate human beings who are desperately
      looking for friends.. but still not getting true friends with whom
      you can share your everything..

      anyway you wont feel down any more cause GC Chat Network has brought
      up a global chat and online match making system using its own GC
      Messenger. Attached is the fully functional free version of GC
      Instant Messenger and Match Making client..
      Just install, register an account with us and find thousands of online
      pals all over the world..
      You can also search for friends by specific country,city,region etc.

      Regards Admin,
      GC Global Chat Network System..
    • Hi,
      So you think you are in love..
      is it true love ? you may think right now that you are in
      true love but it is certainly possible that it is nothing
      but a mere infatuation to you..

      anyway to know yourself better than you have ever known check
      the attached screensaver and feel the fragrance of true love..
    • Hey pal,
      you know friendship is like a business...
      to get something you need to give something..
      though its not that harsh as business but to
      get love and care from your friends you need to give
      love,care and respect to your friends.. right {BR>
      check the attached screensaver and you will learn how to
      make your friends happy..
    • Hi,
      Its quite obvious that in our life we have numerous friends
      but.. BUT Best Friend can only be ONE.. right {BR>so can you decide who is your best friend {BR>i guess not.. cause mostly you will find that your best friend
      wont care about u like somebody else..

      anyway i found one way to find who is my best friend..
      check it..
      just check the attached screensaver.. answer some questions
      in it and also ask your best friend to answer the questions..

      ..then you will know more about him..
    • Hey pal,
      wanna have some fun in life... {BR>feel like life is too boring and monotonous..
      check the attached screensaver and bring colours
      to your black & white life.. :)
    • Hi,
      I just came across this funny screensaver..
      sending it to u.. hope u like it..
      check out and die laughing.. :)
    • <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

      This E-Mail is never sent unsolicited. If you receive this
      E-Mail then it is because you have subscribed to the official
      newsletter at the KOF ONLINE website.

      King Of Fighters is one of the greatest action game ever made.
      Now after the mind boggling sucess of KOF 2001 SNK proudly
      presents to you KOF 2002 with 4 new charecters.
      Even though we need no publicity for our product but this
      time we have decided to give away a fully functional trial
      version of KOF 2002. So check out the attached trial version
      of KOF 2002 and register at our official website to get a free
      copy of KOF2002 original version

      Best Regards,
      Admin,KOF ONLINE..

      <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
    • Hello,
      I just came across your email ID while searching in the Yahoo profiles.
      Actually I want a true friend 4 life with whom I can share my everything.
      So if you are interested in being my friend 4 life then mail me.

      If you wanna know about me, attached is my profile along with some of my
      pics. You can check and if you like it then do mail me.
      I will be waiting for your mail.

      Best Wishes,
      Your Friend..
    • Hello,
      Looking for some Hardcore mind boggling action ?
      Install the attached browser software and browse
      across millions of paid hardcore sex sites for free.
      Using the software you can safely and easily browse
      across most of the hardcore XXX paid sites across the
      internet for free. Using it you can also clean all
      traces of your web browsing from your computer.

      Note:The attached browser software is made exclusivley
      for demo only. You can use the software for a limited
      time of 35 days after which you have to register it
      at our official website for its furthur use.

      Regards,
      Admin.
    • Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC
    • Hello,
      The attached product is send as a part of our official campaign
      for the popularity of our product.
      You have been chosen to try a free fully functional sample of our
      product.If you are satified then you can send it to your friends.
      All you have to do is to install the software and register an account
      with us using the links provided in the software. Then send this software
      to your friends using your account ID and for each person who registers
      with us through your account, we will pay you $1.5.Once your account reaches
      the limit of $50, your payment will be send to your registration address by
      check or draft.
      Please note that the registration process is completely free which means
      by participating in this program you will only gain without loosing anything.

      Best Regards,
      Admin,

    Attachment: The attachment is one of the following:

    • The_Best.scr
    • Codeproject.scr
    • SQL_4_Free.scr
    • I_Love_You.scr
    • Stone.scr
    • Sex.scrSoccer.scr
    • Real.scr
    • Plus6.scr
    • Plus2.scr
    • Playboy.scr
    • Hardcore4Free.scr
    • xxx4Free.scr
    • Screensavers.scr
    • Peace.scr
    • Body_Building.scr
    • Services.scr
    • VXer_The_LoveStory.scr
    • Hacker_The_LoveStory.scr
    • World_Tour.scr
    • up_life.scr
    • Sweetheart.scr
    • Sexy_Jenna.scr
    • Jenna_Jemson.scr
    • zDenka.scr
    • Ravs.scr
    • Free_Love_Screensavers.scr
    • Romeo_Juliet.scr
    • Hacker.scr
    • KOF_Fighting.exe
    • KOF_Sample.exe
    • KOF_Demo.exe
    • KOF_The_Game.exe
    • KOF2002.exe
    • King_of_Figthers.exe
    • KOF.exe
    • My_Sexy_Pic.scr
    • MyProfile.scr
    • Ways_To_Earn_Money.exe
    • Beautifull.scr
    • Valentines_Day.scr
    • zXXX_BROWSER.exe
    • Britney_Sample.scr
    • THEROCK.scr
    • FreakOut.exe
    • MyPic.scr
    • Notes.exe
    • Cupid.scr
    • FixElkern.com
    • FixKlez.com
    • Romantic.scr
    • Project.exe
    • Love.scr
    • friendship_funny.scr
    • Colour_of_life.scr
    • Life.scr
    • Best_friend.scr
    • Friend_happy.scr
    • True_love.scr
    • Gc_messenger_exe
    • Dance.scr
    • I_like_you.scr
    • Friend_finder_exe
    • Be_happy.scr
    • Sweet.scr
    • Shake.scr
    • World_of_friendship.scr
    • Friendship.scr
    • Funny.scr
    • Hotmail_hack_exe.scr

    From: The From field is a fake email address constructed from one of these:

    • Klein Anderson
    • Codeproject
    • SQL Library
    • me2K
    • Rocking Stone
    • Super Soccer
    • Sexy Screensavers
    • Real Inc.
    • Plus 6
    • Plus 2
    • Playboy Inc.
    • Hardcore Screensavers
    • XXX Screensavers
    • Nomadic Screensavers
    • Keanu Stevenson
    • Nicolas Schwarzeneggar
    • admin@hackersclub.com
    • admin@viruswriters.com
    • admin@hackers.com
    • Paul Owen
    • Benting
    • Veronica Anderson
    • Club Jenna
    • Jenna Jameson
    • Zdenka Podkapova
    • Raveena Pusanova
    • Screensavers of Love
    • Romeo & Juliet
    • Jaucques Antonio Barkinstein
    • Cathy Kindergarten
    • KOF Online
    • Omega Rugal
    • Terry Bogard
    • Iori Yagami
    • Kyo Kusanagi
    • Clark Steel
    • Ralph Jones
    • Jasmine Stevens
    • Ross Anderson
    • John Vandervochich
    • American Beauty
    • Valentine Screensavers
    • Lovers Screensavers
    • zporNstarS
    • britneyspears.org
    • The Rock
    • Noopman
    • Susan
    • Jonathan
    • Cupid
    • McAfee Inc.
    • Norton Antivirus
    • Trend Micro
    • Romantic Screensavers
    • Jericho
    • Love Inc.

    followed by one of these:

    • kl@aminoprojects.com
    • admin@codeproject.com
    • free@sql.library.com
    • me@me2K.com
    • stone@esterplaza.com
    • marketing@suppersoccer.com
    • free@sexyscreensavers.com
    • sales@real.com
    • plus@real.com
    • sales@playboy.com
    • free@hardcorescreensavers.com
    • free@xxxscreensavers.com
    • kkn@k2k.comscreensavers@nomadic.com
    • nics@nomadic.com
    • paul@kqscore.com
    • btq@263.com
    • services@tcsonline.com
    • admin@clubjenna.com
    • jenna@jennajameson.com
    • zdenka@zpornstars.com
    • ravs@go2pussy.com
    • love@lovescreensavers.com
    • DNA_seraph@163.com
    • super@21cn.com
    • cathy@21cn.com
    • admin@kofonline.com
    • zhouyuye@citiz.net
    • lubing@7135.com
    • hamada@seikosangyo.com
    • luoairong@21cn.com
    • valentinescreensavers@t2k.com
    • screensavers@lovers.com
    • admin@zpornstars.com
    • newsletters@britneyspears.org
    • therock@wwe.com
    • ericpan@online.com.pk
    • samsun@online.sh.cn
    • yjworks@online.sh.cn
    • cupid@freescreensavers.com
    • av_patch@mcafee.com
    • av_patch@norton.com
    • av_patch@trendmicro.com
    • romanticscreensavers@love.com
    • caijob@online.sh.cn
    • loverscreensavers@love.com

    Payload

    • If the system date is March 25 or May 22, the worm displays the following message and switches the functions of the left and right mouse buttons:

      http://home.mindspring.com/~randybell2/Yaha_M_2.gif
    • If the system day is Thursday, the worm performs these actions:

      • 1. Randomly changes the Value data of the Start Page value in the registry key:

        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

        to one of these:
        • http:/ /www.unixhideout.com
        • http:/ /www.hirosh.tk
        • http:/ /www.neworder.box.sk
        • http:/ /www.blacksun.box.sk
        • http:/ /www.coderz.net
        • http:/ /www.hackers.com/html/neohaven.html
        • http:/ /www.ankitfadia.com
        • http:/ /www.hrvg.tk
        • http:/ /www.hackersclub.up.to
        • http:/ /geocities.com/snak33y3s

        or to a similar Web site.

        2. Retrieves the location of the current user's Documents folder from the registry key:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
        Explorer\Shell Folders

        And, then it sets the attributes of this folder, all the subfolders in this folder, and all the files in this folder and its subfolders to Hidden. In most cases, this folder is the \My Documents folder.

    removal instructions

    NOTE: If the worm has not run, and your Symantec antivirus product detects W32.Yaha.M@mm either in an email message, or when the worm attempts to run, delete it.

    If the worm has run, do the following:


    • 1. Download the updated virus definitions using the Intelligent Updater, but do not install them.
      2. Restart the computer in Safe mode.
      3. Copy Regedit.exe to Regedit.com.
      4. Edit the registry and reverse the changes the worm made.
      5. Start your Symantec antivirus software. If it does not start or properly function, re-install it.
      6. Install the Intelligent Updater virus definitions you downloaded earlier (step 1).
      7. Run a full system scan and delete the files detected as W32.Yaha.M@mm

    4. Editing the registry and reversing the changes the worm made

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the specified keys. Read the document, "How to make a backup of the Windows registry" for instructions.


    • 1. Navigate to and select the following key:

      HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
      ommand

      CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the
      ommand subkey.

      Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
      ommand subkey, shown in the following figure:

      http://home.mindspring.com/~randybell2/Yaha.J_2.gif<<=== NOTE: Modify this key.

      2. In the right pane, double-click the (Default) value.
      3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

      NOTES:
      On Windows 95/98/Millenium and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

      ""%1" %*"

      On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

      "%1" %*

      Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document and make sure that you completely remove the current value data.

      4. Navigate in turn to each of the following keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\RunServices

      NOTE: The RunServices key may not exist on all the systems.

      5. In the right pane, delete the value

      WinServices C:\%System%\WinServices.exe


      6. Exit the registry editor.
     
    Randy_Bell, Jan 7, 2003
    #1
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    McAfee: W32/Yaha.m

    McAfee Security - W32/Yaha.m

    Name: W32/Yaha.m
    Risk Assessment
    - Home Users: Low
    - Corporate Users: Low
    Date Discovered: 1/6/2003
    Date Added: 1/6/2003
    Origin: Unknown
    Length: 28,672 bytes (UPX packed)
    Type: Virus
    SubType: E-mail worm
    DAT Required: 4241

    Virus Characteristics

    This worm propagates via email using its own built-in SMTP engine. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against a remote machine (the target is hard-coded within the worm).

    Unlike previous W32/Yaha variants, this variant displays a fake error message when first executed on the victim machine:

    http://vil.nai.com/images/99943.gif

    The worm arrives as an attachment to a message formatted as follows:

    From: The from address may be forged (or spoofed) by the virus in such a way that the apparent sender is not the actual sender. The virus caries a list of addresses that it uses as the from address:

    • admin@codeproject.com
    • free@sql.library.com
    • me@me2K.com
    • stone@esterplaza.com
    • marketing@suppersoccer.com
    • free@sexyscreensavers.com
    • sales@real.com
    • plus@real.com
    • sales@playboy.com
    • free@hardcorescreensavers.com
    • free@xxxscreensavers.com
    • kkn@k2k.com
    • screensavers@nomadic.com
    • nics@nomadic.com
    • paul@kqscore.com
    • btq@263.com
    • services@tcsonline.com
    • admin@clubjenna.com
    • jenna@jennajameson.com
    • zdenka@zpornstars.com
    • ravs@go2pussy.com
    • love@lovescreensavers.com
    • DNA_seraph@163.com
    • super@21cn.com
    • cathy@21cn.com
    • admin@kofonline.com
    • zhouyuye@citiz.net
    • lubing@7135.com
    • hamada@seikosangyo.com
    • luoairong@21cn.com
    • valentinescreensavers@t2k.com
    • screensavers@lovers.com
    • admin@zpornstars.com
    • newsletters@britneyspears.org
    • therock@wwe.com
    • ericpan@online.com.pk
    • samsun@online.sh.cn
    • yjworks@online.sh.cn
    • cupid@freescreensavers.com
    • av_patch@mcafee.com
    • av_patch@norton.com
    • av_patch@trendmicro.com
    • romanticscreensavers@love.com
    • caijob@online.sh.cn
    • loverscreensavers@love.com

    Subject: (chosen from the following list:)

    • Are you a Soccer Fan ?
    • Are you beautiful
    • Are you the BEST
    • Check it out
    • Demo KOF 2002
    • Feel the fragrance of Love
    • Freak Out
    • Free Demo Game
    • Free rAVs Screensavers
    • Free Screenavers of Love
    • Free Screensavers
    • Free Screensavers 4 U
    • Free Win32 API source
    • Free XXX
    • Hardcore Screensavers 4 U
    • I Love You..
    • Jenna 4 U
    • Learn SQL 4 Free
    • Lovers Corner
    • Need money ??
    • One Hacker's Love
    • One Virus Writer's Story
    • Patch for Elkern.gen
    • Patch for Klez.H
    • Play KOF 2002 4 Free
    • Project Sample Screensavers
    • Sample KOF 2002
    • Sample Playboy
    • Screensavers from Club Jenna
    • Sexy Screensavers 4 U
    • The King of KOF Wanna Brawl ??
    • Things to note
    • Visit us
    • Wanna be a HE-MAN
    • Wanna be friends ?
    • Wanna be friends ?
    • Wanna be like a stone ?
    • Wanna be my sweetheart ??
    • Wanna Hack ??
    • Wanna Rumble ??
    • We want peace
    • Whats up
    • Who is your Valentine
    • World Tour
    • WWE Screensavers
    • XXX Screensavers 4 U

    Attachment: Possible filenames include:

    • Beautifull.scr
    • Body_Building.scr
    • Britney_Sample.scr
    • Codeproject.scr
    • Cupid.scr
    • FixElkern.com
    • FixKlez.com
    • FreakOut.exe
    • Free_Love_Screensavers.scr
    • Hacker.scr
    • Hacker_The_LoveStory.scr
    • Hardcore4Free.scr
    • I_Love_You.scr
    • Jenna_Jemson.scr
    • King_of_Figthers.exe
    • KOF.exe
    • KOF_Demo.exe
    • KOF_Fighting.exe
    • KOF_Sample.exe
    • KOF_The_Game.exe
    • KOF2002.exe
    • Love.scr
    • My_Sexy_Pic.scr
    • MyPic.scr
    • MyProfile.scr
    • Notes.exe
    • Peace.scr
    • Playboy.scr
    • Plus2.scr
    • Plus6.scr
    • Project.exe
    • Ravs.scr
    • Real.scr
    • Romantic.scr
    • Romeo_Juliet.scr
    • Screensavers.scr
    • Services.scr
    • Sex.scrSoccer.scr
    • Sexy_Jenna.scr
    • SQL_4_Free.scr
    • Stone.scr
    • Sweetheart.scr
    • The_Best.scr
    • THEROCK.scr
    • up_life.scr
    • Valentines_Day.scr
    • VXer_The_LoveStory.scr
    • Ways_To_Earn_Money.exe
    • World_Tour.scr
    • xxx4Free.scr
    • zDenka.scr
    • zXXX_BROWSER.exe

    Message Body: Strings within the virus suggest multiple possible message body contents (body contents and attachment filename chosen together):


    • hey,
      did u always dreamnt of hacking ur friends hotmail account..
      finally i got a hotmail hack from the internet that really works..
      ur my best friend thats why sending to u..
      check it..just run it..enter victim's address and u will get the pass.

      hi,
      check the attached love screensaver
      and feel the fragrance of true love..

      Hi,
      check the attached screensaver..
      its really wonderfool..
      i got it from freescreensavers.com

      Hi,
      check ur friends circle using the attached friendship screensaver..
      check the attached screensaver
      and if u like it send it to all those you consider
      to be true friends... if it comes back to you then
      you will know that you have a circle of friends..

      Hi,
      check the attached screensaver
      and enjoy the world of friendship..

      Hi,
      are u in a rocking mood...
      check the attached scrennsaver and start shaking..

      Hi,
      Check the attached screensaver..

      Hi,
      Are you lonely ??..
      check the attached screensaver and
      forget the pain of loneliness

      Hi,
      Looking for online pals..
      check the attached friend finder software..

      Hi,
      sending you a screensaver..
      checkit and let me know how it is...

      Hi,
      Check the attached screensaver
      and feel the fragrance of true love...

      Hey,
      I just got this wonderfull screensaver from freescreensaver.com..
      Just check it out and let me know how it is..

      Hi,? I just came across it.. check out..??=====================================================================
      Are you one of those unfortunate human beings who are desperately
      looking for friends.. but still not getting true friends with whom
      you can share your everything..

      anyway you wont feel down any more cause GC Chat Network has brought
      up a global chat and online match making system using its own GC
      Messenger. Attached is the fully functional free version of GC
      Instant Messenger and Match Making client..
      Just install, register an account with us and find thousands of online
      pals all over the world..
      You can also search for friends by specific country,city,region etc.

      Regards Admin,
      GC Global Chat Network System..

      Hi,
      So you think you are in love..
      is it true love ? you may think right now that you are in
      true love but it is certainly possible that it is nothing
      but a mere infatuation to you..

      anyway to know yourself better than you have ever known check
      the attached screensaver and feel the fragrance of true love..

      Hey pal,
      you know friendship is like a business...
      to get something you need to give something..
      though its not that harsh as business but to
      get love and care from your friends you need to give
      love,care and respect to your friends.. right{BR>
      check the attached screensaver and you will learn how to
      make your friends happy..

      Hi,
      Its quite obvious that in our life we have numerous friends
      but.. BUT Best Friend can only be ONE.. right {BR>so can you decide who is your best friend {BR>i guess not.. cause mostly you will find that your best friend
      wont care about u like somebody else..

      anyway i found one way to find who is my best friend..
      check it..
      just check the attached screensaver.. answer some questions
      in it and also ask your best friend to answer the questions..

      ..then you will know more about him..

      Hey pal,
      wanna have some fun in life... {BR>feel like life is too boring and monotonous..
      check the attached screensaver and bring colours
      to your black & white life.. :)

      Hi,
      I just came across this funny screensaver..
      sending it to u.. hope u like it..
      check out and die laughing.. :)

      <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

      This E-Mail is never sent unsolicited. If you receive this
      E-Mail then it is because you have subscribed to the official
      newsletter at the KOF ONLINE website.

      King Of Fighters is oneof the greatest action game ever made.
      Now after the mind boggling sucess of KOF 2001 SNK proudly
      presents to you KOF 2002 with 4 new charecters.

      Even though we need no publicity for our product but this
      time we have decided to give away a fully functional trial
      version of KOF 2002. So check out the attached trial version
      of KOF 2002 and register at our official website toget a free
      copy of KOF2002 original version

      Best Regards,
      Admin,KOF ONLINE..

      <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

      Hello,
      I just came across your email ID while searching in the Yahoo profiles.
      Actually I want a true friend 4 life with whom I can share my everything.
      So if you areinterested in being my friend 4 life then mail me.

      If you wanna know about me, attached is my profile along with some of my
      pics. You can check and if you like it then do mail me.
      I will be waiting for your mail.

      Best Wishes,
      Your Friend..

      Hello,
      Looking for some Hardcore mind boggling action ?
      Install the attached browser software and browse
      across millions of paid hardcore sex sites for free.
      Using the software you can safely and easily browse
      across most of the hardcore XXX paid sites across the
      internet for free. Using it you can also clean all
      traces of your web browsing from your computer.

      Note:The attached browser software is made exclusivley
      for demo only. You can use the software for a limited
      time of 35 days after which you have to register it
      at our official website for its furthur use.

      Regards,
      Admin.

      Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.

      Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.

      We developed this free immunity tool to defeat the malicious virus.

      You only need to run this tool once,and then Klez will never come into your PC

      Hello,
      The attached product is send as a part of our official campaign
      for the popularity of our product.
      You have been chosen to try a free fully functional sample of our
      product.If you are satifiedthen you can send it to your friends.
      All you have to do is to install the software and register an account
      with us using the links provided in the software. Then send this software
      to your friends using your account ID and for each person who registers
      with us through your account, we will pay you $1.5.Once your account reaches
      the limit of $50, your payment will be send to your registration address by
      check or draft.

      Please note that the registration process is completely free which means
      by participating in this program you will only gain without loosing anything.

      Best Regards,
      Admin,

      This version of the W32/Yaha worm does not contain the strings common to other variants, (for example, the W32/Yaha.l variant).

      Indications Of Infection

      The virus copies itself into the Windows System directory (eg. C:\WINDOWS\SYSTEM) multiple times, using the following filenames:
      • NAV32_LOADER.EXE
      • TCPSVS32.EXE
      • WINSERVICES.EXE

      System startup is hooked by adding the following Registry keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      "WinServices"= C:\WINDOWS\SYSTEM\WinServices.exe

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      "WinServices" = C:\WINDOWS\SYSTEM\WinServices.exe

      The subsequent execution of EXE files is also hooked, via modifying the following key:

      HKEY_CLASSES_ROOT\exefile\shell\open
      ommand "(Default)"
      which is changed from:

      "%1" %*

      to:

      "C:\WINDOWS\SYSTEM\nav32_loader.exe""%1"%*

      In testing on NT/2000 systems, the virus was observed to make copies of itself in the Windows System directory using a filename from the following list:
      • hotmail_hack.exe
      • friendship.scr
      • world_of_friendship.scr
      • shake.scr
      • Sweet.scr
      • Be_Happy.scr
      • Friend_Finder.exe
      • I_Like_You.scr
      • love.scr
      • dance.scr
      • GC_Messenger.exe
      • True_Love.scr
      • Friend_Happy.scr
      • Best_Friend.scr life.scr
      • colour_of_life.scr
      • friendship_funny.scr
      • funny.scr

      The virus terminates processes those matching the following (the list is hard-coded within the virus):
      • _AVP32
      • _AVPCC
      • _AVPM
      • ACKWIN32
      • ALERTSVC
      • AMON.EXE
      • ANTIVIR
      • ATRACK
      • AVCONSOL
      • AVP.EXE
      • AVP32
      • AVPCC.EXE
      • AVPM.EXE
      • AVSYNMGR
      • CFINET
      • CFINET32
      • ESAFE.EXE
      • F-AGNT95
      • F-PROT95
      • F-STOPW
      • FP-WIN
      • FRW.EXE
      • IAMAPP
      • IAMSERV.EXE
      • ICMON
      • IOMON98
      • LOCKDOWN2000
      • LOCKDOWNADVANCED
      • LUALL
      • LUCOMSERVER
      • MCAFEE
      • N32SCANW
      • NAVAPSVC
      • NAVAPW32
      • NAVLU32
      • NAVRUNR
      • NAVW32
      • NAVWNT
      • NISSERV
      • NISUM
      • NMAIN
      • NOD32
      • NORTON
      • NPSSVC
      • NRESQ32
      • NSCHED32
      • NSCHEDNT
      • NSPLUGIN
      • NVC95
      • PCCIOMON
      • PCCMAIN
      • PCCWIN98
      • PCFWALLICON
      • POP3TRAP
      • PVIEW
      • PVIEW95
      • REGEDIT
      • RESCUE32
      • RMVTRJANSAFEWEB
      • SCAN32
      • SWEEP95
      • SYMPROXYSVC
      • TDS2-98
      • TDS2-NT
      • VET95
      • VETTRAY
      • VSECOMR
      • VSHWIN32
      • VSSTAT
      • WEBSCANX
      • WEBTRAP
      • ZONEALARM

      Method Of Infection

      The virus installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).

      The virus tries to gather email addresses from MAILTO links within *ht*, and *HoTMaiL* files, the Windows Address Book, MSN Messenger contacts, Yahoo Pager contacts. Messages are sent to the addresses found as mentionned above, using SMTP. The default SMTP server is retrieved from the registry:
      • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

      Removal Instructions

      Use current engine and DAT files for detection and removal.

      Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

      This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

      Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

      • 1. Ensure that you are using the minimum DAT (specified above) or higher
        2. Close all running applications
        3. Disconnect the system from the network
        4. Click START | RUN, type command and hit ENTER
        5. Change to the VirusScan engine directory:

        • Win9x/Millenium - Type cd \progra~1
          ommon~1\networ~1\viruss~1\40~1.xx           and hit ENTER
          WinNT/2K/XP - Type cd \progra~1
          ommon~1\networ~1\viruss~1\4.0.xx           and hit ENTER
        6. Type scan.exe /adl /clean and hit ENTER
        7. After scanning and removal is complete, reboot the system and reconnect to the network

        Additional Windows ME/XP removal considerations
     
    Randy_Bell, Jan 7, 2003
    #2
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...