cvot.txt Yaha.E?

Discussion in 'malware problems & news' started by polo, Aug 1, 2002.

Thread Status:
Not open for further replies.
  1. polo

    polo Guest

    This file cvot.txt was found in c:\windows along with cvotcvot.dll. I believe my brother got an email in his hotmail account and decided to click on the .BAT attachment and McAfee inbuilt virus scanner stopped him and said it's a virus. Does the existence of these 2 strange files mean the PC is infected?

    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

    iNDian sNakes pResents yAha.E

    iNDian hACkers,Vxers c0me & w0Rk wITh uS & **** tHE GFORCE-pAK shites

    bY

    sNAkeeYes,c0Bra

    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
  3. Download the free removal tool: clrav.com.
    [Latest update: June-27-2002, v6.2.3]
    This removal tool can also be used to remove the following viruses:

    I-Worm.BleBla.b
    I-Worm.Navidad
    I-Worm.Sircam
    I-Worm.Goner
    I-Worm.Klez.a,e,f,h
    Win32.Elkern.c
    I-Worm.Lentin.a,b,c,d,e,f,g (aka) Yaha

    http://www.avp.ch/mindex.stm
     
  4. polo

    polo Guest

    So it does look my brother's PC is infected. But how come the McAfee virus alerted him when he decide to open the attachment but the PC is still infected. This was using web-based Hotmail. He doesn't use OE or Outlook.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Polo,

    The proof of the pudding McaAfee indeed did the job, is checking the system - fe using the free app MN proposed in this thread ;).

    regards.


    paul
     
  6. polo

    polo Guest

    Huh? Don't follow. Could you rephrase your statement please. Do I have to remove the virus ASAP - will it "damage" my PC more if I don't remove?
    The proof of the pudding McaAfee indeed did the job, is checking the system - fe using the free app MN proposed in this thread
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Polo,

    I'd recommend cleaning your system asap indeed; not only this nastie will terminate a hugh range of anti-viruses and firewalls; it will (attempt to) spread using your system as well - thus disabling installed anti-viruses and firewalls on other systems as well.

    Please have a look at the specs in the link I provided earlier on (starting with http > until [/url] (copy and paste).

    regards.

    paul
     
  8. Polo,

    I will not tell you what to do with any system you or anyone else own..but I will give you this link at this forum about this virus and you can decide for yourself what you wish to do.

    https://www.wilderssecurity.com/showthread.php?t=1948

    If you want more info on the McAfee problem tell me the OS of the system and what version of McAfee he has...the lastest update he has and how he has it set to read web based email or email as a client when he downloads his email.

    I can not answers blind questions..and I do not have time to guess..never get much place with that in any case.
    But I will be glad to help you put the mystery to bed.
     
  9. polo

    polo Guest

    The machine in Win98 and IE 5.5. The version of McAfee is just the inbuilt one in Hotmail. If you use Hotmail you'll know.

    "The proof of the pudding McaAfee indeed did the job, is checking the system - fe using the free app MN proposed in this thread"

    Who/what is MN and what does "fe" mean? Confused!
     
  10. Who/what is MN and what does "fe" mean? Confused!

    He was refering to my post and I guess I would say that the "fe" is a typo and should be "re" so....


    Polo, why don't you consider downloading and run the tool that NM=MyNethingyman post. The standalone tool is called clrav.com and it will detect and clean a PC that is infect with that worm.


    I sugguest he install something on his machine other than the McAfee you mentioned.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    MN,

    Thanks for translating my crypto-post :cool:.

    regards.

    paul
     
  12. polo

    polo Guest

    I''ll download the tool. You recommend the Kaspersky one over any other one from another AV company? Should he not use the PC at all until the worm is removed? Or can he use it for non-Internet work like using Microsoft Word?
     
  13. Polo,
    I like these free standalone tools also....Wilders has some available here ..but I will give you this link.


    http://www.pandasoftware.es/library/pqremove_en.htm

    Just remember that YAHA has another name LENTIN and at panda they use the latter.


    Name: W32/Lentin.E
    Alias: W32/Yaha.E


    They are not the way to go to stop the exploit..but when you are in a fix they do a nice job.

    Also ,if you are running Win 98 and the machine does
    have a GOBACK system to recover files...the virus/worm/Trojan could also end up in there..Since the files are compressed in that area to save space, they are in a forum that most AV's will not clean..but they will notify you that something is still amiss even after you clean.

    In this case you will have to manually clean and reset the goback to begin again at a present time..so one does not be re infected..or in the case for some.."their AV telling them that files of the badboy can not be clean.

    WinME and XP users have that problem all the time and it is confusing for them.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Kaspersky is top notch - a splendid choice.

    Apart from the fact it's always better to clean an infected system asap: off-line only, if only to avoid the worm spreading and infecting others in the process.

    regards.

    paul
     
  15. polo

    polo Guest

    http://www.sophos.com/tools/readmes/readrmya.txt

    Is the Sophos removal tool good?

    http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

    I understand from this that IE5 or 5.5 WITHOUT the patch are vunerable even if "launching IFRAME" is Disabledo_O
     
  16. polo

    polo Guest

    Hmmm, the Sophos removal tool looks a bit complicated to "install" compared to Kaspersky's clrav.com -- running clrav.com deleted the keys in the registry relating to the EXE file in the c:\recycled which is run start up. The EXE is deleted too.

    However c:\windows\temp\kitkat isn't and this shows up as infected in a Kaspersky AVP scan. The TXT and DLL file in c:\windows which this worm creates don't come up as infected... Why?

    It seems to me scanners and removal tools only look and delete for the important files (EXE COM etc) and you have to readup and delete the other less important fileso_O
     
  17. Hi Polo,

    You are an excellent Detective and this last statement is so very well persented for a Synopsis for this thread. You are beginning to be an EXPERT. :)

    I can tell you stoires still about Nimda and KLEZ where some of the well know AV products leave some of the setting and "pointer" on your system and people have run the Panda Tool..found them and could then clean them off.

    So it is a two way street. But you have to realize what is going on. All of these Fine product out there and then the tools..are doing the best they can to help all of us. The first goal in cause we DO get infect is to STOP IT so our systems do not crash or let the exploit continue. But since all of these" BADBOYS" are constantly in a state of being modified and bits added to them..it is so very hard to get all the scraps.

    That is why Paul and all the other MODS here at Wilders have their favorite AV/AT programs. They know the people who design the product..they know which ones work the best..and it is a constant struggle for all of the vendors to get the entire signature that is out there in the wild..and then to find the cure for EACH OS we are all running, much less clean off all the bit if infected.


    Good job Polo. Hang in there> ;)
     
  18. polo

    polo Guest

    I noticed that after running the Kaspersky remover that on booting up the DLL file is showing the last modified date prior to the remover running i.e. when the EXE and RUN key existed. So it isn't changing anymore and thus being used? In any case it can be deleted...

    Erm. should I run the Sophos one as a backup or I've removed all the important files as outlined in my previous post?
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    polo,

    A double check never did hurt anyone, in spite of the fact it turned out your system being clean.

    regards,

    paul
     
  20. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    In fact this Yaha.E also goes by a different name W32/Lentin.E and you can get another tool free from panda that I know cleans off this one...

    W32/Lentin.E (Panda).


    http://www.pandasoftware.es/library/pqremove_en.htm




    http://service.pandasoftware.es/servlet/panda.pandaInternet.EntradaDatosInternet;jsessionid=2431911035027562632?operacion=EV2FichaVirus&pestanaFicha=0&idioma=2&nombreVirusFicha=W32/Lentin.E


    How can I find out if my computer is infected?


    How can I protect my computer from W32/Lentin.E?


    How to repair the effects caused by W32/Lentin.E

    see here

    http://www.pandasoftware.com/library/W32LentinE_en.htm
     
  21. polo

    polo Guest

    I removed this worm using Kaspersky's tool but wanted to double check using Sophos. I was able to run RMYAHA.EXE *without* renaming it to .COM and get 0 results as expected ---I don't understand this:

    http://www.sophos.com/tools/readmes/readrmya.txt
    "If you removed the infected files prior to running RMYAHA, RMYAHA will not be able to run. In order to be able to run it, you should rename RMYAHA.EXE to RMYAHA.COM."

    BTW, how important is it to copy the files to a floppy on an uninfected PC, is this more of a precaution, as Kaspersky's didnt require this.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.