Name: W32/Yaha-B
Type: Win32 worm
Date: 3 April 2002

At the time of writing Sophos has received just one report of this worm from the wild.

Description:

W32/Yaha-B is a Win32 worm which makes two copies of itself in C:\Recycled. The first copy has a name made up of five randomly generated characters and an EXE extension; the second has the same name with an extra "f" on the end.

The worm then sets the following registry value so that the worm is run first whenever an EXE file is executed:

HKCR\exefile\shell\open\command\(default) = "C:\Recycled\.exe %1 %*"

When the worm is executed it will start a screensaver that manipulates the Desktop display. The user can exit this screensaver in the usual manner.

W32/Yaha-B sends itself as an attachment to emails with the following characteristics:

Subject line:
Enjoy this friendship-joke Screen Saver!!!!
or
Fw : Enjoy this friendship-joke Screen Saver!!!!
or
Have a nice day!!!!

Message body:
This email is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
Enjoy this friendship-joke Screen Saver and Check ur friends circle...
Send this screensaver from xww.friendship.com to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a cirle of friends.
*To remove yourself from this mailing list, point your browser to: xxxx:x/xfriendship.x/remove?freescreensaver
*Enter your email address () in the field provided and click "Unsubscribe".
OR...
*Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address X-PMG-Recipient:

Attached file: Friends.scr

The emails are sent to addresses from the Windows Address Book (WAB) and to addresses found in *.HT* files.

This worm will also attempt to send SMS messages to <number>@xbplmobile.com and <number>@xescotelmobile.com, where <number> is randomly generated apart from an initial five-digit code.

The Internet Explorer start-up page will be changed to one of the following seven addresses: xww.malayalmanorama.com, xww.asianetglobal.com, xww.kerala.com, xww.india.com, xww.malayalamchannel.com, xww.sunnt.com/suryatv, xww.achayans.com.

A plain text file with the same randomly generated name as the copy of the worm in C:\Recycled will be dropped in the Windows directory.

Read the analysis at http://www.sophos.com/virusinfo/analyses/w32yahab.html

Note by FanJ: I have changed the links a little bit to prevent a reader from clicking on them.
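The description above lists three host and mail indicators a responder can check for: the exefile shell-open handler being pointed at a program in C:\Recycled instead of the stock `"%1" %*` value, the paired five-character EXE names dropped in C:\Recycled, and the fixed subject lines and Friends.scr attachment of the outgoing mail. The following Python is an added example written for this page, not Sophos code or part of the original post. It works on strings and file listings you supply (for instance exported from a registry query or a mail gateway log), so it runs on any platform; the sample inputs inside it are constructed, and the reading of "same name with an extra f on the end" as `xxxxx.exe` plus `xxxxxf.exe` is an assumption, since the page gives no concrete filename.

```python
import re
from typing import List, NamedTuple, Optional

# Stock value of HKCR\exefile\shell\open\command\(default): the requested EXE
# runs directly with its own arguments. Any other program named in front of %1
# gets control first on every EXE launch, which is how W32/Yaha-B persists.
CANONICAL_EXEFILE_COMMAND = re.compile(r'"?%1"?( %\*)?')
INTERPOSED_COMMAND = re.compile(r'"?(?P<prog>[^"]+?)"? "?%1"?( %\*)?')

# Mail indicators quoted in the advisory.
YAHA_B_SUBJECTS = {
    "Enjoy this friendship-joke Screen Saver!!!!",
    "Fw : Enjoy this friendship-joke Screen Saver!!!!",
    "Have a nice day!!!!",
}
YAHA_B_ATTACHMENT = "Friends.scr"


class HandlerCheck(NamedTuple):
    interposed: bool                  # True when something other than %1 runs first
    interposed_program: Optional[str]  # the program placed in front of %1, if parsed
    reason: str


def check_exefile_handler(value: str) -> HandlerCheck:
    """Classify an exefile\\shell\\open\\command default value."""
    s = " ".join(value.split())  # normalise whitespace before comparing
    if CANONICAL_EXEFILE_COMMAND.fullmatch(s):
        return HandlerCheck(False, None, "canonical handler: the requested EXE runs directly")
    m = INTERPOSED_COMMAND.fullmatch(s)
    if not m:
        return HandlerCheck(True, None, "non-standard value that could not be parsed; inspect manually")
    prog = m.group("prog").strip()
    if prog.lower().startswith("c:\\recycled\\"):
        return HandlerCheck(True, prog, "interposed program lives in C:\\Recycled, the location W32/Yaha-B uses")
    return HandlerCheck(True, prog, "another program receives control before every EXE; verify it is expected")


def mail_indicators(subject: str, attachment_names: List[str]) -> List[str]:
    """Return which of the advisory's mail indicators a message matches."""
    found = []
    if " ".join(subject.split()) in YAHA_B_SUBJECTS:
        found.append("subject")
    if any(n.lower() == YAHA_B_ATTACHMENT.lower() for n in attachment_names):
        found.append("attachment")
    return found


def find_dropper_pairs(filenames: List[str]) -> List[tuple]:
    """Find (xxxxx.exe, xxxxxf.exe) pairs in a C:\\Recycled listing.

    Assumed reading of 'the same name with an extra f on the end'; the five
    random characters are taken to be letters or digits.
    """
    names = {n.lower() for n in filenames}
    pairs = []
    for n in sorted(names):
        m = re.fullmatch(r"([a-z0-9]{5})\.exe", n)
        if m and f"{m.group(1)}f.exe" in names:
            pairs.append((n, f"{m.group(1)}f.exe"))
    return pairs


if __name__ == "__main__":
    # Constructed sample inputs, not data taken from a real infection.
    for value in ['"%1" %*', "C:\\Recycled\\ab1cd.exe %1 %*",
                  '"C:\\Program Files\\Vendor\\launcher.exe" "%1" %*']:
        print(value, "->", check_exefile_handler(value))
    print(mail_indicators("Have a nice day!!!!", ["Friends.scr"]))
    print(find_dropper_pairs(["ab1cd.exe", "ab1cdf.exe", "desktop.ini"]))
```

Each function reports rather than remediates: a non-canonical handler is only a finding until the interposed program is identified, and a subject-line match on its own is weak, so the mail check returns the list of indicators that hit instead of a single verdict.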