Discussion in 'malware problems & news' started by Randy_Bell, Dec 31, 2002.

Thread Status:
Not open for further replies.
  1. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Symantec Security Response - W32.Yaha.L@mm

    W32.Yaha.L@mm is a worm that is a variant of W32.Yaha.K@mm. The differences between the variants do not visibly manifest themselves, so the characteristics of each will be the same.

    Type: Worm
    Infection Length: 34,304 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    Technical Details

    W32.Yaha.L@mm performs the same actions as W32.Yaha.K@mm, but it contains some unused code. For more details, refer to the W32.Yaha.K@mm writeup.

    Removal Instructions

    NOTE: If the worm has not run, and your Symantec antivirus product detects W32.Yaha.L@mm either in an email message, or when the worm attempts to run, delete it.

    If the worm has run, do the following:

    1. Download the updated virus definitions using the Intelligent Updater, but do not install them.
    2. Restart the computer in Safe mode.
    3. Copy Regedit.exe to Reg.com.
    4. Edit the registry and reverse the changes the worm made.
    5. Restart the computer in Normal mode.
    6. Start your Symantec antivirus software. If it does not start or properly function, re-install it.
    7. Install the Intelligent Updater virus definitions you downloaded earlier.
    8. Run a full system scan and delete the files detected as W32.Yaha.L@mm.

    4. Editing the registry and reversing the changes the worm made

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

    1. Navigate to and select the following key:

       CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.

       Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure:

       http://home.mindspring.com/~randybell2/Yaha.J_2.gif <<=== NOTE: Modify this key.

    2. In the right pane, double-click the (Default) value.
    3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

       • On Windows 95/98/Millennium and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like:

         ""%1" %*"
       • On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like:

         "%1" %*
       • Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this occurs, restart at the beginning of this document, and make sure that you completely remove the current value data.
    4. Navigate in turn to each of the following keys:

       NOTE: The RunServices key may not exist on all the systems.

    5. In the right pane, delete the value

       WinServices C:\%System%\WinServices.exe

    6. Restart the computer.
  2. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    McAfee: W32/Yaha.L

    McAfee Security - W32/Yaha.L

    Name: W32/Yaha.L
    Risk Assessment
    - Home Users: Low
    - Corporate Users: Low
    Date Discovered: 12/30/2002
    Date Added: 12/31/2002
    Origin: Unknown
    Length: 34,304 bytes
    Type: Virus
    SubType: E-mail worm
    DAT Required: 4240

    Virus Characteristics

    The 4239 DAT files will detect this threat as W32/Yaha.gen. Exact detection of W32/Yaha.l was included in the 4240 DAT files. This worm propagates via email using its own built-in SMTP engine. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against a remote machine (the target is hard-coded within the worm).

    The worm arrives as an attachment to a message formatted as follows:

    Subject: (chosen from the following list:)

    • Are you a Soccer Fan ?
    • Are you beautiful
    • Are you the BEST
    • Check it out
    • Demo KOF 2002
    • Feel the fragrance of Love
    • Freak Out
    • Free Demo Game
    • Free rAVs Screensavers
    • Free Screenavers of Love
    • Free Screensavers
    • Free Screensavers 4 U
    • Free Win32 API source
    • Free XXX
    • Hardcore Screensavers 4 U
    • I Love You..
    • Jenna 4 U
    • Learn SQL 4 Free
    • Lovers Corner
    • Need money ??
    • One Hacker's Love
    • One Virus Writer's Story
    • Patch for Elkern.gen
    • Patch for Klez.H
    • Play KOF 2002 4 Free
    • Project Sample Screensavers
    • Sample KOF 2002
    • Sample Playboy
    • Screensavers from Club Jenna
    • Sexy Screensavers 4 U
    • The King of KOF Wanna Brawl ??
    • Things to note
    • Visit us
    • Wanna be a HE-MAN
    • Wanna be friends ?
    • Wanna be friends ?
    • Wanna be like a stone ?
    • Wanna be my sweetheart ??
    • Wanna Hack ??
    • Wanna Rumble ??
    • We want peace
    • Whats up
    • Who is your Valentine
    • World Tour
    • WWE Screensavers
    • XXX Screensavers 4 U

    Attachment: Possible filenames include:

    • Beautifull.scr
    • Body_Building.scr
    • Britney_Sample.scr
    • Codeproject.scr
    • Cupid.scr
    • FixElkern.com
    • FixKlez.com
    • FreakOut.exe
    • Free_Love_Screensavers.scr
    • Hacker.scr
    • Hacker_The_LoveStory.scr
    • Hardcore4Free.scr
    • I_Love_You.scr
    • Jenna_Jemson.scr
    • King_of_Figthers.exe
    • KOF.exe
    • KOF_Demo.exe
    • KOF_Fighting.exe
    • KOF_Sample.exe
    • KOF_The_Game.exe
    • KOF2002.exe
    • Love.scr
    • My_Sexy_Pic.scr
    • MyPic.scr
    • MyProfile.scr
    • Notes.exe
    • Peace.scr
    • Playboy.scr
    • Plus2.scr
    • Plus6.scr
    • Project.exe
    • Ravs.scr
    • Real.scr
    • Romantic.scr
    • Romeo_Juliet.scr
    • Screensavers.scr
    • Services.scr
    • Sex.scr
    • Soccer.scr
    • Sexy_Jenna.scr
    • SQL_4_Free.scr
    • Stone.scr
    • Sweetheart.scr
    • The_Best.scr
    • THEROCK.scr
    • up_life.scr
    • Valentines_Day.scr
    • VXer_The_LoveStory.scr
    • Ways_To_Earn_Money.exe
    • World_Tour.scr
    • xxx4Free.scr
    • zDenka.scr
    • zXXX_BROWSER.exe

    Message Body: Strings within the virus suggest multiple possible message body contents (body contents and attachment filename chosen together):

    did u always dreamnt of hacking ur friends hotmail account..
    finally i got a hotmail hack from the internet that really works..
    ur my best friend thats why sending to u..
    check it..just run it..enter victim's address and u will get the pass.

    check the attached love screensaver
    and feel the fragrance of true love..

    check the attached screensaver..
    its really wonderfool..
    i got it from freescreensavers.com

    check ur friends circle using the attached friendship screensaver..
    check the attached screensaver
    and if u like it send it to all those you consider
    to be true friends... if it comes back to you then
    you will know that you have a circle of friends..

    check the attached screensaver
    and enjoy the world of friendship..

    are u in a rocking mood...
    check the attached scrennsaver and start shaking..

    Check the attached screensaver..

    Are you lonely ??..
    check the attached screensaver and
    forget the pain of loneliness

    Looking for online pals..
    check the attached friend finder software..

    sending you a screensaver..
    checkit and let me know how it is...

    Check the attached screensaver
    and feel the fragrance of true love...

    I just got this wonderfull screensaver from freescreensaver.com..
    Just check it out and let me know how it is..

    Hi, I just came across it.. check out..

    =====================================================================
    Are you one of those unfortunate human beings who are desperately
    looking for friends.. but still not getting true friends with whom
    you can share your everything..

    anyway you wont feel down any more cause GC Chat Network has brought
    up a global chat and online match making system using its own GC
    Messenger. Attached is the fully functional free version of GC
    Instant Messenger and Match Making client..
    Just install, register an account with us and find thousands of online
    pals all over the world..
    You can also search for friends by specific country,city,region etc.

    Regards Admin,
    GC Global Chat Network System..

    So you think you are in love..
    is it true love ? you may think right now that you are in
    true love but it is certainly possible that it is nothing
    but a mere infatuation to you..

    anyway to know yourself better than you have ever known check
    the attached screensaver and feel the fragrance of true love..

    Hey pal,
    you know friendship is like a business...
    to get something you need to give something..
    though its not that harsh as business but to
    get love and care from your friends you need to give
    love,care and respect to your friends.. right
    check the attached screensaver and you will learn how to
    make your friends happy..

    Its quite obvious that in our life we have numerous friends
    but.. BUT Best Friend can only be ONE.. right
    so can you decide who is your best friend
    i guess not.. cause mostly you will find that your best friend
    wont care about u like somebody else..

    anyway i found one way to find who is my best friend..
    check it..
    just check the attached screensaver.. answer some questions
    in it and also ask your best friend to answer the questions..

    ..then you will know more about him..

    Hey pal,
    wanna have some fun in life...
    feel like life is too boring and monotonous..
    check the attached screensaver and bring colours
    to your black & white life.. :)

    I just came across this funny screensaver..
    sending it to u.. hope u like it..
    check out and die laughing.. :)


    This E-Mail is never sent unsolicited. If you receive this
    E-Mail then it is because you have subscribed to the official
    newsletter at the KOF ONLINE website.

    King Of Fighters is oneof the greatest action game ever made.
    Now after the mind boggling sucess of KOF 2001 SNK proudly
    presents to you KOF 2002 with 4 new charecters.

    Even though we need no publicity for our product but this
    time we have decided to give away a fully functional trial
    version of KOF 2002. So check out the attached trial version
    of KOF 2002 and register at our official website toget a free
    copy of KOF2002 original version

    Best Regards,
    Admin,KOF ONLINE..


    I just came across your email ID while searching in the Yahoo profiles.
    Actually I want a true friend 4 life with whom I can share my everything.
    So if you areinterested in being my friend 4 life then mail me.

    If you wanna know about me, attached is my profile along with some of my
    pics. You can check and if you like it then do mail me.
    I will be waiting for your mail.

    Best Wishes,
    Your Friend..

    Looking for some Hardcore mind boggling action ?
    Install the attached browser software and browse
    across millions of paid hardcore sex sites for free.
    Using the software you can safely and easily browse
    across most of the hardcore XXX paid sites across the
    internet for free. Using it you can also clean all
    traces of your web browsing from your computer.

    Note:The attached browser software is made exclusivley
    for demo only. You can use the software for a limited
    time of 35 days after which you have to register it
    at our official website for its furthur use.


    Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files.

    Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it.

    We developed this free immunity tool to defeat the malicious virus.

    You only need to run this tool once,and then Klez will never come into your PC

    The attached product is send as a part of our official campaign
    for the popularity of our product.
    You have been chosen to try a free fully functional sample of our
    product.If you are satifiedthen you can send it to your friends.
    All you have to do is to install the software and register an account
    with us using the links provided in the software. Then send this software
    to your friends using your account ID and for each person who registers
    with us through your account, we will pay you $1.5.Once your account reaches
    the limit of $50, your payment will be send to your registration address by
    check or draft.

    Please note that the registration process is completely free which means
    by participating in this program you will only gain without loosing anything.

    Best Regards,

    The virus contains the following strings (similar to previous Yaha variants):

    • teRminAtioN oF aV + FireWaLL f0r sUrvIvaL.
    • tImE dEfiNed tRigErRinG.. jUst f0r fUn.. n0 paYloaD.
    • c0ntAinS bUg iN rEpliCation c0de.. no tIme t0 fiX.

    Indications of Infection

    The virus copies itself into the Windows System directory (e.g. C:\WINDOWS\SYSTEM) multiple times, using the following filenames:

    • TCPSVS32.EXE

    System startup is hooked by adding the following Registry keys:

    "WinServices"= C:\WINDOWS\SYSTEM\WinServices.exe

    "WinServices" = C:\WINDOWS\SYSTEM\WinServices.exe

    The subsequent execution of EXE files is also hooked, via modifying the following key:

    ommand "(Default)"
    which is changed from:

    "%1" %*


    In testing on NT/2000 systems, the virus was observed to make copies of itself in the Windows System directory using a filename from the following list:

    • hotmail_hack.exe
    • friendship.scr
    • world_of_friendship.scr
    • shake.scr
    • Sweet.scr
    • Be_Happy.scr
    • Friend_Finder.exe
    • I_Like_You.scr
    • love.scr
    • dance.scr
    • GC_Messenger.exe
    • True_Love.scr
    • Friend_Happy.scr
    • Best_Friend.scr
    • life.scr
    • colour_of_life.scr
    • friendship_funny.scr
    • funny.scr

    The virus terminates processes matching the following (the list is hard-coded within the virus):

    • _AVP32
    • _AVPCC
    • _AVPM
    • ACKWIN32
    • AMON.EXE
    • ATRACK
    • AVP.EXE
    • AVP32
    • AVPM.EXE
    • CFINET
    • CFINET32
    • F-AGNT95
    • F-PROT95
    • F-STOPW
    • FP-WIN
    • FRW.EXE
    • IAMAPP
    • ICMON
    • IOMON98
    • LOCKDOWN2000
    • LUALL
    • MCAFEE
    • N32SCANW
    • NAVAPW32
    • NAVLU32
    • NAVW32
    • NAVWNT
    • NISUM
    • NMAIN
    • NOD32
    • NORTON
    • NPSSVC
    • NRESQ32
    • NSCHED32
    • NVC95
    • PCCWIN98
    • POP3TRAP
    • PVIEW
    • PVIEW95
    • RESCUE32
    • SCAN32
    • SWEEP95
    • TDS2-98
    • TDS2-NT
    • VET95
    • VSHWIN32
    • VSSTAT

    Method of Infection

    The virus installs itself on the victim machine upon execution. It terminates various processes (AV and security product related).

    The virus tries to gather email addresses from MAILTO links within *ht*, and *HoTMaiL* files, the Windows Address Book, MSN Messenger contacts, Yahoo Pager contacts. Messages are sent to the addresses found as mentioned above, using SMTP. The default SMTP server is retrieved from the registry:

    • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts

    Removal Instructions

    Use current engine and DAT files for detection and removal.

    Once infected, VirusScan may not be able to run as the virus can terminate the process before any scanning/removal is accomplished.

    This can make the removal of the virus more difficult for users. As such, AVERT has released a removal tool to assist infected users with this virus.

    Alternatively, the following steps will circumvent the virus and allow for proper VirusScan scanning/removal, by using the command-line scanner.

    1. Ensure that you are using the minimum DAT (specified above) or higher
    2. Close all running applications
    3. Disconnect the system from the network
    4. Click START | RUN, type command and hit ENTER
    5. Change to the VirusScan engine directory:
       • Win9x/ME - Type cd \progra~1 and hit ENTER
       • WinNT/2K/XP - Type cd \progra~1 and hit ENTER
    6. Type scan.exe /adl /clean and hit ENTER
    7. After scanning and removal is complete, reboot the system and reconnect to the network

    Additional Windows ME/XP removal considerations

    I-Worm.Lentin.j (AVP), W32.Yaha.L@mm (Symantec), W32/Lentin.L (Panda), W32/Yerh.A (F-Prot)
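    The subject and attachment lists in this writeup are what a mail gateway filter would key on. The script below is an added example, not McAfee's or the poster's code: it flags a message whose subject or attachment name matches a subset of the lists copied from this post, and falls back to the .scr/.exe/.com extensions that every listed attachment uses. The sample messages it builds are constructed for the demonstration, and the example.com addresses are placeholders.

```python
"""Flag inbound mail that matches the W32/Yaha.L characteristics listed above.

Added example (not McAfee's or the poster's code). The subject lines and
attachment names are a subset copied from the advisory lists; the sample
messages built by build_sample() are constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Subset of the subject lines listed in the advisory (compared case-insensitively).
YAHA_SUBJECTS = {
    "are you a soccer fan ?", "check it out", "free screensavers",
    "patch for elkern.gen", "patch for klez.h", "wanna be friends ?",
    "who is your valentine", "xxx screensavers 4 u",
}

# Subset of the attachment names listed in the advisory.
YAHA_ATTACHMENTS = {
    "beautifull.scr", "fixelkern.com", "fixklez.com", "hacker.scr",
    "kof2002.exe", "services.scr", "sex.scr", "soccer.scr", "zxxx_browser.exe",
}

# Every attachment name in the advisory ends in one of these extensions.
RISKY_EXTENSIONS = (".scr", ".exe", ".com")


def classify(msg: EmailMessage) -> List[str]:
    """Return the reasons a message looks like a Yaha.L carrier (empty if clean)."""
    reasons: List[str] = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in YAHA_SUBJECTS:
        reasons.append(f"subject matches Yaha list: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if not name:
            continue
        if name in YAHA_ATTACHMENTS:
            reasons.append(f"attachment name matches Yaha list: {name!r}")
        elif name.endswith(RISKY_EXTENSIONS):
            # Not a listed name, but still an executable type the worm uses.
            reasons.append(f"executable attachment: {name!r}")
    return reasons


def classify_raw(raw: bytes) -> List[str]:
    """Parse an RFC 822 message from bytes (as a gateway would) and classify it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return classify(msg)


def build_sample(subject: str, filename: Optional[str]) -> bytes:
    """Construct a sample message for testing; this is not a real capture."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"   # placeholder address
    msg["To"] = "you@example.com"        # placeholder address
    msg["Subject"] = subject
    msg.set_content("check the attached screensaver..")
    if filename:
        # The worm body is not reproduced; the attachment content is a placeholder.
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fn in [("Wanna be friends ?", "Soccer.scr"),
                     ("Meeting notes", "report.exe"),
                     ("Meeting notes", "agenda.txt")]:
        print(f"{subj!r} / {fn!r} -> {classify_raw(build_sample(subj, fn)) or 'clean'}")
```

    Matching only exact subjects and names is the narrow rule; the extension fallback is the one that actually stops the variants, since the lists change between K and L while the attachment types do not.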
  3. Chuck57

    Chuck57 Registered Member

    Sep 2, 2002
    New Mexico, USA
    THANK YOU, Randy. I read your posts before I checked my email, and found 8 in my mailbox, either the K or L version.

    More than likely my AV would have caught them had I opened the attachments, from a close friend, but I played it safe and deleted them. Next step is to email the friend and tell her that she might have a bug in her system.

    Thank you again, and keep up the good work and warnings.
  4. Randy_Bell

    Randy_Bell Registered Member

    May 24, 2002
    Santa Clara, CA
    Panda: W32/Lentin.L

    Panda Virus Encyclopedia - W32/Lentin.L

    Common name: Lentin.L
    Technical name: W32/Lentin.L
    Threat level: Very low
    Type: Worm
    Effects: It terminates processes belonging to antivirus programs and firewalls, among others.
    Systems affected: Windows XP/2000 Pro/NT/Me/98/95
    First appeared on: Dec. 29, 2002
    In circulation? No

    Brief Description

    Lentin.L is a worm that reaches computers in a file attached to an e-mail message with variable characteristics.

    The effects of Lentin.L are considered dangerous because:

    • It spreads rapidly via e-mail.
    • It terminates several processes in affected computers, which causes, among others, antivirus programs and firewalls to stop.

    Visible Symptoms

    There is no clear indication that Lentin.L has reached your computer.

    It is also difficult to identify the messages carrying Lentin.L, as their characteristics vary each time. The name of the attached file that carries out the infection is selected at random from a list and has an SCR, EXE or COM extension.

    For a list of the possible names of the attached file carrying Lentin.L, click here.


    Lentin.L terminates several processes corresponding to antivirus programs and Firewalls in affected computers, if they are active. The processes are:


    Means of infection

    Lentin.L creates the following files in the Windows system directory:


    These files contain the worm’s code.

    Lentin.L also creates copies of itself in the Windows system directory under names selected at random from the following list:


    Lentin.L creates the following entries in the Windows Registry:

    • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run WinServices.exe C:\ %System%\ WinServices.exe
    • HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices WinServices.exe C:\ %System%\ WinServices.exe

    With this entry, Lentin.L ensures that it is run every time Windows is started.

    • HKEY_LOCAL_MACHINE\ Software\ Classes\ exefile\ shell\ open\ command

    The following value is applied to this entry: %System%\ WinServices.exe"%1 %*. By doing this, Lentin.L configures itself every time a file with an EXE extension is run.

    Means of transmission

    Lentin.L mainly uses e-mail to spread. Lentin.L reaches computers hidden in an e-mail message with variable characteristics:

    • Subject: Variable. For a list of the possible subjects of the e-mail messages carrying Lentin.L, click here.
    • Message: Variable. For a list of the possible content of the e-mail messages carrying Lentin.L, click here.
    • Attachments: Variable. For a list of the possible names of the files carrying Lentin.L, click here.
    • Sender: Variable. For a list of the possible senders of the e-mail messages carrying Lentin.L, click here.

    Lentin.L uses its own SMTP engine to send infected e-mail messages to all the contacts in the Windows, MSN Messenger, .NET Messenger and Yahoo Pager Address Books, and the addresses it finds in the files with an HT extension.

    Lentin.L tries to use the default SMTP server address in the infected computer to send out the e-mail messages, but if it does not find the necessary information, it uses one of the many SMTP server addresses contained in its code.

    Other Details

    Lentin.L is written in the programming language C++. The file that carries out the infection is compressed with UPX and is 34,304 bytes in size.

    Is my computer infected by Lentin.L?

    In order to make absolutely sure that Lentin.L has not infected your computer, you have the following options:

    A. Carry out a full scan of your computer using Panda Antivirus, after checking that it is updated. If it isn't and you are a registered Panda Software client, update it by clicking here.

    B. Check the computer with Panda ActiveScan, Panda Software's free, online scanner, which will quickly detect any possible viruses.

    How to remove Lentin.L

    Above all, if you have received a message with any of the characteristics described in the section Means of transmission, do not run the attached file and delete the message, making sure that you also delete it from the Deleted Items folder.

    If your Panda Antivirus or Panda ActiveScan detects Lentin.L during the scan, it will automatically offer you the option of deleting it. Do this by following the program's instructions.

    In order to restore the original configuration of your computer, follow the steps below:

    • Delete the entries that this worm has inserted in the Windows Registry:

      HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
      WinServices.exe C:\ %System%\ WinServices.exe

      HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunServices
      WinServices.exe C:\ %System%\ WinServices.exe

      HKEY_LOCAL_MACHINE\ Software\ Classes\ exefile\ shell\ open\ command
      %System%\ WinServices.exe"%1 %*

      If you cannot access the Windows Registry, restart your computer in safe mode, then rename REGEDIT.EXE and call it REGEDIT.COM. Run REGEDIT.COM and delete the entries that the worm has inserted in the Windows Registry. Finally, change the file name back to REGEDIT.EXE.
    • Restart your computer.

    Additional notes:

    • For instructions on how to modify the Windows Registry, click here.
    • If your computer has Windows Millennium or Windows XP installed, click here to permanently remove all trace of the virus.

    How to protect your computer from Lentin.L

    In order to keep your computer protected, bear the following tips in mind:

    • If you have filtering tools installed, configure them to reject messages with the characteristics described in the section Means of transmission. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
    • Install a good antivirus in your computer. Click here to get the Panda antivirus solution that best suits your needs.
    • Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
    • Keep your permanent antivirus protection enabled at all times.

    For more detailed information about how to protect your computer against viruses, click here.
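    The Symantec removal steps in the first post, the McAfee "Indications of Infection" and the Panda registry entries just listed all come down to three registry locations: the Run and RunServices values that launch WinServices.exe, and the (Default) of exefile\shell\open\command, which must read exactly "%1" %*. The script below is an added example, not Symantec's, McAfee's or Panda's code: it parses the text export that regedit /e writes and reports those indicators, so an export saved before the cleanup can be compared with one saved after it, without having to eyeball the values in the editor. The two sample exports embedded in it are constructed for the demonstration (the hijacked command value is a constructed form of what the writeups describe); the WinServices.exe filename and key paths are taken from the posts above.

```python
"""Check a Windows registry export for the persistence and EXE-hijack entries
the Yaha.L writeups above describe: Run/RunServices values pointing at
WinServices.exe and a modified exefile\\shell\\open\\command default.

Added example (not Symantec's, McAfee's or Panda's code). It parses the text
format written by "regedit /e", so a saved export can be checked offline; the
two sample exports at the bottom are constructed for the demonstration.
"""
import re
from typing import Dict, List

CLEAN_EXE_COMMAND = '"%1" %*'   # expected (Default) of exefile\shell\open\command
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
STARTUP_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
WORM_IMAGE = "winservices.exe"  # file the worm drops, per the writeups

# A .reg value line: either @=... (default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # Undo .reg string escaping (backslash-backslash and backslash-quote).
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path (lower-cased): {value name: data}} for string values.
    The default value is stored under the name '@'; hex:/dword: data is skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def check_yaha_indicators(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no indicator was seen."""
    reg = parse_reg_export(text)
    findings: List[str] = []
    cmd = reg.get(EXEFILE_KEY.lower(), {}).get("@")
    # Exact comparison: a prepended program path and a stray leading space both
    # fail it (the latter is the "Windows cannot find .exe" mistake Symantec warns about).
    if cmd is not None and cmd != CLEAN_EXE_COMMAND:
        findings.append(
            f"exefile open command hijacked: {cmd!r} (expected {CLEAN_EXE_COMMAND!r})")
    for key in STARTUP_KEYS:
        short = key.rsplit("\\", 1)[-1]   # "Run" or "RunServices"
        for name, data in reg.get(key.lower(), {}).items():
            if WORM_IMAGE in data.lower():
                findings.append(f"startup entry {short}\\{name} -> {data}")
    return findings


# Constructed export of an infected machine (value layout as the writeups describe).
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\WinServices.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
'''

# Constructed export of a clean machine; "SomeTool" is a placeholder autostart entry.
SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SomeTool"="C:\\Program Files\\Tool\\tool.exe"
'''

if __name__ == "__main__":
    for label, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", check_yaha_indicators(sample) or ["no indicators"])
```

    In the export format the clean default is written with escaped quotes, as @="\"%1\" %*", regardless of whether the Windows 95/98/NT editor displays it with the extra outer quotes or the 2000/XP editor does not, so one comparison string serves all the systems the writeups cover.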