Symantec Security Response - W32.Yaha.L@mm

W32.Yaha.L@mm is a worm that is a variant of W32.Yaha.K@mm. The differences between the two variants do not manifest themselves visibly, so the characteristics of both are the same.

Type: Worm
Infection Length: 34,304 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

technical details

W32.Yaha.L@mm performs the same actions as W32.Yaha.K@mm, but it contains some unused code. For more details, refer to the W32.Yaha.K@mm writeup.

removal instructions

NOTE: If the worm has not run, and your Symantec antivirus product detects W32.Yaha.L@mm either in an email message or when the worm attempts to run, delete it.

If the worm has run, do the following:

1. Download the updated virus definitions using the Intelligent Updater, but do not install them yet. The worm changes the registry entry that controls how .exe files are run (see the registry steps below), so no program file should be run until that entry has been repaired.
2. Restart the computer in Safe mode.
3. Copy Regedit.exe to Reg.com. A .com file is not affected by the changed .exe file association, so Reg.com can be used to open the Registry Editor.
4. Edit the registry and reverse the changes the worm made, as described under "Editing the registry and reversing the changes the worm made" below.
5. Restart the computer in Normal mode.
6. Start your Symantec antivirus software. If it does not start or function properly, reinstall it.
7. Install the Intelligent Updater virus definitions you downloaded earlier.
8. Run a full system scan and delete the files detected as W32.Yaha.L@mm.

Editing the registry and reversing the changes the worm made

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document "How to make a backup of the Windows registry" for instructions.

1. Navigate to and select the following key:
   HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

   CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any file ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey. Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure:
   http://home.mindspring.com/~randybell2/Yaha.J_2.gif (figure: the key to modify)

2. In the right pane, double-click the (Default) value.

3. Delete the current value data, and then type:
   "%1" %*
   (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

   NOTES: On Windows 95/98/Millennium and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like:
   ""%1" %*"
   On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like:
   "%1" %*
   Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run a program file will result in the error message "Windows cannot find .exe." If this occurs, restart at the beginning of this document, and make sure that you completely remove the current value data.

4. Navigate in turn to each of the following keys:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

   NOTE: The RunServices key may not exist on all systems.

5. In the right pane, delete the value:
   WinServices C:\%System%\WinServices.exe

6. Restart the computer.
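The two registry changes the removal steps above reverse by hand can also be checked and reversed from an exported .reg file. The following Python script is an added example, not code from the Symantec writeup: it parses a REGEDIT4-style export, flags an exefile\shell\open\command default that is anything other than exactly "%1" %* (so a stray leading space, which the writeup warns produces "Windows cannot find .exe", is also flagged), flags a WinServices value under Run or RunServices, and builds a REGEDIT4 fragment that restores the association and deletes the values. The sample export is constructed for the example, and the WinServices.exe path embedded in the hijacked command is an assumed illustration, not the exact string the worm writes.

```python
"""Audit a Windows .reg export for the registry changes W32.Yaha.K/L leaves
behind (hijacked .exe association, WinServices run entries) and emit a
REGEDIT4 fragment that reverses them.  Example code, not Symantec's."""
import re

# Constructed sample export from an infected machine.  The WinServices.exe
# path inside the exefile command is an assumption for illustration only.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\WinServices.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
'''

EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # exactly this: no leading space, no prefix
WORM_VALUE_NAME = "WinServices"


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: data}} for the string values of a .reg export.
    The (Default) value is stored under the name '@'.  Non-string data
    (hex:, dword:) is ignored because the worm's changes are all REG_SZ."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def audit(keys):
    """Return a list of (key, value name, data) for every change the worm made.
    Registry key and value names are case-insensitive, so compare lowercased."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}
    cmd = lower.get(EXEFILE_KEY.lower(), {}).get("@")
    # Compare exactly: a prepended worm path OR a leading space is a defect.
    if cmd is not None and cmd != CLEAN_EXEFILE_COMMAND:
        findings.append((EXEFILE_KEY, "@", cmd))
    for run_key in RUN_KEYS:  # RunServices may be absent; .get handles that
        for name, data in lower.get(run_key.lower(), {}).items():
            if name.lower() == WORM_VALUE_NAME.lower():
                findings.append((run_key, name, data))
    return findings


def remediation_reg(findings):
    """Build a REGEDIT4 fragment: restore "%1" %* as the exefile default and
    delete the WinServices values (a data of '-' deletes a value on merge)."""
    lines = ["REGEDIT4", ""]
    for key, name, _ in findings:
        lines.append(f"[{key}]")
        if key.lower() == EXEFILE_KEY.lower() and name == "@":
            lines.append('@="\\"%1\\" %*"')   # "%1" %* with .reg escaping
        else:
            lines.append(f'"{name}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_EXPORT))
    for key, name, data in found:
        print(f"WORM CHANGE  {key}  {name} = {data!r}")
    if found:
        print(remediation_reg(found))
```

Export the three keys from the infected machine with the Registry Editor's /e switch (Reg.com /e after step 3 of the removal procedure), run the script over the export, and review the printed fragment before merging it; the fragment touches only the keys the writeup names, and the legitimate ScanRegistry entry in the sample is left alone.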