Win32/Yaha.k@mm not detected by current updated copy of nod32 (PCUser version)

Discussion in 'NOD32 version 1 Forum' started by sylvia edwards, Jan 10, 2003.

Thread Status:
Not open for further replies.
  1. Hi. Whilst looking for references to a malfunctioning program (in order to remove & reinstall), I came across a key with Win32/Yaha.k@mm. This was in h-key-current-user\software\microsoft\windows\currentversion\explorer\docfindspecmru. I keep nod32 antivirus running (PCuser copy automatically updated & fully configured to be as thorough as possible), so I can only assume this has got past it. Think it may have come in thru a Hotmail message which my son-in-law uses on occasions when he is visiting; however, I always delete all his hotmail emails & cookies as soon as I boot up. Help please, as I can't find a reference to this particular version on your virus listings. I run Windows 95.
    regards Sylvia
     
  2. Paul Wilders (Administrator; joined Jul 1, 2001; posts: 12,472; location: The Netherlands)

    Hi Sylvia,

    Does the registry key found equal the one(s) mentioned over here? Although I'm fairly sure your system is not infected, visit the "viruses and worms" forum; you'll find several links to checking/cleaning freeware software to double check.

    Before doing so, I recommend performing a free online scan - preferably the Panda scan, as can be found on our free services page.

    Please post the result(s).

    regards.

    paul
     
  3. Mele20 (Former Poster; joined Apr 29, 2002; posts: 2,495; location: Hilo, Hawaii)

    Yaha.k is detected as Yaha.N by NOD32. I know this for certain because I had a friend send it to me so we could see what NOD calls it. NAV detects it as Yaha.k. Yaha has caused mass confusion in the naming of the variants by the various av companies. You should not be infected as it IS detected by NOD.

    KAV name: I-Worm.Lentin.i
    NAV: W32.Yaha.K@mm
    McAfee: W32/Yaha.k

    __________ NOD32 1.339 (20021230) Notification __________

    Warning, NOD32 Antivirus System has found the following infiltrations in the message:
    I-Worm.Lentin.i.zip - Win32/Yaha.N worm
    I-Worm.Lentin.i.zip > ZIP > life.scr - Win32/Yaha.N worm - error while cleaning - operation unavailable for this type of object
    I-Worm.Lentin.i.zip > ZIP > love.scr - Win32/Yaha.N worm - error while cleaning - operation unavailable for this type of object


    We need a better method for naming viruses. See this thread at DSLR.
    http://www.dslreports.com/forum/remark,5573808~root=security,1~mode=flat
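
The naming mismatch in the post above, as an added example that is not part of the original thread: a small Python cross-reference that parses the four vendor names quoted there and translates one vendor's name into another's. The `ALIASES` table, the vendor keys and all function names are constructed for illustration.

```python
import re

# Constructed alias table: one row per sample, holding the four vendor names
# quoted in the post above. A real cross-reference would hold many rows.
ALIASES = [
    {"KAV": "I-Worm.Lentin.i", "NAV": "W32.Yaha.K@mm",
     "McAfee": "W32/Yaha.k", "NOD32": "Win32/Yaha.N"},
]

# prefix (platform or type), family, optional variant, optional @suffix.
# Names must carry the vendor's prefix; a bare "Yaha.k" is not handled.
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9-]+)[./]"
    r"(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"
    r"(?:@(?P<suffix>[A-Za-z]+))?$"
)


def parse_detection(name):
    """Split a detection name into lower-cased parts; None if unparseable."""
    m = NAME_RE.match(name.strip())
    if m is None:
        return None
    return {k: (v or "").lower() for k, v in m.groupdict().items()}


def label(name):
    """(family, variant) key, ignoring case, platform prefix and @suffix."""
    parts = parse_detection(name)
    return (parts["family"], parts["variant"]) if parts else None


def naive_same(name_a, name_b):
    """Compare two vendors' names by family and variant letter only."""
    a, b = label(name_a), label(name_b)
    return a is not None and a == b


def translate(from_vendor, name, to_vendor, table=ALIASES):
    """Look up what to_vendor calls the sample from_vendor reports as name."""
    wanted = label(name)
    if wanted is None:
        return None
    for row in table:
        # A vendor missing from the row yields label None, which never matches.
        if label(row.get(from_vendor, "")) == wanted:
            return row.get(to_vendor)
    return None


if __name__ == "__main__":
    print(naive_same("W32.Yaha.K@mm", "W32/Yaha.k"))    # same letter, same sample
    print(naive_same("W32.Yaha.K@mm", "Win32/Yaha.N"))  # same sample, letters differ
    print(translate("NAV", "W32.Yaha.K@mm", "NOD32"))
```

Comparing variant letters across vendors (`naive_same`) reports the NAV and NOD32 names as different samples, while the table lookup resolves them to the same one.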
     
  4. Re: Win32/Yaha.k@mm not detected by current updated copy of nod32 (PCUser version)

    Pandascan took forever to download & was taking an age to scan, so I have stopped it (using too much of my online time) & downloaded a cleaning tool from the Symantec site in case I need it. Thanks very much for your prompt reply.
    regards Sylvia
     
  5. Paul Wilders (Administrator)

    Sylvia,

    That's up to you, of course - merely a double check.

    My pleasure.

    Mele,

    You are absolutely right here ;).

    regards.

    paul
     
  6. rodzilla (Registered Member; joined Jun 15, 2002; posts: 653; location: australia)

    It sounds like you found the remnants of a partially-cleaned (or partially-installed) Yaha infection. Unlike many antivirus programs, NOD32 (by design) ignores such crud. If it's not a live virus, we don't tag it.

    You could be right about Hotmail. It's a trap for the unwary. Reading your "email" is like reading a webpage ... all kinds of gunk is downloaded to temporary folders on your hard drive ... including malicious scripts.
     
  7. Mele20 (Former Poster)

    But the real issue here is being ignored. That is the problem of naming viruses, especially since the Yaha variants. When are the virus companies, especially Eset because Eset has been notorious for not following the naming conventions, going to do something about this o_O? This user has been unnecessarily worried about this because of naming confusion. This confusion has become so critical that over at DSLR several members are trying to get together a "sticky" for the security forum because no one knows which variants are detected by their av company and which aren't and which are which, etc.

    There is NOTHING about Yaha on any Eset site. Yaha should be discussed on the sites and all variants should be listed and the equivalent of the names used by the other companies should be there too so that users can see what they are protected against and on what dates they got this protection. Plus, of course, the companies are going to have to get together and do something about this ridiculous naming situation as it is dangerous for us all for it to be left in the muddle that describes the current situation. (It is a bit ridiculous that we users have to resort to such measures as having viruses sent around so that we can try and sort out the naming!)
     
  8. rodzilla (Registered Member)

    > But the real issue here is being ignored. That is the problem of naming viruses, especially since the Yaha variants.

    This has been going on for years Mele. Traditionally, antivirus vendors avoid naming a virus whatever the coder called it ... but apart from this there is no universal naming agreement.

    Who gets naming rights ? The first vendor to bust a new sample and release an update ? In many cases, updates are released within minutes of each other. Who surrenders his name ?

    > When are the virus companies, especially Eset because Eset has been notorious for not following the naming conventions, going to do something about this o_O?

    Conversely, one could ask "Why, when Eset is first to name a virus, do other antivirus vendors not adhere to this nomenclature ?"

    Variant sub-tags are added by vendors in order of receipt. If Eset already has updates posted for Yaha variants ".a" to ".m", the next variant discovered becomes "Yaha.n". Why should we rename this variant "Yaha.k" (and change our "Yaha.k" to "Yaha.n") because another vendor is lagging behind in detection ? Because the other vendor is bigger ? Hah! In this game, "bigger" does not mean "better"!!!

    Here is a perfect example of "Big Name" antivirus vendor advertising hype .......

    NOD32 was the first antivirus program in the world to detect CIH ... heuristically, as an unknown virus. The Eset gnomes named it "CIH" after the author (Chen Ing-hau) whose name appeared in the code. The virus was universally known as "CIH" until some marketroid decided that, because some variants triggered on the anniversary of the Chernobyl nuclear plant disaster, "Chernobyl" would be a "catchier" name. Today, despite the fact that the author himself has stated that his virus had nothing whatsoever to do with Chernobyl, the media almost always refers to it as "Chernobyl".

    > There is NOTHING about Yaha on any Eset site.

    There is nothing about most viruses on any Eset site Mele. The prime directive at Eset is "Find new viruses and find them fast!", and this priority has maintained NOD32 as the #1 virus detector in the world for the past five years. It would be nice to have a classy and comprehensive virus encyclopedia online, but accurately translating many thousands of virus descriptions from Slovak into English, French, Italian, Spanish, German, Japanese, etc, is an enormous, expensive, and time-consuming task. We hope to have our virus encyclopedia completed and ready to Rock'n'Roll by March this year ... but no guarantees.
     
  9. Paul Wilders (Administrator)

    Mele,

    The one and only issue on this thread is the one Sylvia has posted.

    Naming viruses differently is by far a prerogative from Eset; all major antivirus companies use different names - please don't blame Eset for this ;)

    Eset has posted over here they will address info on viruses a while ago. As for the moment, NOD32 version 2 coming up, priorities are focussed on the new version - and rightly so in my opinion ;).

    regards.

    paul
     
  10. Mele20 (Former Poster)

    I'm really disappointed in both of you. I could rebut your arguments, Rod, as you have made erroneous statements as well as thrown out some red herrings. Paul, you just automatically jump on anyone who tries to discuss any possible shortcomings that NOD might have.

    I can see, from both your attitudes, that rebutting your arguments, in the hopes of generating a much needed serious discussion of this matter, would be a waste of my time as you don't want the light shown on this problem. It appears to me that Eset does not have the best interests of its users or of the internet as a whole as its goal. This is not to imply that other av vendors are any better. The vendors are going to have to get together and work this naming problem out...if they truly care about their users and the overall good of the internet.

    For those interested in learning more about this serious problem:

    http://www.messagelabs.com/viruseye/report.asp?id=123

    http://www.zdnet.com/anchordesk/stories/story/0,10738,2907878,00.html

    http://www.dslreports.com/forum/remark,5573808~root=security,1~mode=flat


     
  11. Pieter_Arntz (Spyware Veteran; joined Apr 27, 2002; posts: 13,332; location: Netherlands)

    Mele20,

    Apart from being off-topic, I don't think this is the way you want to treat people answering your questions.

    Also, I'm not sure what you are trying to achieve. Should every AV company, detecting a new virus, arrange for a conference to be held, so they can agree on a name before adding it to their definitions? o_O
    I think that would be a waste of time.

    Regards,

    Pieter
     
  12. Mele20 (Former Poster)

    > Also, I'm not sure what you are trying to achieve. Should every AV company, detecting a new virus, arrange for a conference to be held, so they can agree on a name before adding it to their definitions?

    Obviously, you didn't read the links I gave or you wouldn't be asking that question. As for not wanting to treat people who answer my questions in such a manner....I really don't understand what you are getting at. I'm not in a charitable mood toward NOD at the moment. Last night, NOD scanner deleted the entire contents of my Sent items folder in OE as well as the entire contents of my deleted items folder. The sent items folder had over 2000 messages saved for over two years. The only content on my computer that I truly care about is what is in my email folders.

    Thanks to this lousy beta version, which is not ready to be a PUBLIC beta as it is more like an early beta build, I have lost most of those emails. I do have a backup, but it is not completely current. Of course, I should have backed it up again since I was beta testing. However, the program I am using is brand new and has no help file so it's a bit confusing and that is why I haven't tried backing up since the first time I did it about a month ago.

    I have done a fair amount of beta testing and a public beta is usually not very buggy. That is not true though of this NOD32 beta which is horribly buggy. Had I known that in the beginning I wouldn't have touched it. I never asked NOD to do anything other than delete an infected email. I'm angry and fed up. I think, under the circumstances, that I am being quite civil.
     
  13. Pieter_Arntz (Spyware Veteran)

    I have read through the links you provided.

    Quote from Messagelabs

    "In an ideal world, everyone would get together and sort out the confusion. However, for various reasons this does not always happen, and has not currently happened this time."

    Quote from ZDNet

    "With all these variations, it's important that antivirus vendors agree to use the same name, so we all know which threat we're talking about. Otherwise, how will we know if we are protected?"

    Quote from your post at DSLR

    "I think we should all ask our respective AV providers to agree to use the same name in identifying viruses and their variants."

    OK. Maybe a conference was exaggerating, but you'll have to agree that this would cost precious time.

    I'm sorry to hear (and understand that you are upset) about your mail folders, but again fail to see what it has to do with the topic of this thread or the naming of viruses.

    Regards,

    Pieter
     
  14. Technodrome (Security Expert; joined Feb 13, 2002; posts: 2,140; location: New York)

    Use the current version of NOD32!!!!

    So did I (maybe more than you). But I found that any software at beta stage is very buggy!

    Beta on my PC works perfectly! One more reason for you to use the current version!

    This is my suggestion in regards to virus description (encyclopedia) etc:
    If you want to have a nice and rich virus description then go with Norton or McAfee!
    If you want to have an excellent virus protection then go with NOD32! You can't have it both! Anyways, as ESET people said this should be fixed to some degree!


    Technodrome
     
  15. TonyKlein (Security Expert; joined Feb 9, 2002; posts: 4,350; location: The Netherlands)

    So you mean you haven't backed up your e-mails for two years, and now you're blaming a beta version of Nod32 for destroying them (and I'm not even going to get into whether these claims are warranted)?

    If you're going to do any kind of beta-testing, be prepared for strange things to happen, and make sure you have everything backed up, especially as "the only content on your computer that you truly care about is what is in your email folders."

    Although I do very little beta testing myself, I sure have everything imaginable backed up, up to my Favorites, Cookies, e-mail settings, messages, Message rules, you name it.
     
  16. JacK (Registered Member; joined Jun 20, 2002; posts: 737; location: Belgium - Liège)

    Hi Mele20,

    I understand your point but that's a dream.

    Already a great improvement from ESET in the past year: at least the name is generic if not the variant; it was not so before.

    The same applies with trojans: see the name in TrojanHunter compared with other well known AT for instance.

    AV/AT developers are competitors eager to add definitions in their DB as soon as possible to stay on top and have no time to chat with each other about the names.

    What I see is that ESET is always among the fastest when a new threat occurs and that's what is the most important AFM.

    My wish would be that a DB of different aliases were maintained, at least for ICSA products, but I reckon it's not for tomorrow: it's an enormous work and not the work of AV/AT developers.

    Maybe an opportunity for you ? (J/K)
     
  17. rodzilla (Registered Member)

    > I could rebut your arguments, Rod, as you have made erroneous statements as well as thrown out some red herrings.

    What erroneous statements ?

    What red herrings ?
     
  18. rodzilla (Registered Member)

    > Last night, NOD scanner deleted the entire contents of my Sent items folder in OE as well as the entire contents of my deleted items folder.

    Thousands of people are currently testing the v2 beta.

    No-one else has reported anything similar.

    You may be the only person in the world to have found this serious bug!

    On the other hand, your email deletion problem may not be down to NOD32 at all.
     
  19. Mele20 (Former Poster)

    I am absolutely positive that NOD did this. Now, I am not positive that I didn't inadvertently hit some wrong button as I find NOD to be difficult to use. It is not anything like the interface for NAV or McAfee and I found those very easy to use. I don't appreciate your sarcasm. If I hit a wrong button your sarcasm doesn't help me figure out what I did wrong so that I don't do it again! If you are interested in the details of how this occurred you can find it at this thread:
    http://www.wilderssecurity.com/showthread.php?t=6186

    After reading my posts there perhaps you can tell me what I did wrong instead of blowing hot air which may make you feel better because you are angry at me, but doesn't help me figure what happened and why.
     
  20. rodzilla (Registered Member)

    I see no sarcasm in my response, Mele ... nor anything to indicate that I was angry at you.

    Feel free to criticize NOD32 if you have facts to back up your criticisms ... but I neither need nor deserve your personal insults.
     
  21. Re: Win32/Yaha.k@mm not detected by current updated copy of nod32 (PCUser version)

    :D

    Gee, it shouldn't get ugly like this...

    Well, anyway. The "Name Game" can get confusing.. When I had a friend of mine infected with Yaha (who knows what the variant was) he bought NOD32 at my urging and I removed it..

    I wanted to find out more about the virus. This is where the fun begins.. Who do I look for? I went to Symantec, and it was pretty informative, but also, I start realizing, I deleted the virus because I turned off system restore and worked NOD32, not because I read Symantec's site.. NOD32 is hailed as a great DETECTOR, and as a detector, installed on a virus free environment, it's beautiful! It did its job on my friend's machine, but I think NOD did not clean up some registry entries (I said I think..)... because I also installed Regcleaner and it found some weird entries (I can't remember what they were, this was 3 months ago)

    There is a point Mele20 made which I think should be amplified, not to hurt anyone's feelings but to express an idea. In April of 2002 when I was looking to buy an AV, I almost passed on NOD32 because their website was the "poorest" in terms of information on viruses.. Their encyclopedia is practically nonexistent. That gave me the feeling that either they just opened their company, or they were in trouble.. Then I emailed Larry McJannett, the American rep, who basically didn't have much to say. I understand Rodzilla's point about priorities, especially in writing out the definitions taking a long time, and the folks at ESET spending their time fighting viruses, not writing about them.. I already figured that out, that's why I am a client, and refer others to NOD32. However, you folks may lose business you never knew you had.. Even a link to a generic anti virus encyclopedia (I don't know of any) may help, or March of 2003 may be the of the Really NEW NOD32! (New Version, New website design)
    BTW, I use Rod's site almost exclusively. It's got more, and there's some "FUN" reading in it, too!
     
  22. Mele20 (Former Poster)
  23. Paul Wilders (Administrator)

    Mele,

    Obviously you feel the need to rant; so be it. As has been posted over here many times before: using a Beta version is bound to come across possible problems, and - as posted over here as well - should wisely be done on a test system. It has been your choice and yours alone to test drive the Beta on your main system. You can hardly blame Eset for that.

    As for (possible!) bugs regarding the Beta: Eset has posted a dedicated thread they will use tested and confirmed bugs to iron out before going Gold.

    regards.

    paul
     
  24. mrtwolman (Eset Staff Account; joined Dec 5, 2002; posts: 613)

    It does exist: http://www.virusbtn.com/resources/vgrep/index.xml - Project Vgrep
     
  25. sig (Registered Member; joined Feb 9, 2002; posts: 716)

    Wow, mrtwolman, thanks for the link! I hadn't noticed that before on the VB site.
     