Another reason to ensure that the Recycle Bin is not listed in the antivirus program's exclusion list.

W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger list, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters "ht". The worm randomly chooses the subject and body of the email message. The attachment will have a .bat, .pif or .scr file extension. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

Reference URLs:
http://www.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
http://vil.nai.com/vil/content/v_99528.htm
http://www.trendmicro.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_YAHA.E
http://www.Europe.f-secure.com/v-descs/yaha_e.shtml

Technical Details (borrowed from Symantec)

If W32.Yaha.F@mm runs, it does the following:

It attempts to send itself to all email addresses that exist in the Windows Address Book file, the MSN Messenger list, the Yahoo Pager list, the ICQ list, and files with extensions that contain the letters "ht". The email addresses are then stored in the file \%Windows%\<four random letters>b.dll. For example, if the four random letters are efgh, then the file name will be \%Windows%\Efghb.dll.

NOTE: %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.

The worm masks its activity by displaying several strings of text and then causing the Windows desktop to appear to shake. This is done to make it look like a screen saver. The displayed text strings are:

U r so cute today #!#!
True Love never ends
I like U very much!!!
U r My Best Friend

Email routine details

When the worm runs its email routine, it chooses the URL that it is supposed to have originated from by merging a string from the following set of strings:

screensaver, screensaver4u, screensaver4u, screensaverforu, freescreensaver, love, lovers, lovescr, loverscreensaver, loversgang, loveshore, love4u, lovers, enjoylove, sharelove, shareit, checkfriends, urfriend, friendscircle, friendship, friends, friendscr, friends, friends4u, friendship4u, friendshipbird, friendshipforu, friendsworld, werfriends, passion, bullsh*tscr, shakeit, shakescr, shakinglove, shakingfriendship, passionup, rishtha, greetings, lovegreetings, friendsgreetings, friendsearch, lovefinder, truefriends, truelovers, or f*cker

with one of: .com, .org, or .net. For example, it might name the URL Screensaver.com.

Subject

W32.Yaha.F@mm randomly chooses the subject from the following strings:

"Fw: ", " ", ":-)", "!", "!!", "to ur friends", "to ur lovers", "for you", "to see", "to check", "to watch", "to enjoy", "to share", "Screensaver", "Friendship", "Love", "relations", "stuff", "Romantic", "humour", "New", "Wonderfool", "excite", "Cool", "charming", "Idiot", "Nice", "Bullsh*t", "One", "Funny", "Great", "LoveGangs", "Shaking", "powful", "Joke", "Interesting", "U realy Want this", "searching for true Love", "you care ur friend", "Who is ur Best Friend ", "make ur friend happy", "True Love", "Dont wait for long time", "Free Screen saver", "Friendship Screen saver", "Looking for Friendship", "Need a friend?", "Find a good friend", "Best Friends", "I am For u", "Life for enjoyment", "Nothink to worryy", "Ur My Best Friend ", "Say 'I Like You' To ur friend", "Easy Way to revel ur love", "Wowwwwwwwwwww check it", "Send This to everybody u like", "Enjoy Romantic life", "Let's Dance and forget pains", "war Againest Loneliness", "How sweet this Screen saver", "Let's Laugh ", "One Way to Love", "Learn How To Love", "Are you looking for Love", "love speaks from the heart", "Enjoy friendship", "Shake it baby", "Shake ur friends", "One Hackers Love", "Origin of Friendship", "The world of lovers", "The world of Friendship", "Check ur friends Circle", "Friendship", "how are you", "U r the person?", "Hi", or "=AF"

Message

The message body starts with:

<HTML><HEAD></HEAD><BODY>

followed by either

<iframe src=cid:[SomeCID] height=0 width=0></iframe>

or nothing. This is followed by:

<FONT></FONT>

followed by:

.
.

followed by one of:

Check the attachment
See the attachement
Enjoy the attachement
More details attached

followed by one of the following:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

or

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

[Infected User's e-mail Address]

For further assistance, please contact <postmaster@[URL constructed above]>

If you do so, please include this problem report. You can delete your own text from the message returned below.

Copy of your message, including all the headers is attached

NOTE: In this case, the e-mail attachment will be an .eml file that contains the worm as an attachment.

or

Hi
Check the Attachement ..
See u

or

Hi
Check the Attachement ..

or

Attached one Gift for u..

or

wOW CHECK THIS

followed by:

<Infected Computer's Username>
----- Original Message -----
From: "[Random string from above]" <[Random string from above]@[URL constructed above]>
To: <[Infected User's e-mail Address]>
Sent: [Infection date and time]
Subject: [Subject constructed above]

This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.

***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from www.[URL constructed above] to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
http://[URL constructed above]/remove?freescreensaver
* Enter your email address ([infected user's e-mail address]) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "REMOVE" in the subject line.

This message was sent to address [infected user's e-mail address]
X-PMG-Recipient: [Infected Username]

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

The message closes with:

</BODY></HTML>

Attachment

The attachment name is constructed from one of the following file names:

loveletter, resume, biodata, dailyreport, mountan, goldfish, weeklyreport, report, love

followed by one of:

.doc, .mp3, .xls, .wav, .txt, .jpg, .gif, .dat, .bmp, .htm, .mpg, .mdb, .zip

with one of the following extensions:

.pif, .bat, .scr

The worm uses its own SMTP engine. It attempts to use the infected computer's default SMTP server to send mail. If it cannot find that information, then it uses one of many SMTP server addresses that are hardcoded into the worm.

NOTE: None of the above mass-mailing characteristics could be reproduced in the lab environment.

Additional functions

In addition to the mass-mailing routine, the worm does the following:

It will attempt to terminate antivirus and firewall processes.

It randomly uses the "Incorrect MIME Header" exploit, which allows automatic execution of the worm on unpatched systems.

Depending upon the name of the Recycled folder, the worm copies itself to either that folder or to the \%Windows% folder. The file name consists of six random numbers.
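A mail-filter check for the attachment naming described in the Attachment section, added here as an example and not taken from Symantec's writeup or from the worm; the base names and extensions are the ones listed above, the sample message is constructed, and the is_disguised_executable rule generalizes past the listed base names to any document-looking name that ends in .pif, .bat or .scr:

```python
"""Mail-filter check for W32.Yaha.F@mm attachment names (added example, not
from the Symantec writeup). The worm builds <base><fake ext><.pif|.bat|.scr>,
e.g. loveletter.doc.scr; the filter matches that exactly and, more broadly,
any document-looking name ending in one of those three extensions."""
import email
import re

BASENAMES = ["loveletter", "resume", "biodata", "dailyreport", "mountan",
             "goldfish", "weeklyreport", "report", "love"]
FAKE_EXTS = [".doc", ".mp3", ".xls", ".wav", ".txt", ".jpg", ".gif", ".dat",
             ".bmp", ".htm", ".mpg", ".mdb", ".zip"]
REAL_EXTS = [".pif", ".bat", ".scr"]


def _alt(items):  # regex alternation of literal strings
    return "|".join(map(re.escape, items))

_YAHA_NAME = re.compile("^(?:%s)(?:%s)(?:%s)$" % (
    _alt(BASENAMES), _alt(FAKE_EXTS), _alt(REAL_EXTS)), re.IGNORECASE)

def is_yaha_attachment(filename: str) -> bool:
    """True when the name is one of the worm's documented combinations."""
    return _YAHA_NAME.match(filename.strip()) is not None

def is_disguised_executable(filename: str) -> bool:
    """Broader rule: .pif/.bat/.scr hidden behind a document extension,
    whatever the base name (catches renamed variants)."""
    parts = filename.lower().rsplit(".", 2)
    return (len(parts) == 3 and "." + parts[2] in REAL_EXTS
            and "." + parts[1] in FAKE_EXTS)

def flagged_attachments(raw_message: bytes) -> list:
    """Suspicious attachment names in a raw RFC 822 message. walk() also
    descends into message/rfc822 parts, so the bounce-style variant that
    nests the worm inside an .eml attachment is caught too."""
    msg = email.message_from_bytes(raw_message)
    return [n for p in msg.walk()
            if (n := p.get_filename())
            and (is_yaha_attachment(n) or is_disguised_executable(n))]

# Constructed sample in the worm's style (not a real capture).
SAMPLE = b"""Subject: Free Screen saver
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: application/octet-stream; name="loveletter.doc.scr"
Content-Disposition: attachment; filename="loveletter.doc.scr"

TVo=
--bnd--
"""
```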
The worm configures itself to execute each time that an .exe file is executed by changing the default value of the registry key

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

to

[WormName]" %1 %*

It also creates a randomly named text file in the Windows folder; for example, [Random File Name].txt. The file contains the following text:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK shites
bY sNAkeeYes,c0Bra
<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

To remove this worm:

1. If the worm has already run, you must first reverse the change that the worm made to the registry. If the worm has not run, go to step 2.
   a. Configure Windows to show all files.
   b. Copy Regedit.exe to Regedit.com (in most cases).
   c. Edit the registry and reverse the change that the worm made.
2. Update the virus definitions, run a full system scan, and delete all files that NAV detects as W32.Yaha.F@mm.

For detailed instructions on how to do this, see the sections that follow.

To configure Windows to show all files:

1. Start Windows Explorer.
2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000/XP), and then click Options or Folder Options.
3. Click the View tab.
4. Uncheck "Hide file extensions for known file types."
5. Do one of the following:
   Windows 95/NT: Click "Show all files."
   Windows 98: In the Advanced settings box, under the "Hidden files" folder, click "Show all files."
   Windows Me/2000/XP: Uncheck "Hide protected operating system files" and, under the "Hidden files" folder, click "Show hidden files and folders."
6. Click Apply, and then click OK.

To copy Regedit.exe to Regedit.com:

Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension, and then run that file.

1. Do one of the following, depending on which version of Windows you are running:
   Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt.
   Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
   Windows NT/2000/XP:
      a. Click Start, and click Run.
      b. Type the following and then press Enter:
         command
         A DOS window opens.
      c. Type the following and then press Enter:
         cd \winnt
      d. Proceed to the next step.
2. Type the following and then press Enter:
   copy regedit.exe regedit.com
3. Type the following and then press Enter:
   start regedit.com
   The Registry Editor will open in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window as well.
4. Proceed to the next section, "To edit the registry and reverse the change that the worm made," only after you have completed the previous steps.

To edit the registry and reverse the change that the worm made:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document "How to make a backup of the Windows registry" for instructions.

1. Navigate to and select the following key:
   HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

   CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.
2. In the right pane, double-click the (Default) value.
3. Delete the current value data, and then type:
   "%1" %*
   (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

   NOTE: Registry Editor will automatically enclose the value in quotation marks. When you click OK, the (Default) value should look exactly like this:
   ""%1" %*"
   Make sure that you completely delete all value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run program files will result in the error message "Windows cannot find .exe." If this happens to you, start over at the beginning of this document, and make sure that you completely remove the current value data.
4. Restart the computer.
5. If you have not already done so, run LiveUpdate, and then run a full system scan.

~*~*~*~*~
To unsubscribe from our list send an email to hackfix-virusnews-request@xxxxxxxxxxxxx?Subject=unsubscribe. For a complete list of email commands for our list send an email to ecartis@xxxxxxxxxxxxx with a subject line of "info hackfix-virusnews" without the quotes.
~*~*~*~*~
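A check for the exefile\shell\open\command hijack that the removal steps above reverse, added here as an example rather than a Symantec tool; it classifies an exported or live value as clean, hijacked (returning the inserted program), or carrying the stray leading space the NOTE warns about, and read_exefile_command is an assumed helper using Python's winreg that only works on Windows:

```python
"""Classify the HKLM\\Software\\Classes\\exefile\\shell\\open\\command default
value that W32.Yaha.F@mm hijacks (added example, not a Symantec tool).
Clean is exactly "%1" %*; the worm inserts its own file name in front of
that tail, and a stray leading space after manual cleanup breaks every
.exe with "Windows cannot find .exe", so that case is reported too."""
import re

CLEAN_VALUE = '"%1" %*'
EXEFILE_KEY = r"Software\Classes\exefile\shell\open\command"

# The "%1" %* tail; quotes optional, as the worm's form leaves one out.
_TAIL = re.compile(r'\s*"?%1"?\s*%\*\s*$')


def classify_exefile_command(value: str):
    """Return (status, launcher): 'clean', 'stray-whitespace',
    'hijacked' (launcher is the inserted program) or 'unexpected'."""
    if value == CLEAN_VALUE:
        return "clean", ""
    if value.strip() == CLEAN_VALUE:
        # Leading space: Explorer reports "Windows cannot find .exe".
        return "stray-whitespace", ""
    m = _TAIL.search(value)
    if m and m.start() > 0:
        return "hijacked", value[:m.start()].strip().strip('"')
    return "unexpected", ""


def read_exefile_command() -> str:
    """Read the live default value on Windows (assumed helper; winreg is
    part of the standard library there and absent elsewhere)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, EXEFILE_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    # Constructed values in the forms the writeup describes.
    for sample in ['"%1" %*', ' "%1" %*', r'C:\WINDOWS\123456.exe" %1 %*',
                   r'"C:\RECYCLED\123456.exe" "%1" %*']:
        print(repr(sample), "->", classify_exefile_command(sample))
    try:
        print("live:", classify_exefile_command(read_exefile_command()))
    except ImportError:
        print("winreg unavailable: not running on Windows")
```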