hackfix-virusnews: Virus warning ~ Yaha.mm/worm

  • From: "Christy" <snowz@xxxxxxxxxx>
  • To: hackfix-virusnews@xxxxxxxxxxxxx
  • Date: Tue, 25 Jun 2002 05:39:37 -0400

Another reason to ensure that the Recycle Bin is not
listed in the antivirus program's exclusion list.

W32.Yaha.F@mm is a mass-mailing worm that sends
itself to all email addresses that exist in the
Microsoft Windows Address Book, the MSN Messenger
List, the Yahoo Pager list, the ICQ list, and files
that have extensions that contain the letters ht. The
worm randomly chooses the subject and body of the
email message. The attachment will have a .bat, .pif
or .scr file extension.  Depending upon the name of
the Recycled folder, the worm either copies itself to
that folder or to the %Windows% folder. 


Reference Urls:

http://www.symantec.com/avcenter/venc/data/w32.yaha.f@mm.html
http://vil.nai.com/vil/content/v_99528.htm
http://www.trendmicro.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=WORM_YAHA.E
http://www.Europe.f-secure.com/v-descs/yaha_e.shtml

Technical Details (borrowed from Symantec)

If W32.Yaha.F@mm runs, it does the following:

It attempts to send itself to all email addresses
that exist in the Windows Address Book file, the MSN
Messenger List, the Yahoo Pager list, the ICQ list,
and files with extensions that contain the letters
"ht". The email addresses are then stored in the file
\%Windows%\<four random letters>b.dll


For example, if the four random letters are efgh,
then the file name will be \%Windows%\Efghb.dll.

NOTE: %Windows% is a variable. The worm locates the
\Windows folder (by default this is C:\Windows or
C:\Winnt) and copies itself to that location.

The worm masks its activity by displaying several
strings of text, and then causing the Windows desktop
to appear to shake. This is done to make it look like
a screen saver. The displayed text strings are:

U r so cute today #!#!
True Love never ends
I like U very much!!!
U r My Best Friend


Email routine details

When the worm runs its email routine, it chooses the
URL that it is supposed to have originated from by
merging a string from the following set of strings:

screensaver, screensaver4u, screensaver4u,
screensaverforu, freescreensaver, love, lovers,
lovescr, loverscreensaver, loversgang, loveshore,
love4u, lovers, enjoylove, sharelove, shareit,
checkfriends, urfriend, friendscircle, friendship,
friends, friendscr, friends, friends4u, friendship4u,
friendshipbird, friendshipforu, friendsworld,
werfriends, passion, bullsh*tscr, shakeit, shakescr,
shakinglove, shakingfriendship, passionup, rishtha,
greetings, lovegreetings, friendsgreetings,
friendsearch, lovefinder, truefriends, truelovers, or
f*cker

with .com, .org, or .net. For example, it might name
the URL Screensaver.com.

Subject
 W32.Yaha.F@mm randomly chooses the subject from the
following strings:  "Fw: ", " ", ":-)", "!", "!!",
"to ur friends", "to ur lovers", "for you", "to see",
"to check", "to watch", "to enjoy", "to share",
"Screensaver", "Friendship", "Love", "relations",
"stuff", "Romantic", "humour", "New", "Wonderfool",
"excite", "Cool", "charming", "Idiot", "Nice",
"Bullsh*t", "One", "Funny", "Great", "LoveGangs",
"Shaking", "powful", "Joke", "Interesting", "U realy
Want this", "searching for true Love", "you care ur
friend", "Who is ur Best Friend ", "make ur friend
happy", "True Love", "Dont wait for long time", "Free
Screen saver", "Friendship Screen saver", "Looking
for Friendship", "Need a friend?", "Find a good
friend", "Best Friends", "I am For u", "Life for
enjoyment", "Nothink to worryy", "Ur My Best Friend
", "Say 'I Like You' To ur friend", "Easy Way to
revel ur love", "Wowwwwwwwwwww check it", "Send This
to everybody u like", "Enjoy Romantic life", "Let's
Dance and forget pains", "war Againest Loneliness",
"How sweet this Screen saver", "Let's Laugh ", "One
Way to Love", "Learn How To Love", "Are you looking
for Love", "love speaks from the heart", "Enjoy
friendship", "Shake it baby","Shake ur friends", "One
Hackers Love", "Origin of Friendship", "The world of
lovers", "The world of Friendship", "Check ur friends
Circle", "Friendship", "how are you", "U r the
person?", "Hi", or "=AF"

Message
The message will be:

<HTML><HEAD></HEAD><BODY>

followed by:

<iframe src=cid:[SomeCID] height=0 width=0></iframe>

or

[nothing]

This is followed by:

<FONT></FONT>

followed by:

 .
 .

followed by:

Check the attachment
or See the attachement
or Enjoy the attachement 
or More details attached

followed by:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
<<<>>> <<<>>> <<<>>> 

or

This message was created automatically by mail
delivery software (Exim).

A message that you sent could not be delivered to one
or more of its recipients. This is a permanent error.
The following address(es) failed:[Infected User's
e-mail Address]

For further assistance, please contact <
postmaster@[URL constructed above] >  If you do so,
please include this problem report. You can delete
your own text from the message returned below.

Copy of your message, including all the headers is
attached

NOTE: In this case, the e-mail attachment will be an
eml file that will contain the worm as an attachment.

or

Hi 
Check the Attachement ..
See u

or

Hi 
Check the Attachement ..

or

Attached one Gift for u..

or

wOW CHECK THIS

followed by:
<Infected Computer's Username>

 ----- Original Message -----
From: "[Random string from above]" <[Random string
from above]@[URL constructed above]>
To: < [Infected User's e-mail Address] >
Sent: [Infection date and time]
Subject: [Subject constructed above]

This e-mail is never sent unsolicited. If you need to
unsubscribe,  follow the instructions at the bottom
of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur
friends circle...  Send this screensaver from
www.[URL constructed above] to everyone you consider
a FRIEND, even if it means sending it back to the
person
who sent it to you. If it comes back to you, then
you'll know you have a circle of friends.
* To remove yourself from this mailing list, point
your browser to:  http://[URL constructed
above]/remove?freescreensaver 

* Enter your email address ([infected user's e-mail
address]) in the field provided and click
"Unsubscribe". 

OR...

* Reply to this message with the word "REMOVE" in the
subject line.  This message was sent to address
[infected user's e-mail address]  X-PMG-Recipient:
[Infected Username]
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
<<<>>> <<<>>> <<<>>> 

The message closes with:

</BODY></HTML>

Attachment
The attachment name is constructed from the following
file names:

loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love


followed by:

.doc
.mp3
.xls
.wav
.txt
.jpg
.gif
.dat
.bmp
.htm
.mpg
.mdb
.zip


with one of the following extensions:

.pif
.bat
.scr


The worm uses its own SMTP Engine. It attempts to use
the infected computer's default SMTP server to send
mail. If it cannot find that information, then it
uses one of many SMTP server addresses that are
hardcoded into the worm.

NOTE: None of the above mass-mailing characteristics
could be reproduced in the lab environment.

Additional functions
In addition to the mass-mailing routine, the worm
does the following:

It will attempt to terminate Anti-Virus and Firewall
processes.

It randomly uses the "Incorrect MIME header" exploit,
which allows automatic execution of the worm on
unpatched systems.

Depending upon the name of the Recycled folder, the
worm copies itself to either that folder or to the
\%Windows% folder. The file name consists of six
random numbers.

The worm configures itself to execute each time that
an .exe file is executed by changing the default
value of the registry key

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
\command

to

"[WormName]" %1 %*

It also creates a randomly named text file in the
Windows folder; for example, [Random File Name].txt.
The file contains the following text:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
<<<>>> <<<>>> <<<>>> 


iNDian sNakes pResents yAha.E

iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE
GFORCE-pAK shites

bY

sNAkeeYes,c0Bra
<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
<<<>>> <<<>>> <<<>>> 

To remove this worm:

1. If the worm has already run, you must first
reverse the change that the worm made to the
registry. If the worm has not run, go to step 2.
a. Configure Windows to show all files.
b. Copy Regedit.exe to Regedit.com (in most cases).
c. Edit the registry and reverse the change that the
worm made.
2. Update the virus definitions, run a full system
scan, and delete all files that NAV detects as
W32.Yaha.F@mm.

For detailed instructions on how to do this, see the
sections that follow.

To configure Windows to show all files:

1. Start Windows Explorer.
2. Click the View menu (Windows 95/98/NT) or the
Tools menu (Windows Me/2000/XP), and then click
Options or Folder options.
3. Click the View tab.
4. Uncheck "Hide file extensions for known file
types."
5. Do one of the following:
Windows 95/NT: Click "Show all files."
Windows 98: In the Advanced settings box, under the
"Hidden files" folder, click Show all files.
Windows Me/2000/XP: Uncheck "Hide protected operating
system files" and under the "Hidden files" folder,
click "Show hidden files and folders."
6. Click Apply, and then click OK.


To copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you
cannot run .exe files, you must first make a copy of
the Registry Editor as a file with the .com
extension, and then run that file.

1. Do one of the following, depending on which
version of Windows you are running:
Windows 95/98: Click Start, point to Programs, and
click MS-DOS Prompt.
Windows Me: Click Start, point to Programs, point to
Accessories, and then click MS-DOS Prompt.
Windows NT/2000/XP:
a. Click Start, and click Run.
b. Type the following and then press Enter:
command
A DOS window opens.

c. Type the following and then press Enter:
cd \winnt

d. Proceed to the next step.
2. Type the following and then press Enter:

copy regedit.exe regedit.com

3. Type the following and then press Enter:

start regedit.com

The Registry Editor will open in front of the DOS
window. After you finish editing the registry, exit
the Registry Editor, and then exit the DOS window, as
well.

4. Proceed to the next section, "To edit the registry
and remove keys and changes made by the worm," only
after you have accomplished the previous steps.

To edit the registry and reverse the change that the
worm made:

CAUTION: Symantec strongly recommends that you back
up the registry before you make any changes to it.
Incorrect changes to the registry can result in
permanent data loss or corrupted files.  Modify only
the keys that are specified. Read the document How to
make a backup of the Windows registry for
instructions. 

1. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open
\command

CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key
contains many subkey entries that refer to other file
extensions. One of these file extensions is .exe.
Changing this extension can prevent any files ending
with an .exe extension from running. Make sure that
you browse all the way along this path until you
reach the \command subkey.


2. In the right pane, double-click the (Default)
value.
3. Delete the current value data, and then type: "%1"
%* (That is, type the following characters:
quote-percent-one-quote-space-percent-asterisk.)

NOTE: Registry Editor will automatically enclose the
value in quotation marks. When you click OK, the
(Default) value should look exactly like this:  ""%1"
%*" 

Make sure that you completely delete all value data
in the command key before you type the correct data.
If you leave a space at the beginning of the entry,
any attempt to run program files will result in the
error message, "Windows cannot find .exe." If this
happens to you, start over at the beginning of this
document, and make sure that you completely remove
the current value data.

4. Restart the computer.
5. If you have not already done so, run LiveUpdate,
and then run a full system scan.


~*~*~*~*~
To unsubscribe from our list send an email 
to hackfix-virusnews-request@xxxxxxxxxxxxx?Subject=unsubscribe.

For a complete list of email commands for our list send 
an email to ecartis@xxxxxxxxxxxxx with a subject line of 
"info hackfix-virusnews" without the quotes.
~*~*~*~*~
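Added example, not part of the original post or of Symantec's write-up: a Python triage function for the mail characteristics described above. It checks a message for the forged sender domain (a word from the list joined with .com/.org/.net), the decoy-plus-executable attachment name (for example goldfish.jpg.scr), the zero-size iframe that points at a cid: part (the "Incorrect MIME header" bug, Microsoft bulletin MS01-020), the <<<>>> body marker, and the fake Exim bounce whose nested .eml carries the worm. The two sample messages are constructed for this example; their base64 attachment bodies are placeholder bytes, not the worm, and the audio/x-wav label on the first sample's attachment is an assumption about how the MIME-header trick is usually expressed.

```python
"""Triage a message for the W32.Yaha.F@mm indicators in the advisory: forged sender
domain, decoy double extension, hidden cid: iframe, <<<>>> body marker and the fake
Exim bounce with the worm in a nested .eml.  Added example; samples are constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Words the worm joins with .com/.org/.net to forge its sender domain (two censored
# entries in the advisory's list are left out).
SPOOF_WORDS = set("""screensaver screensaver4u screensaverforu freescreensaver love
lovers lovescr loverscreensaver loversgang loveshore love4u enjoylove sharelove
shareit checkfriends urfriend friendscircle friendship friends friendscr friends4u
friendship4u friendshipbird friendshipforu friendsworld werfriends passion shakeit
shakescr shakinglove shakingfriendship passionup rishtha greetings lovegreetings
friendsgreetings friendsearch lovefinder truefriends truelovers""".split())
BASENAMES = "loveletter|resume|biodata|dailyreport|mountan|goldfish|weeklyreport|report|love"
DECOY_EXT = "doc|mp3|xls|wav|txt|jpg|gif|dat|bmp|htm|mpg|mdb|zip"
EXEC_EXT = "pif|bat|scr"
YAHA_NAME = re.compile(rf"^(?:{BASENAMES})\.(?:{DECOY_EXT})\.(?:{EXEC_EXT})$", re.I)
DOUBLE_EXT = re.compile(rf"\.[a-z0-9]{{1,4}}\.(?:{EXEC_EXT})$", re.I)  # any decoy + exec ext
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:", re.I)  # MS01-020 auto-run
EXIM_TEXT = "created automatically by mail delivery software (Exim)"


def triage(raw: str) -> list[str]:
    """Sorted indicator tags for an RFC 822 message; walk() also visits nested message/rfc822 parts."""
    msg = message_from_string(raw, policy=default)
    hits = set()
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    label, _, tld = domain.rpartition(".")
    if label in SPOOF_WORDS and tld in {"com", "org", "net"}:
        hits.add("spoofed-sender-domain")
    exim_text = executable = False
    for part in msg.walk():
        name = part.get_filename() or ""
        if YAHA_NAME.match(name):
            hits.add("yaha-attachment-name")
            executable = True
        elif DOUBLE_EXT.search(name):
            hits.add("double-extension-attachment")
            executable = True
        if part.get_content_type() == "text/html":
            body = part.get_content()
            if HIDDEN_IFRAME.search(body):
                hits.add("hidden-cid-iframe")
            if "<<<>>> <<<>>>" in body:
                hits.add("body-marker")
            exim_text = exim_text or EXIM_TEXT in body
    if exim_text and executable:  # bounce wording plus an executable attachment
        hits.add("fake-exim-bounce")
    return sorted(hits)


STUB = "TVqQAAMAAAAE"  # constructed placeholder bytes, not a real program
# Hidden-iframe variant.  Labelling the executable as audio is an assumption about
# how the "Incorrect MIME header" trick is usually expressed.
SAMPLE_IFRAME = f"""From: "friends" <friends@friendsworld.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<HTML><HEAD></HEAD><BODY><iframe src=cid:p1 height=0 width=0></iframe><FONT></FONT>
Check the attachment<<<>>> <<<>>> <<<>>> <<<>>></BODY></HTML>
--b1
Content-Type: audio/x-wav; name="goldfish.jpg.scr"
Content-ID: <p1>
Content-Disposition: attachment; filename="goldfish.jpg.scr"
Content-Transfer-Encoding: base64

{STUB}
--b1--
"""

# Fake Exim bounce: the worm rides inside the attached "copy of your message".
SAMPLE_BOUNCE = f"""From: "lovegreetings" <lovegreetings@lovegreetings.org>
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html

<HTML><HEAD></HEAD><BODY><FONT></FONT>
This message was created automatically by mail delivery software (Exim).</BODY></HTML>
--b2
Content-Type: message/rfc822
Content-Disposition: attachment; filename="returned.eml"

Content-Type: application/octet-stream; name="resume.doc.pif"
Content-Disposition: attachment; filename="resume.doc.pif"
Content-Transfer-Encoding: base64

{STUB}
--b2--
"""

if __name__ == "__main__":
    for label, raw in ("iframe", SAMPLE_IFRAME), ("bounce", SAMPLE_BOUNCE):
        print(label, triage(raw))
```

Run it directly to print the tags for both samples, or call triage() on raw .eml text pulled from a mail spool. The walk() call is the point: a filter that only inspects top-level attachments misses the Exim variant, where the executable sits one level down inside a message/rfc822 part, which is also why the fake-exim-bounce tag is only raised when the bounce wording and an executable attachment occur together.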

Other related posts:

  • » hackfix-virusnews: Virus warning ~ Yaha.mm/worm
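Added example, not from the advisory: a Python check for the exefile\shell\open\command hijack described in the removal steps above. classify_exefile_command() tells the clean value "%1" %* apart from the worm's interposed program and from the leading-space mistake the removal notes warn about; the live read and restore use the standard winreg module, so they only work on Windows and, for the repair, from an elevated prompt. The file name exefile_check.py, the --repair flag and matches_yaha_dropper() are this example's own, not anything Symantec or the worm uses.

```python
"""Check and repair the exefile open-command hijack described in the advisory.
Added example: classification is plain string logic and runs anywhere; reading
or restoring the live value needs Windows (winreg) and, to write, admin rights."""
import re
import sys
from typing import Optional

KEY_PATH = r"Software\Classes\exefile\shell\open\command"
CLEAN = '"%1" %*'  # stock value: run the .exe (%1) with its arguments (%*)

# Whatever stands in front of the %1 placeholder is run before every .exe.
_INTERPOSED = re.compile(r'^\s*"?([^"]+?)"?\s+"?%1"?\s*%\*\s*$')


def classify_exefile_command(value: str) -> tuple[str, Optional[str]]:
    """Return (state, program) for the (Default) value of the command key.

    clean      - the stock '"%1" %*'
    broken     - only whitespace differs: the leading-space mistake from the
                 removal notes, which makes every .exe fail with "cannot find"
    hijacked   - another program is launched first; program is its path
    unexpected - no %1 at all, so nothing would ever run the requested .exe
    """
    if value == CLEAN:
        return "clean", None
    if value.strip() == CLEAN:
        return "broken", None
    if "%1" not in value:
        return "unexpected", value
    m = _INTERPOSED.match(value)
    return "hijacked", (m.group(1) if m else value)


def matches_yaha_dropper(program: str) -> bool:
    """True when the program sits where the advisory says the worm copies itself
    (the Recycled/Recycler or Windows folder) under a six-digit random name."""
    return re.search(r"(?i)\\(?:recycle[dr]|windows|winnt)\\\d{6}(?:\.\w+)?$", program) is not None


def read_live_value() -> str:
    import winreg  # Windows-only; imported here so the checks above load anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        return winreg.QueryValue(key, None)  # the (Default) value


def restore_live_value() -> None:
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValue(key, None, winreg.REG_SZ, CLEAN)


if __name__ == "__main__":
    # Usage from an elevated prompt on Windows:  python exefile_check.py [--repair]
    try:
        value = read_live_value()
    except ImportError:
        sys.exit("winreg is not available: not running on Windows")
    state, program = classify_exefile_command(value)
    print(f"HKLM\\{KEY_PATH} (Default) = {value!r} -> {state}")
    if state == "hijacked":
        note = " (location and name match the advisory)" if matches_yaha_dropper(program) else ""
        print(f"interposed program: {program}{note}")
    if state != "clean" and "--repair" in sys.argv:
        restore_live_value()
        print(f"restored to {CLEAN}; reboot, then run a full scan with current definitions")
```

Caveat: while the hijack is in place every .exe launch, python.exe included, passes through the worm's command, so run this after the regedit.com step above or from a clean boot environment, not as the first action on a live infected session. The classification and dropper-name checks are plain string logic and run on any platform, which is also what makes them usable against a .reg export or a forensic image of the hive.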