February 19th, 2002, 10:38 PM
Malicious 'newsletter' virus hits users in Germany
Antivirus (AV) firms are warning of a "highly dangerous" virus that disguises itself as a newsletter from a popular German AV site. There have been reports of mass infections in Germany caused by the malicious code.
The 'Yarner' virus disguises itself as the AV program YAW, arriving as an attachment to an official looking message purporting to be from AV website Trojaner- info.de. The email contains the subject line: 'Trojaner- Info Newsletter [infected computer's current date]'.
If the attached Yawsetup.exe file is opened, the worm creates a file in the Windows directory with a random name up to 100 characters long and registers the file in the registry as an auto run key. This means that the worm is run every time Windows boots up.
Yarner spreads as a mass mailing virus, accessing the Microsoft Outlook address book to retrieve addresses as well as scanning all .php, .htm, .shtm, .cgi and .pl files for addresses.
After harvesting the details the worm connects to a remote SMTP server in order to forward itself to more unsuspecting victims.
AV firms have warned that Yarner also contains a highly destructive payload. It has a one in 10 chance of destroying all data and information on an infected machine after forwarding itself.
Experts have warned that this latest epidemic is more evidence of malicious code writers using social engineering to trick unwary users.
Eugene Kaspersky, head of AV research at Kaspersky Labs, said: "Trojaner-Info, supposedly in whose name the infected messages are sent, is a popular German resource for solving AV security problems. This service has no relationship whatsoever to this current epidemic.
"What is occurring now simply confirms once again that an email address and a message text can be easily falsified and, with the use of this trick, a user has a malicious program thrust upon him or herself."