
Thread: Virus heads-up: Yaha.K

  1. #11
    Member
    Join Date
    Aug 2002
    Posts
    46
    This actually reminded me to update my signature files, thanks.

  2. #12
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744

    update: YAHA.M

    Save starting another thread.. thought this heads-up was best here..

    Cheers

    [ EVRT™ Virus advisory issued for Worm/Yaha.M ]

    Complete description can be read online by clicking here
    http://support.centralcommand.com/cg...=021223-000007

    Details:

    Name: Worm/Yaha.M
    Alias: W32/Yaha-M
    Type: Internet Worm
    Discovered: December 21, 2002
    Size: 34.304KB

    Description:

    Worm/Yaha.M is a modification of Worm/Yaha.A (Valentine.scr), an Internet worm that spread by retrieving e-mail addresses from the Windows Address Book, as well as from addresses found in cached webpages (HTM, HTML and HTA files). Unlike other variants of Yaha, this variant does not show the funny screens the previous versions displayed.

    If executed, the worm copies itself in the \windows\%system% directory under the filenames:

    - tcpsvs32.exe
    - nav32_loader.exe
    - WinServices.exe
    - winloader32.dll

    So that it gets run each time a user restarts their computer, the following registry keys get added:

    - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

    and

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    "WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

    Additionally, the following key gets added:

    - HKEY_CLASSES_ROOT\exefile\shell\open\command
    @="\"%1\" %*"
    @="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"

    Worm/Yaha.M was originally received as "hotmail_hack.exe".
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #13
    Banned
    Join Date
    Mar 2002
    Posts
    968
    Hey all,

    The sender of the e-mail does not know about it.
    The virus infects the registry part that contains your address book and sends out a wack of emails with various generated messages and files.

    Unfortunately, my fiancée decided to try to install this "screensaver" and infected my computer.

    The first thing I noticed was that my vshield wasn't loading, then my anti virus wouldn't start on command, then that winservices and tcpsvs32 were running in the background (ctrl+alt+del).

    I tried removing the files, but they would return, I also attempted to remove the entries from msconfig to no success.

    McAfee has a program called Stinger which removes the infection (since my AV won't run)

    Then, you have to manually remove the registry entries (not necessary but good to keep clean)

    Just thought I'd let you know...
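
The registry entries listed in the advisory in post #12, which post #13 says have to be removed by hand, can be checked for in a registry export. The following is an added example, not part of the thread or the advisory: it parses a REGEDIT4-style `.reg` export and reports entries matching the advisory. The function names and the sample export are constructed for illustration.

```python
import re

# File names and keys as listed in the Worm/Yaha.M advisory quoted in post #12.
DROPPED = {"tcpsvs32.exe", "nav32_loader.exe", "winservices.exe", "winloader32.dll"}
RUN_BASE = r"hkey_local_machine\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {RUN_BASE + "run", RUN_BASE + "runservices"}
EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXE_DEFAULT = '"%1" %*'  # the unmodified handler value shown in the advisory
# name="data" lines; name is @ (the key's default value) or a quoted string.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):  # .reg exports escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def audit(text):
    """Return (key, value_name, reason) for entries matching the advisory."""
    findings = []
    for key, name, data in parse_reg(text):
        k, parts = key.lower(), set(re.split(r'[\\"\s]+', data.lower()))
        if k in RUN_KEYS and DROPPED & parts:
            findings.append((key, name, "autostart runs a file named in the advisory"))
        elif k == EXE_KEY and name == "@" and data != EXE_DEFAULT:
            findings.append((key, name, "exefile open handler is not the default"))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Exports written by newer regedit versions ("Windows Registry Editor Version 5.00") are UTF-16 and need decoding to text before being passed to `audit`.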

  4. #14
    happy NEW YEAR!!!!!!! everyone.

    thanks for tha info! Update time
