[ EVRT™ Virus advisory issued for Worm/Yaha.M ]
The complete description can be read online at:
http://support.centralcommand.com/cg...=021223-000007
Details:
Name: Worm/Yaha.M
Alias: W32/Yaha-M
Type: Internet Worm
Discovered: December 21, 2002
Size: 34.304KB
Description:
Worm/Yaha.M is a modification of Worm/Yaha.A (Valentine.scr), an Internet worm that spread by retrieving e-mail addresses from the Windows Address Book as well as from addresses found in cached web pages (HTM, HTML and HTA files). Unlike other variants of Yaha, this variant does not show the funny screens the previous versions displayed.
If executed, the worm copies itself to the \windows\%system% directory under the filenames:
- tcpsvs32.exe
- nav32_loader.exe
- WinServices.exe
- winloader32.dll
So that it runs each time a user restarts their computer, the following registry keys are added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
Additionally, the following key gets added:
- HKEY_CLASSES_ROOT\exefile\shell\open\command
@="\"%1\" %*"
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
Worm/Yaha.M was originally received as "hotmail_hack.exe".
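A detection check for the persistence entries listed above, written as an added example (not part of the original advisory or any vendor tool). It parses a REGEDIT4-style registry export; the function names and the sample export are constructed for illustration.

```python
import re

# File names and registry locations as listed in the advisory above.
YAHA_FILES = ("tcpsvs32.exe", "nav32_loader.exe", "WinServices.exe", "winloader32.dll")
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_local_machine\software\microsoft\windows\currentversion\runservices"}
EXE_HANDLER = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_HANDLER = '"%1" %*'  # Windows default; also the first value the advisory lists

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
FILE_RE = re.compile(r'(?:^|[\\/"])(' + "|".join(map(re.escape, YAHA_FILES))
                     + r')(?=$|["\s])', re.I)

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value name, data, reason) for each suspicious value."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        hit = FILE_RE.search(data)
        if key.lower() in RUN_KEYS and hit:
            findings.append((key, name, data, "autorun value points at " + hit.group(1)))
        elif key.lower() == EXE_HANDLER and name == "@" and data != CLEAN_HANDLER:
            findings.append((key, name, data, "exefile open command is not the clean value"))
    return findings

# Constructed sample in REGEDIT4 export syntax, not captured from a real host.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
'''
```

The exefile check flags any default value other than `"%1" %*`, so it also catches a hijacked handler that points at a file name not on this list.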