-
December 30th, 2002, 11:31 AM
#1
Virus heads-up: Yaha.K
Dutch radio is broadcasting warnings about an uprise of a new member of the Yaha family, Yaha.K. This either means that there's no other news today or this is a pretty serious one. For now (according to mr. newsreader) only the Netherlands are seriously affected, but then again, we probably are the only ones awake at this hour.
Symantec released new virus definitions the 26th, Sophos has an IDE available and I'm pretty sure the rest of them have something available as well - update time!
Oh, and a happy new year to you all
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
-
December 30th, 2002, 11:42 AM
#2
Happy new year to you too!!! And I'm awake at this hour, it's 5:30 am here, I haven't been to bed yet.
-
December 30th, 2002, 02:36 PM
#3
Junior Member
Thanks a lot, looks like it's time to update the virus scanner again :/
Just out of curiosity, what does the virus do?? Any warning signs?
-
December 30th, 2002, 03:22 PM
#4
Hades:
Following the links provided by Guus, I found this:
from Symantec
It terminates some antivirus and firewall processes. The worm uses its own SMTP engine to email itself to all contacts in the Windows Address Book, the MSN Messenger, the .NET Messenger, the Yahoo Pager, and all files whose extensions contain the letters HT. The email message has a randomly chosen subject line, message, and attachment name.
from Sophos
W32/Yaha-K creates three files in your system folder: WinServices.exe, nav32_loader.exe and tcpsvc32.exe. All these are exact copies of the worm.
W32/Yaha-K adds the following values to your registry, setting them to run the WinServices.exe file whenever you boot up or log on to the network:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices
="%SYSFOLDER%\WinServices.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices
="%SYSFOLDER%\WinServices.exe"
W32/Yaha-K also sets
HKCR\exefile\shell\open\command\(Default)
=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"
This means that W32/Yaha-K is executed whenever you launch an EXE (program file).
Once executed, W32/Yaha-K stays resident in memory as a process which is not visible in the task list. The worm takes active measures against anti-virus software, including:
* automatically resetting its "exefile" association if you edit the registry
* actively terminating a range of anti-virus, firewall and internet service programs
* actively terminating REGEDIT
Like other Yaha variants (e.g. W32/Yaha-A), the worm sends out emails containing copies of itself. These emails have a range of subject lines, attachment names, sender addresses and body texts, using a mixture of topics relating to hacking, love, hate and porn.
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
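Added example (not part of any post in this thread, and not Symantec or Sophos code): a small Python checker that reads a REGEDIT-style registry export and flags the persistence entries Sophos lists in post #4, namely the Winservices autorun values and a changed exefile open command. The sample export is constructed, and its C:\WINDOWS\SYSTEM path is an assumed stand-in for %SYSFOLDER%.

```python
import re

# Indicators from the Sophos description quoted in post #4.
WORM_FILES = {"winservices.exe", "nav32_loader.exe", "tcpsvc32.exe"}
CV_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {CV_KEY + r"\run", CV_KEY + r"\runservices"}
EXE_CMD_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXE_CMD = '"%1" %*'  # stock Windows handler for launching .exe files
# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winservices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Winservices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\" \"%1\" %*"
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="(.*)"$')
EXE_RE = re.compile(r'[^"\s]+\.exe', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, re.sub(r"\\(.)", r"\1", m.group(2))  # unescape

def find_yaha_k(text):
    """Return (kind, key, name, data) for each Yaha.K persistence indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        exes = {p.rsplit("\\", 1)[-1].lower() for p in EXE_RE.findall(data)}
        if key.lower() in RUN_KEYS and exes & WORM_FILES:
            hits.append(("autorun", key, name, data))
        elif (key.lower() == EXE_CMD_KEY and name == "(Default)"
              and data != CLEAN_EXE_CMD):
            hits.append(("exefile-hijack", key, name, data))
    return hits

if __name__ == "__main__":
    print(*find_yaha_k(SAMPLE_EXPORT), sep="\n")
```

Since the quoted description says the worm terminates REGEDIT and resets its exefile association while resident, the export should be taken from an environment where the worm is not running.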
-
December 30th, 2002, 03:29 PM
#5
Junior Member
Sounds Nasty :/ Thanks for the info.
-
December 30th, 2002, 04:24 PM
#6
I always love those "Your system is up to date" or "no updates available" messages.
Thanks for the warning Guus.
-
December 30th, 2002, 07:33 PM
#7
Here is some info on Yaha.K from the folks at McAfee:
Yaha.k i
Hope that I have been some help.
-
December 30th, 2002, 08:07 PM
#8
Junior Member
How about if you do a scanreg/restore and delete the files from the Windows system, would that take care of the problem?
-
December 30th, 2002, 08:26 PM
#9
If doing a scanreg /restore were the solution, then viruses wouldn't be a problem, hehe!!! Sometimes it is not that simple, even more so if you don't have the right tools to fix it.
-
December 31st, 2002, 04:03 AM
#10
One of our guys at work "accidentally" opened a file with the virus attached. I didn't notice it until the end of the day, so I am going to spend my morning removing the virus. Fun stuff. I usually do updates on Tues. Thanks for the links though, saves me the time on looking for them.
I sent an email to the sender of the virus because he probably doesn't even know he has it and is sending it out.