Virus heads-up: Yaha.K

[Guus]

Dutch radio is broadcasting warnings about an uprise of a new member of the Yaha family, Yaha.K. This either means that there's no other news today or this is a pretty serious one For now (according to mr. newsreader) only the Netherlands are seriously affected, but then again, we probably are the only ones awake at this hour

Symantec released new virus defenitions the 26th, Sophos has an IDE available and I'm pretty sure the rest of them has something available as well - update time!

Oh, and a happy new year to you all

[gore]

Happy new years to you to!!1 and im awake at this hour its 5:30 am here i havnt been to bed yet

[Hades]

Thanks alot, looks like its time to update virus scanner again :/
Just out of curiosity, what does the virus do?? any warning signs?

[the_JinX]

Hades:

Following the links provided by Guus, I found this:

from Symantec
It terminates some antivirus and firewall processes. The worm uses its own SMTP engine to email itself to all contacts in the Windows Address Book, the MSN Messenger, the .NET Messenger, the Yahoo Pager, and all files whose extensions contains the letters HT. The email message has randomly chosen subject line, message, and attachment name.

from Sophos
W32/Yaha-K creates three files in your system folder: WinServices.exe, nav32_loader.exe and tcpsvc32.exe. All these are exact copies of the worm.

W32/Yaha-K adds the following values to your registry, setting them to run the WinServices.exe file whenever you boot up or log on to the network:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices
="%SYSFOLDER%\WinServices.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices
="%SYSFOLDER%\WinServices.exe"

W32/Yaha-K also sets

HKCR\exefile\shell\open\command\(Default)
=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"

This means that W32/Yaha-K is executed whenever you launch an EXE (program file).

Once executed, W32/Yaha-K stays resident in memory as a process which is not visible in the task list. The worm takes active measures against anti-virus software, including:

* automatically resetting its "exefile" association if you edit the registry
* actively terminating a range of anti-virus, firewall and internet service programs
* actively terminating REGEDIT

Like other Yaha variants (e.g. W32/Yaha-A), the worm sends out emails containing copies of itself. These emails have a range of subject lines, attachment names, sender addresses and body texts, using a mixture of topics relating to hacking, love, hate and porn.

[Hades]

Sounds Nasty :/ Thanks for the info.

[noODle]

I always love those "Your system is up to date" or "no update's available" messages.
Thanks for the warning Guus.

[bucket]

Here is some info on Yaha.K from the folks at McAfee:

Yaha.k i

Hope that I have been some help.

[Jorge]

How about if you do a scanreg/restore and delete the files from the Windosw system, would that take care of the problem?

[-DaRK-RaiDeR-]

If doing a scanreg /restore were the solution, then virus wouldn't be a problem, hehe!!!Sometimes it uses to be not that simple, more if you don't have the right tools to fix it.

[zaggy]

One of our guys at work "accidentally" opened a file with the virus attached. I didn't notice it until the end of the day, so I am going to spend my morning removing the virus. Fun stuff. I usually do updates on Tues. Thanks for the links though, saves me the time on looking for them.

I sent an email to the sender of the virus because he probably doesn't even know he has it and is sending it out.