This actually reminded me to update my signature files thanks :)
Save starting another thread.. thought this heads-up was best here..
Cheers
Quote:
[ EVRT™ Virus advisory issued for Worm/Yaha.M ]
Complete description can be read online by clicking here
http://support.centralcommand.com/cg...=021223-000007
Details:
Name: Worm/Yaha.M
Alias: W32/Yaha-M
Type: Internet Worm
Discovered: December 21, 2002
Size: 34.304KB
Description:
Worm/Yaha.M is a modification of Worm/Yaha.A (Valentine.scr), an Internet worm that spread by retrieving e-mail addresses from the Windows Address Book, as well as from addresses found in cached webpages (HTM, HTML and HTA files). Unlike other variants of Yaha, this variant does not show the funny screens the previous versions displayed.
If executed, the worm copies itself in the \windows\%system% directory under the filenames:
- tcpsvs32.exe
- nav32_loader.exe
- WinServices.exe
- winloader32.dll
So that it gets run each time a user restarts their computer, the following registry keys get added:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
Additionally, the following key gets added:
- HKEY_CLASSES_ROOT\exefile\shell\open\command
@="\"%1\" %*"
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
Worm/Yaha.M was originally received as "hotmail_hack.exe".
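As an added example (not part of the advisory or of any post in this thread), the Python sketch below scans a regedit text export for the persistence entries the advisory lists: the Run/RunServices autoruns and the replaced `exefile\shell\open\command` default value. The function names, the sample export and the assumption that the export uses plain `"name"="value"` string lines are constructed for illustration.

```python
import re

# Indicators copied from the advisory text; everything else here is illustrative.
WORM_FILES = {"tcpsvs32.exe", "nav32_loader.exe", "winservices.exe", "winloader32.dll"}
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'  # default value the advisory shows before infection

KEY_RE = re.compile(r'\[(.+)\]')
VALUE_RE = re.compile(r'(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"')
FILE_RE = re.compile(r'[^\\/"\s]+\.(?:exe|dll)')

def unescape(value):
    """Undo .reg string escaping (backslash-escaped quotes and backslashes)."""
    return re.sub(r'\\(.)', r'\1', value)

def scan_reg_export(text):
    """Return (key, value name, data, reason) for each suspicious string value."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.fullmatch(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.fullmatch(line)
        if not m or key is None:
            continue  # blank line, header, or a non-string value type
        name = "@" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        data = unescape(m.group(2))
        if key == EXEFILE_KEY and name == "@" and data != CLEAN_EXEFILE:
            findings.append((key, name, data, "exefile open command replaced"))
        elif key in RUN_KEYS and WORM_FILES & set(FILE_RE.findall(data.lower())):
            findings.append((key, name, data, "autorun entry names a Yaha.M file"))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
"SystemTray"="SysTray.Exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"
'''

if __name__ == "__main__":
    for key, name, data, reason in scan_reg_export(SAMPLE):
        print(f"{reason}: [{key}] {name} = {data}")
```

The `exefile` check matters most during cleanup: if the worm's files are deleted while that default value still points at `nav32_loader.exe`, the advisory's own "before" value (`"%1" %*`) has to be restored for `.exe` files to launch normally.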
Hey all,
The sender of the e-mail does not know about it.
The virus infects the registry part that contains your address book and sends out a wack of emails with various generated messages and files.
Unfortunately, my fiancée decided to try to install this "screensaver" and infected my computer.
The first thing I noticed was that my vshield wasn't loading, then my anti virus wouldn't start on command, then that winservices and tcpsvs32 were running in the background (ctrl+alt+del).
I tried removing the files, but they would return. I also attempted to remove the entries from msconfig to no success.
McAfee has a program called Stinger which removes the infection (since my AV won't run)
Then, you have to manually remove the registry entries (not necessary but good to keep clean)
Just thought I'd let you know...
happy NEW YEAR!!!!!!! everyone.
thanks for tha info! Update time