Virus heads-up: Yaha.K

Dutch radio is broadcasting warnings about an uprise of a new member of the Yaha family, Yaha.K. This either means that there's no other news today or this is a pretty serious one :) For now (according to mr. newsreader) only the Netherlands are seriously affected, but then again, we probably are the only ones awake at this hour :)

Symantec released new virus defenitions the 26th, Sophos has an IDE available and I'm pretty sure the rest of them has something available as well - update time!

Oh, and a happy new year to you all :dunce:

Happy new years to you to!!1 and im awake at this hour:) its 5:30 am here i havnt been to bed yet :)

Thanks alot, looks like its time to update virus scanner again :/
Just out of curiosity, what does the virus do?? any warning signs?

Hades:

Following the links provided by Guus, I found this:

Quote:

---

from Symantec
It terminates some antivirus and firewall processes. The worm uses its own SMTP engine to email itself to all contacts in the Windows Address Book, the MSN Messenger, the .NET Messenger, the Yahoo Pager, and all files whose extensions contains the letters HT. The email message has randomly chosen subject line, message, and attachment name.

---

Quote:

---

from Sophos
W32/Yaha-K creates three files in your system folder: WinServices.exe, nav32_loader.exe and tcpsvc32.exe. All these are exact copies of the worm.

W32/Yaha-K adds the following values to your registry, setting them to run the WinServices.exe file whenever you boot up or log on to the network:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices
="%SYSFOLDER%\WinServices.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices
="%SYSFOLDER%\WinServices.exe"

W32/Yaha-K also sets

HKCR\exefile\shell\open\command\(Default)
=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"

This means that W32/Yaha-K is executed whenever you launch an EXE (program file).

Once executed, W32/Yaha-K stays resident in memory as a process which is not visible in the task list. The worm takes active measures against anti-virus software, including:

* automatically resetting its "exefile" association if you edit the registry
* actively terminating a range of anti-virus, firewall and internet service programs
* actively terminating REGEDIT

Like other Yaha variants (e.g. W32/Yaha-A), the worm sends out emails containing copies of itself. These emails have a range of subject lines, attachment names, sender addresses and body texts, using a mixture of topics relating to hacking, love, hate and porn.

---

Sounds Nasty :/ Thanks for the info.

I always love those "Your system is up to date" or "no update's available" messages.
Thanks for the warning Guus.

Here is some info on Yaha.K from the folks at McAfee:

Yaha.k i

Hope that I have been some help.

How about if you do a scanreg/restore and delete the files from the Windosw system, would that take care of the problem?

If doing a scanreg /restore were the solution, then virus wouldn't be a problem, hehe!!!Sometimes it uses to be not that simple, more if you don't have the right tools to fix it.

One of our guys at work "accidentally" opened a file with the virus attached. I didn't notice it until the end of the day, so I am going to spend my morning removing the virus. Fun stuff. I usually do updates on Tues. Thanks for the links though, saves me the time on looking for them.

I sent an email to the sender of the virus because he probably doesn't even know he has it and is sending it out.

This actually reminded me to update my signature files thanks :)

Save starting another thread.. thought this headsup was best here..

Cheers

Quote:

---

[ EVRT™ Virus advisory issued for Worm/Yaha.M ]

Complete description can be read online by clicking here
http://support.centralcommand.com/cg...=021223-000007

Details:

Name: Worm/Yaha.M
Alias: W32/Yaha-M
Type: Internet Worm
Discovered: December 21, 2002
Size: 34.304KB

Description:

Worm/Yaha.M is is a modification of Worm/Yaha.A (Valentine.scr), an Internet worm that spread by retrieving e-mail addresses from the Windows Address Book, as well as, from addresses found in cached webpages(HTM, HTML and HTA files). Unlike other variants of Yaha, this variant does not show the funny screens the previous versions displayed.

If executed, the worm copies itself in the \windows\%system% directory under the filenames:

- tcpsvs32.exe
- nav32_loader.exe
- WinServices.exe
- winloader32.dll

So that it gets run each time a user restart their computer the following registry keys get added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

Additionally, the following key gets added:

- HKEY_CLASSES_ROOT\exefile\shell\open\command
@="\"%1\" %*"
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"

Worm/Yaha.M was originally received as "hotmail_hack.exe".

---

Hey all,

The sender of the e-mail does not know about it.
The virus infects the registry part that contains your adress book and sends out a wack of emails with various generated messages and files.

Unfortunately, my fiancée decided to try to install this "screensaver" and infected my computer.

The first thing I noticed was that my vsheild wasn't loading, then my anti virus wouldn't start on command, then that winservices and tcpsvs32 was running in the background (ctrl+alt+del)

I tried removing the files, but they would return, I also attemted to remove the entries from msconfig to no success.

McAfee has a program called Stinger which removes the infection (since my AV won't run)

Then, you have to manually remove the registry entries (not necessary but good to keep clean)

Just thought I'd let you know...

happy NEW YEAR!!!!!!! everyone.

thanks for tha info! Update time