Hades:

Following the links provided by Guus, I found this:

from Symantec
It terminates some antivirus and firewall processes. The worm uses its own SMTP engine to email itself to all contacts in the Windows Address Book, the MSN Messenger, the .NET Messenger, the Yahoo Pager, and all files whose extensions contains the letters HT. The email message has randomly chosen subject line, message, and attachment name.
from Sophos
W32/Yaha-K creates three files in your system folder: WinServices.exe, nav32_loader.exe and tcpsvc32.exe. All these are exact copies of the worm.

W32/Yaha-K adds the following values to your registry, setting them to run the WinServices.exe file whenever you boot up or log on to the network:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices
="%SYSFOLDER%\WinServices.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices
="%SYSFOLDER%\WinServices.exe"

W32/Yaha-K also sets

HKCR\exefile\shell\open\command\(Default)
=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"

This means that W32/Yaha-K is executed whenever you launch an EXE (program file).

Once executed, W32/Yaha-K stays resident in memory as a process which is not visible in the task list. The worm takes active measures against anti-virus software, including:

* automatically resetting its "exefile" association if you edit the registry
* actively terminating a range of anti-virus, firewall and internet service programs
* actively terminating REGEDIT

Like other Yaha variants (e.g. W32/Yaha-A), the worm sends out emails containing copies of itself. These emails have a range of subject lines, attachment names, sender addresses and body texts, using a mixture of topics relating to hacking, love, hate and porn.