Virus Characteristics
Detection of the W32/Yaha.aa@MM virus was included to cover a malicious PE file called "cmde32.exe" and/or "mexplore.exe". The file size is 60,304 bytes and the file is internally compressed with FSG.
This worm propagates via email and over network shares and mapped drives, and also tries to spread over peer-to-peer connections. It uses its own built-in SMTP engine for constructing messages. It terminates specific processes if they are running (AV/security related), and contains code to deliver a denial of service attack against remote machines (various targets are hard-coded within the worm).
The worm may arrive in a message with varying subject lines, attachment filenames and message bodies. Many variations of each are carried within the body of the worm. In common with previous W32/Yaha variants, strings within the worm suggest the From: address may be spoofed. Note: if e-mail attachment extension blocking (.com/.exe/.scr/.pif etc.) is in place, the attachment and/or the complete e-mail may already be blocked or removed automatically. This variant also sends a zipped copy of itself as an attachment in an attempt to get around extension filtering, so filters that look only at the outer attachment name will miss it.
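The zipped-attachment trick above defeats a filter that matches only the declared attachment name. The following is an added example (not code from the original description or from any vendor product) of a mail-gateway check that looks inside ZIP attachments as well. The sample message, its From: address, the attachment names "photo.zip" and "mexplore.scr" and the stub "MZ" bytes are constructed for the example and are not taken from a real Yaha sample.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions a mail gateway typically blocks outright; the description names .com/.exe/.scr/.pif,
# the remaining entries are a common extension of that list (assumption, not from the page).
BLOCKED_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs"}


def _has_blocked_extension(name: str) -> bool:
    # Trailing spaces or dots are a classic trick to hide the real extension; strip them first.
    lower = name.lower().rstrip(" .")
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def _names_inside_zip(data: bytes) -> list[str]:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def find_executable_attachments(raw_message: bytes) -> list[str]:
    """Return one finding per attachment that is an executable by extension or that
    carries one inside a ZIP archive. The archive check keys on the 'PK' magic bytes,
    not on a .zip filename, so a renamed archive is still inspected."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _has_blocked_extension(filename):
            findings.append(f"{filename}: blocked extension")
        if payload[:2] == b"PK":
            for inner in _names_inside_zip(payload):
                if _has_blocked_extension(inner):
                    findings.append(f"{filename} -> {inner}: executable inside archive")
    return findings


def build_sample_message() -> bytes:
    """Construct a sample message (not a real worm sample) carrying a zipped 'cmde32.exe'
    under an innocuous archive name plus a bare .scr attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cmde32.exe", b"MZ" + b"\x00" * 62)  # harmless stub bytes, constructed
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # constructed; the worm is believed to spoof this header
    msg["To"] = "victim@example.com"
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photo.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="mexplore.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_executable_attachments(build_sample_message()):
        print(finding)
```

A production filter would also recurse into nested archives and cap the number and size of entries it inspects, so that a crafted archive cannot be used to exhaust the gateway.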
When executed on the local system, it runs silently: no GUI message boxes appear and it is also not visible in the Windows Task Manager process list. It copies itself to, for example on a Windows 2000 system:
- c:\winnt\system32\cmde32.exe
- c:\winnt\system32\mexplore.exe
To run itself at startup, registry entries are made under
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
To run the viral code whenever a regular executable file is launched, it changes the default value of
- HKCR\exefile\shell\open\command
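On a clean Windows install the default value of HKCR\exefile\shell\open\command is "%1" %*; anything else placed in front of "%1" runs before every program the user starts, and a user who simply deletes the worm file then finds that no .exe will launch until the value is restored. The following is an added example (not code from the original description or from any vendor tool) that triages a registry export offline for the two persistence mechanisms listed above: it parses the .reg text, flags Run/RunServices values that reference cmde32.exe or mexplore.exe, and flags any exefile command that deviates from the clean default. The value names "Explorer" and "cmde32" and the exact form of the hijacked command in the sample export are constructed for the example; the description does not state the names or strings the worm actually writes.

```python
import re

WORM_FILENAMES = ("cmde32.exe", "mexplore.exe")
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
EXEFILE_COMMAND_KEY = r"hkey_classes_root\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'   # stock value on a clean Windows install

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s: str) -> str:
    """Strip the surrounding quotes of a .reg string and undo its backslash escaping."""
    if len(s) >= 2 and s.startswith('"') and s.endswith('"'):
        s = re.sub(r"\\(.)", r"\1", s[1:-1])
    return s


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] headers followed by
    "name"="string" or @="string" lines. The default value is stored under name ''."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unquote(m.group(1))
            keys[current][name] = _unquote(m.group(2))
    return keys


def triage_reg_export(text: str) -> list[str]:
    """Return one finding per suspicious autostart value or hijacked exefile handler."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k in RUN_KEYS:
            for name, data in values.items():
                if any(f in data.lower() for f in WORM_FILENAMES):
                    findings.append(f"{key}\\{name or '(Default)'} -> {data}")
        elif k == EXEFILE_COMMAND_KEY:
            default = values.get("", "")
            if default.strip() != CLEAN_EXEFILE_COMMAND:
                findings.append(f"{key} default is {default!r}, expected {CLEAN_EXEFILE_COMMAND!r}")
    return findings


# Constructed sample of an infected machine's export; value names and the hijacked
# command string are illustrative, not the worm's actual strings.
SAMPLE_INFECTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer"="C:\\WINNT\\system32\\mexplore.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"cmde32"="C:\\WINNT\\system32\\cmde32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\system32\\cmde32.exe \"%1\" %*"
'''

# Constructed sample of a clean machine: stock exefile handler, no Run entries.
SAMPLE_CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for finding in triage_reg_export(SAMPLE_INFECTED_EXPORT):
        print(finding)
```

To feed it a real export, run `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the other two keys) on the suspect host and open the files with `encoding="utf-16"`, since modern reg.exe writes them as UTF-16. Because the exefile check compares against the clean default rather than against the worm's filenames, it also catches other handler hijacks, not only this variant.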
Strings within the worm suggest outgoing messages are intended to exploit two Internet Explorer vulnerabilities (IFRAME and incorrect MIME header) in order to run the attachment when the recipient merely previews the email (on unpatched systems). See Microsoft Security Bulletin MS01-020 for more information and a patch concerning these exploits.
The worm may also perform keylogging (keyboard hooking).