
Virus Profile: W32/Yaha.aa@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/10/2003
Date Added: 11/11/2003
Origin: Unknown
Length: 60304
Type: Virus
Subtype: Internet Worm
DAT Required: 4298

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of the files listed under Virus Characteristics (cmde32.exe, mexplore.exe)
  • Disabled AV/Security software processes
  • Denial of Service attacks

Methods of Infection

The virus installs itself on the victim machine upon execution. It terminates various AV- and security-product-related processes.

It copies itself over network shares.

Although mailing has not been observed in testing at the time of writing, strings within the worm suggest that it mails itself out to all email addresses found in:

  • Windows Address Book
  • MSN Messenger
  • .NET Messenger
  • Yahoo Pager
  • Files matching *.HT*

The 'From' address may vary; strings within the worm suggest it is spoofed, as described under Virus Characteristics.

Aliases

I-Worm.Lentin.s (Kaspersky), I-Worm/Yaha.S (Grisoft), W32.Yaha.AE@mm (Symantec), W32/Lentin.U@mm (Frisk), W32/Yaha-X (Sophos), Win32.HLLM.Yaha.6 (Dialogue Science), Win32.Yaha.Y (CA VET), Win32/Yaha.AF (Eset), Win32:Yaha-S [Wrm] (Alwil), Worm/Lentin.S (H+BEDV)

Virus Characteristics

Detection of the W32/Yaha.aa@MM virus was included to cover a malicious PE file called "cmde32.exe" and/or "mexplore.exe". The file size is 60,304 bytes and the file is internally compressed with FSG.

This worm propagates via email, over network shares and mapped drives, and also tries to spread using peer-to-peer connections. It uses its own built-in SMTP engine to construct messages. It terminates specific (AV/security-related) processes if they are running, and contains code to deliver a denial-of-service attack against remote machines (various targets are hard-coded within the worm).

The worm may arrive in a message with varying subject lines, attachment filenames and message bodies; many variations of each are carried within the body of the worm. In common with previous W32/Yaha variants, strings within the worm suggest the 'From' address may be spoofed. Note: where e-mail file-extension blocking (.com/.exe/.scr/.pif etc.) is in use, the file attachment and/or the complete e-mail might already be blocked or removed automatically. This variant also sends a zipped copy of itself as an attachment in an attempt to get around extension filtering.

When executed on the local system, it runs silently: no GUI message boxes appear and it is not visible in the Windows Task Manager process list. It copies itself, for example on a Windows 2000 system, to

  • c:\winnt\system32\cmde32.exe
  • c:\winnt\system32\mexplore.exe

To run itself at startup, registry entries are made under

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

To run the viral code whenever a regular executable file is launched, it changes the content of

  • HKCR\exefile\shell\open\command
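
The persistence described above can be checked offline from a regedit export of the keys involved. This is an added example and not McAfee's own tooling: the file names and key paths come from the profile, while the value names, the exact hijacked command string and the sample export are constructed assumptions.

```python
import re

# Indicators from the profile: dropped file names and the registry keys modified.
YAHA_FILENAMES = ("cmde32.exe", "mexplore.exe")
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # default (Default) value on a clean system

def parse_reg_export(text):
    """Parse [key] headers and "name"="string" / @="string" lines of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line and line.endswith('"'):
            name, value = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            # strip the surrounding quotes and undo .reg escaping (\" and \\)
            keys[current][name] = re.sub(r"\\(.)", r"\1", value[1:-1])
    return keys

def find_yaha_indicators(reg_text):
    """Flag Run/RunServices values naming the dropped files and a non-default exefile command."""
    reg = parse_reg_export(reg_text)
    findings = []
    for key in RUN_KEYS:
        for name, value in reg.get(key.lower(), {}).items():
            if any(f in value.lower() for f in YAHA_FILENAMES):
                findings.append(f"autorun entry {key}\\{name} -> {value}")
    command = reg.get(EXEFILE_KEY.lower(), {}).get("@")
    if command is not None and command != CLEAN_EXEFILE_COMMAND:
        findings.append(f"exefile open command modified: {command}")
    return findings

# Constructed sample (assumed, not a real capture): value names and the exact
# hijacked command are hypothetical; file paths and keys follow the profile.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"cmde32"="c:\\winnt\\system32\\cmde32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"mexplore"="c:\\winnt\\system32\\mexplore.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\winnt\\system32\\cmde32.exe \"%1\" %*"
"""
```

Running `find_yaha_indicators(SAMPLE_EXPORT)` on the constructed export yields three findings: the two autorun entries and the modified exefile command; on a clean export it returns an empty list.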

Strings within the worm suggest outgoing messages are intended to contain two Internet Explorer vulnerabilities (IFRAME and incorrect MIME header) in order to run itself when the recipient previews the email (on unpatched systems). See Microsoft Security Bulletin MS01-020 for more information and a patch concerning these exploits.

The worm might also perform keylogging / keyboard hooking. 

Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed by cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.