Clusterheadaches.com Message Board (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
(Message started by: Svenn on Jan 14th, 2003, 1:17am)

Title: Warning-Warning
Post by Svenn on Jan 14th, 2003, 1:17am
W32/Yaha.K@mm

General characteristics
Type: Worm
Spreading mechanism: Email
Email characteristics:
Subject: (semi random)
Body: (various)
Attachment: various - *.scr or *.exe
Destructivity: Medium
Payload: Changes Registry settings
Detected by virus detection files published: 31 Dec 2002
Virus characteristics first published: 31 Dec 2002 17:55 (CET)
Virus characteristics latest update: 08 Jan 2003 10:46 (CET)
Additional description of malicious program
Type
This worm is written in Visual C++. The malicious program is 34,304 bytes and is compressed using UPX.

Spreading mechanism
The worm will copy itself to the following directories/names:

%WINDOWSSYSTEMDIRECTORY%\nav32_loader.exe
%WINDOWSSYSTEMDIRECTORY%\tcpsvs32.exe
%WINDOWSSYSTEMDIRECTORY%\WinServices.exe

The worm will then change the Registry key "HKCR\exefile\shell\open\command" so that the worm is run before any .exe files are started. This has the additional effect that if the worm is deleted, no *.exe files whatsoever can be run unless the Registry setting is changed before the worm is deleted!

Then the worm sets the Run key in the Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm is started during the PC's boot.

The worm also adds the following Registry key
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
to point to %WINDOWSSYSTEMDIRECTORY%\WinServices.exe

The worm will harvest email addresses from several locations on the infected PC and send itself to those.

Destructivity and Payload
The worm changes a Registry setting in such a way that it ensures that it runs itself before any *.exe file. This has the side-effect that if the worm is deleted before the Registry setting is changed, no *.exe file whatsoever will be able to be launched.
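The persistence points quoted above (the exefile handler hijack, the Run/RunServices entries and the three dropped file names) can be audited from a defender's side. The script below is an added example; it is not Norman's Yahafix and not part of the original post. It assumes the file names and registry paths exactly as quoted in the description and assumes the standard Windows default handler value '"%1" %*'. It is read-only unless run with -Restore, which restores the exefile handler first, since removing the worm file while the handler still references it is what makes every .exe unlaunchable.

```powershell
# Added example (not from the original post or from Norman): audit the Yaha.K persistence points
# described above and optionally restore the exefile handler before any cleanup.
# Assumptions: file names and registry paths as quoted in the description; '"%1" %*' is the
# standard default for HKCR\exefile\shell\open\command.
param([switch]$Restore)

$wormNames = @('nav32_loader.exe', 'tcpsvs32.exe', 'WinServices.exe')   # names from the description
$defaultHandler = '"%1" %*'
$handlerKey = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'   # only present on Windows 9x/Me
)
$findings = @()

# 1. The .exe file association: anything other than the default means every .exe launch is proxied
#    through whatever program is named here.
$handler = (Get-ItemProperty -Path $handlerKey -ErrorAction Stop).'(default)'
if ($handler -ne $defaultHandler) {
    $findings += "exefile handler is '$handler' (expected '$defaultHandler')"
}

# 2. Run / RunServices values that reference any of the worm's file names.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own provider metadata
        foreach ($name in $wormNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                $findings += "$key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. Copies dropped into the system directory (%WINDOWSSYSTEMDIRECTORY% in the description).
$sysDir = [Environment]::GetFolderPath('System')
foreach ($name in $wormNames) {
    $path = Join-Path $sysDir $name
    if (Test-Path $path) { $findings += "file present: $path" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Yaha.K persistence indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
    if ($Restore -and $handler -ne $defaultHandler) {
        # Restore the handler FIRST; deleting the worm while it is still referenced here breaks every .exe.
        Set-ItemProperty -Path $handlerKey -Name '(default)' -Value $defaultHandler
        Write-Output "Restored exefile handler to $defaultHandler. Remove the files and Run entries only after this."
    }
}
```

Run it once without -Restore to see what is referenced, then with -Restore; only after the handler reads '"%1" %*' again should the Run entries and the files be removed. On a live infected host the worm process is still running while this executes, so a reboot (or a boot from clean media) is still needed to clear it from memory.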

Norman will soon make available for download from this page a fix that will reset the Registry setting and remove the worm.

Further comments
When the worm is run as WinServices.exe (during boot), it looks through all running processes and checks them against the list below. The worm will then attempt to kill any of those processes it finds.

REGEDIT
ACKWIN32
F-AGNT95
SWEEP95
VET95
N32SCANW
_AVPM
LOCKDOWNADVANCED
NSPLUGIN
NSCHEDNT
NRESQ32
NPSSVC
NOD32
_AVPCC
_AVP32
NORTON
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT95
F-STOPW
PVIEW95
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
NISUMSYMPROXYSVC
RESCUE32
NISSERV
VSECOMR
VETTRAY
TDS2-NT
TDS2-98
SCAN32
PCFWALLICON
NSCHED32
IAMSERV
EXE
FRW.EXE
MCAFEE
ATRACK
IAMAPP
LUCOMSERVER
LUALL
NMAIN
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON
ESAFE.EXE
AVPM.EXE
AVPCC.EXE
AMONEXE
ALERTSVC
ZONEALARM
AVP32LOCKDOWN2000
AVPEXE
CFINET32
CFINET
ICMON
RMVTRJANSAFEWEB
WEBSCANX
PVIEW
ANTIVIR

The worm will then sleep for some time and go through the list again and again.

The worm tries to obscure itself by making the Task Manager window in Windows unavailable.

Detection and removal
We recommend that you download a special fix for this worm.
Download Yahafix by right clicking on this link. Run Yahafix.com when the download is complete. Yahafix will remove Yaha from your system and reset the Registry settings created by the worm.
Virus Warnings HIGH RISK
2003.01.10  W32/Sobig.A
2003.01.09  W32/Lirva.C
2003.01.07  W32/Lirva.A
2002.12.31  W32/Yaha.K
2002.12.30  W32/Yaha.M
2002.10.01  W32/Opaserv
2002.09.30  W32/Bugbear.A
2002.06.21  W32/Yaha.E
2002.04.17  W32/Klez.H

Virus Warnings MEDIUM RISK
2002.11.06  W32/Brid.A
2001.11.24  W32/Badtrans.B
2001.07.20  W32/SirCam
2000.11.16  W32/Hybris

Virus Warnings LOW RISK
2003.01.09  W32/ExploreZip.N
2002.12.17  W32/Lioten.A
2002.01.17  W32/Klez.E
2001.09.05  W32/Magistr.B
2001.03.14  W32/Magistr.A
