Clusterheadaches.com Message Board
        (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
      

        New Message Board Archives >> Jan-Mar 2003 >> Virus help, ANYONE!!!
        
(Message started by: brain_cramps on Mar 3rd, 2003, 1:36pm)
Title: Virus help, ANYONE!!!
Post by brain_cramps on Mar 3rd, 2003, 1:36pm
Has anyone out there ran into the "W32/Yaha-L" virus?

Besides changing your 'home-page', it runs 'whenever you launch a file with an EXE extension'.

This makes it especially tough to remove 'bad' registry entries using 'regedit'.  I have been able to locate the files that it installs, but am unable to delete them until their references are removed from the registry.  Kinda a 'catch-22'.

Help and thanks in advance,
grant
Title: Re: Virus help, ANYONE!!!
Post by brain_cramps on Mar 3rd, 2003, 1:40pm
Note:  I've already tried to run regedit in 'safe mode' and same problem.  It starts, runs for about a second, and quits.

Somebody should shoot the bastards that think up shit like this!!!
Title: Re: Virus help, ANYONE!!!
Post by Kirk on Mar 3rd, 2003, 1:42pm
Try RegClean 4.1a. http://www.cnet.com has it in thier Windows download section.. It's free and might do the trick.
Other then that run FreeBSD or Linux are the best I can suggest. ;D
Title: Re: Virus help, ANYONE!!!
Post by brain_cramps on Mar 3rd, 2003, 1:48pm

on 03/03/03 at 13:42:27, Kirk wrote:
Other then that run FreeBSD or Linux are the best I can suggest.


ROTFLMAO - Its my parents system.  I kinda think Linux might be a little over their heads.

Downloading RegClean and going to give it a shot.

Thanks Kirk and I'll let you know,
grant
Title: Re: Virus help, ANYONE!!!
Post by brain_cramps on Mar 3rd, 2003, 2:06pm
Well Kirk, no such luck.  ???

Attached is a link describing it:
http://www.sophos.com/virusinfo/analyses/w32yahal.html

<<
Once executed, W32/Yaha-L stays resident in memory as a process which is not visible in the task list.  The worm takes active measures against anti-virus software including:
- atuomatically resetting the registry modifications if they are changed
- actively terminating a range of anti-virus, firewall and internet serviceprograms
- actively terminating REGEDIT
>>

Pretty creative, huh?  >:( >:( >:( >:( >:(
Title: Re: Virus help, ANYONE!!!
Post by Kirk on Mar 3rd, 2003, 2:15pm
Found another for you. http://onlinepcfix.com/virushelp/antivirus.htm
They have a standalone remover for all the Yaha(Lentin) worms there.

Just put the Redmond splash screen and theme on Linux and don't tell your parents. hehehehehe ;D
Title: Re: Virus help, ANYONE!!!
Post by BruceD on Mar 3rd, 2003, 2:16pm
I just looked and Symantec has a program to remove it. I don't know if you've tried that yet, but it may be of use. They've got some step-by-step instructions too.

http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.l@mm.html

Hope this helps
BruceD
Title: Re: Virus help, ANYONE!!!
Post by Kirk on Mar 3rd, 2003, 2:23pm
Just another script kiddie. Nothing really creative about it. Although the DDos attack against a Pakistani govrerment site is almost cute..
If the remover doesn't work let me know. We're all pulling for ya over here. Who needs another head ache.
Title: Re: Virus help, ANYONE!!!
Post by brain_cramps on Mar 3rd, 2003, 2:25pm
Thx everybody

Already tried the 'onlinepcfix.com' link and the 'securityresponse.symantec.com' link.

'onlinepcfix.com' wants $ and I guess that will probably be the next step.

'sophos.com' gives a bunch of instructions that they obviously never tested, since they admit that REGEDIT won't run but they still want you to remove registry entries.

frozen and frustrated!
grant
Title: Re: Virus help, ANYONE!!!
Post by Ueli on Mar 3rd, 2003, 2:25pm
Grant, use another registry editor, like RegHance from Lavasoft:

http://www.lavasoftusa.com/software/reghance/

Good luck,
Ueli
Title: Re: Virus help, ANYONE!!!
Post by BruceD on Mar 3rd, 2003, 2:33pm
Try renaming the regedt32.exe to regedt32.com and give that a go.
Title: Re: Virus help, ANYONE!!!
Post by brain_cramps on Mar 3rd, 2003, 4:42pm
Thanks Kirk, BruceD, Ueli and Randy


on 03/03/03 at 14:23:45, Kirk wrote:
Although the DDos attack against a Pakistani govrerment site is almost cute..
 That's about the only CUTE thing I found.

If anyone gets this little steaming nugget of shit virus, beware of the following:
- OnlinePCFix.com has incomplete/incorrect instructions.
- Sophos.com also has incomplete/incorrect instructions.
- Symantec has incomplete/incorrect instructions, but has a downloadable fix that is FREE and WORKS!

After copying REGEDIT.EXE to REG.COM, still had problems.  If you go and make the 'required' registry changes, when you go back in, the changes have already been overwritten with the incorrect changes.

The 3 sites said there would only be 3 infected files to be deleted and 3 registry entries to be changed.  There was 15 files to be deleted.

Thanks and Its Miller time,
Grant  8)


Clusterheadaches.com Message Board » Powered by YaBB 1 Gold - SP 1.3.1!
YaBB © 2000-2003. All Rights Reserved.