Win32.Yaha.E
Aliases: I.Worm-Lentin, W32/Yaha.e, Win32.Yaha.D
Win32.Yaha.E is a worm that spreads under Windows 9x/ME/NT/2000 as an e-mail attachment. The name of the attached file that carries the worm varies, but it always has a doubled extension. The worm is compressed with the UPX packer and is 27,757 bytes long. The packed body has additionally been altered so that the packer cannot be readily identified: the author replaced the strings typical of UPX with the character ".".
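The scrubbed UPX strings mean a string match for the packer fails, but the section layout UPX produces is still visible in the PE header. The following is an added example (not Eset's code and not taken from the worm) that parses the section table and reports three indicators: section names consisting only of "." (following the page's note about the replaced strings), names that still begin with UPX, and the packer layout in which the first section has no raw data but a large virtual size while the entry point sits in a later section. The sample headers are constructed in the block itself.

```python
"""Packer heuristics for a PE whose UPX strings were scrubbed. Added
example, not Eset's code. The dotted-name check follows the page's note
that the author replaced the UPX strings with "."; the layout checks
(first section has no raw data but a large virtual size, entry point lies
in a later section) are generic indicators for UPX-style packers, and the
sample headers are constructed here, not taken from the worm."""
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_sections(data):
    """Return (AddressOfEntryPoint, list of section dicts) from PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            data, table + i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_size": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return entry, sections


def packer_indicators(data):
    """Return the indicator tags that fire on this PE, in a fixed order."""
    entry, secs = parse_sections(data)
    names = [s["name"] for s in secs]
    found = []
    if names and all(n and set(n) <= {"."} for n in names):
        found.append("section-names-scrubbed")
    if any(n.startswith("UPX") for n in names):
        found.append("upx-section-names")
    if secs and secs[0]["raw_size"] == 0 and secs[0]["virtual_size"] > 0:
        found.append("empty-first-section")
    ep_idx = next((i for i, s in enumerate(secs)
                   if s["va"] <= entry < s["va"] + max(s["virtual_size"], s["raw_size"])),
                  None)
    if ep_idx is not None and ep_idx > 0 and "empty-first-section" in found:
        found.append("entry-in-later-section")
    return found


def build_sample_pe(names, packed=True):
    """Construct a minimal PE32 header with three sections (constructed
    test data only, no code). packed=True mimics the UPX section layout."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x23000 if packed else 0x1100)  # entry point
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    layout = [  # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        (0x20000, 0x1000, 0 if packed else 0x20000, 0x400),
        (0x5000, 0x21000, 0x5000, 0x20400),
        (0x1000, 0x26000, 0x1000, 0x25400),
    ]
    table = b"".join(
        SECTION_HEADER.pack(n.ljust(8, b"\0")[:8], vs, va, rs, rp, 0, 0, 0, 0, 0xE0000040)
        for n, (vs, va, rs, rp) in zip(names, layout))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for names in ([b"UPX0", b"UPX1", b".rsrc"], [b"....", b"....", b"....."]):
        print(names, packer_indicators(build_sample_pe(names)))
```

The layout checks are what survive string scrubbing: a packer still has to reserve an empty section to unpack into and start execution in its stub, so those two indicators fire whether the names read "UPX0" or "....".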
The worm can run on the target computer automatically. This happens only if the mail client has not been patched against the Incorrect MIME Header vulnerability and the message carrying the worm has been crafted to exploit it.
The vulnerability is described in Microsoft Security Bulletin MS01-020 at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp.
For safety reasons the patch for this vulnerability must be installed; it is available at www.microsoft.com/windows/ie/downloads/critical/q321232.
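Both tricks described above can be checked at the mail gateway before the message reaches a client. The following is an added example (not Eset's code) that parses a raw message and flags attachments with a doubled extension, and MIME parts whose declared Content-Type is a harmless media type while the file name is executable, which is how the MS01-020 bug was abused in the wild. The list of auto-open Content-Types and the sample message are assumptions constructed for the example; the page does not enumerate them.

```python
"""Triage e-mail attachments for the two tricks described above: a doubled
extension on the attachment name, and a MIME part whose declared
Content-Type is a harmless media type while the file name is executable
(the pattern used against the MS01-020 "Incorrect MIME Header" bug).
Added example, not Eset's code; the sample message is constructed here."""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows executes when the attachment is opened.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions placed before the real one (e.g. name.txt.scr).
DECOY_EXTS = {"txt", "doc", "jpg", "gif", "htm", "html", "mp3", "avi", "zip"}
# Content-Types an unpatched client would auto-open (illustrative list,
# an assumption for this example; the page does not enumerate them).
AUTO_OPEN_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic",
                   "image/gif", "video/x-msvideo"}


def classify_attachment(filename, content_type):
    """Return the findings for one attachment as a list of tags."""
    findings = []
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    exts = base.split(".")[1:]          # every extension after the base name
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    if exts and exts[-1] in EXECUTABLE_EXTS and content_type.lower() in AUTO_OPEN_TYPES:
        findings.append("mime-type-mismatch")
    return findings


def triage_message(raw_bytes):
    """Parse a raw RFC 822 message and report suspicious attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue                     # body text, not an attachment
        findings = classify_attachment(name, part.get_content_type())
        if findings:
            results.append((name, part.get_content_type(), findings))
    return results


def build_sample_message():
    """Constructed sample: one Yaha-style screensaver declared as audio,
    one double-extension image, one ordinary PDF. The attachment bytes
    are placeholders, not real malware."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Friendship Screen Saver"
    msg.set_content("Enjoy this friendship Screen Saver and check your friends circle")
    msg.add_attachment(b"MZ placeholder", maintype="audio", subtype="x-wav",
                       filename="friendship.txt.scr")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Photo.JPG.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


SAMPLE_EML = build_sample_message()

if __name__ == "__main__":
    for name, ctype, findings in triage_message(SAMPLE_EML):
        print(f"{name:24} {ctype:26} {', '.join(findings)}")
```

The classification keys on the last extension only, so a name such as Photo.JPG.exe is caught regardless of case, and the MIME check fires only when the declared type is one a client would open without asking, which is the combination an unpatched client actually executes.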
The worm installs itself into c:\recycler, c:\recycled, or the directory in which Windows is installed.
To spread, the worm harvests e-mail addresses from the Windows Address Book, MSN Messenger, the Yahoo Pager list, ICQ contacts, and files whose extension begins with HT (HTML, HTA, HTM, etc.).
Under Windows NT the worm's process appears in Task Manager, but it disappears from the task list after a short time, so the active worm cannot be terminated from Task Manager. The worm terminates processes with the following names:
• SCAM32
• SIRC32
• WINK
• ZONEALARM
• AVP32
• LOCKDOWN2000
• AVP.EXE
• CFINET32
• CFINET
• ICMON
• SAFEWEB
• WEBSCANX
• ANTIVIR
• MCAFEE
• NORTON
• NVC95
• FP-WIN
• IOMON98
• PCCWIN98
• F-PROT95
• F-STOPW
• PVIEW95
• NAVWNT
• NAVRUNR
• NAVLU32
• NAVAPSVC
• NISUM
• SYMPROXYSVC
• RESCUE32
• NISSERV
• ATRACK
• IAMAPP
• LUCOMSERVER
• LUALL
• NMAIN
• NAVW32
• NAVAPW32
• VSSTAT
• VSHWIN32
• AVSYNMGR
• AVCONSOL
• WEBTRAP
• POP3TRAP
• PCCMAIN
• PCCIOMON
Moreover, on the infected computer the worm prevents any program whose process bears one of the names above from running. The list consists mainly of anti-virus and security products.
If Win32.Yaha.E is run from a file with the extension SCR, it displays characters and shakes the screen. The screen looks roughly as follows:
(screenshot not reproduced in this copy)
The e-mail message carrying the worm is assembled in a complex way: its subject and body are composed at random from a list of phrases intended to arouse the recipient's interest so that the attachment gets opened.
When the worm spreads as a screensaver, the message body may also contain the following sentences (reproduced as they appear in the worm):
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address /remove?freescreensaver
* Enter your email address ( to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.
* To remove yourself from this mailing list, point your browser to:
http://
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.***********************************************************
This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
If you do so, please include this problem report. You can
delete your own text from the message returned below.
Copy of your message, including all the headers is attached
For further assistance, please contact < postmaster
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:
Win32/Yaha.E also spreads over shared network drives. It tries to create a copy of itself named MSTASKMON.EXE in the directories WINXP, WINME, WIN, WINNT, WIN95, WIN98 and WINDOWS, and modifies the file WIN.INI so that this copy is started. This does not succeed under Windows NT, where, as the original entry notes, the file WIN.INI is not present.
In the directory containing the operating system the worm creates a file with a random name and the extension .txt, containing the following text:
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & fUCk tHE GFORCE-pAK shites
bY
sNAkeeYes,c0Bra
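The share-spreading behaviour and the dropped marker file give an administrator three filesystem indicators to look for on a mounted share or a system drive. The following is an added example (not Eset's code) that scans the well-known Windows directory names for a copy of MSTASKMON.EXE, a WIN.INI that references it, and a small .txt file carrying the marker text above. The fixture it scans is constructed in a temporary directory; the run= line in that fixture's WIN.INI is an assumption about how the copy is activated, since the page only says the file is modified.

```python
"""Scan a mounted share or a system drive for the Yaha.E artefacts the
page lists: a copy named MSTASKMON.EXE in one of the well-known Windows
directories, a WIN.INI there that references it, and a random-named .txt
carrying the worm's marker text. Added example, not Eset's code. The
run= line in the fixture's WIN.INI is an assumption about how the copy is
activated (the page only says WIN.INI is modified); the fixture itself is
constructed in a temporary directory."""
import os
import re
import tempfile

WINDOWS_DIRS = {"WINXP", "WINME", "WIN", "WINNT", "WIN95", "WIN98", "WINDOWS"}
DROPPED_COPY = "mstaskmon.exe"
DROPPED_REF = re.compile(rb"mstaskmon\.exe", re.IGNORECASE)
MARKER_TEXT = re.compile(rb"iNDian sNakes pResents yAha\.E")
MAX_TEXT_SIZE = 64 * 1024      # the marker file is tiny; skip big .txt files


def scan_root(root):
    """Return sorted (indicator, path) pairs found directly under root."""
    hits = []
    for dirname in os.listdir(root):
        if dirname.upper() not in WINDOWS_DIRS:
            continue               # the worm only targets these directory names
        windir = os.path.join(root, dirname)
        if not os.path.isdir(windir):
            continue
        for entry in os.listdir(windir):
            full = os.path.join(windir, entry)
            low = entry.lower()
            if not os.path.isfile(full):
                continue
            if low == DROPPED_COPY:
                hits.append(("dropped-copy", full))
            elif low == "win.ini":
                with open(full, "rb") as fh:
                    if DROPPED_REF.search(fh.read()):
                        hits.append(("win-ini-autorun", full))
            elif low.endswith(".txt") and os.path.getsize(full) <= MAX_TEXT_SIZE:
                with open(full, "rb") as fh:
                    if MARKER_TEXT.search(fh.read()):
                        hits.append(("marker-text", full))
    return sorted(hits)


def build_fixture():
    """Create a constructed directory tree that mimics an infected share
    (placeholder bytes, no real executable content) and return its root."""
    root = tempfile.mkdtemp(prefix="yaha-fixture-")
    windir = os.path.join(root, "WINDOWS")
    os.makedirs(windir)
    with open(os.path.join(windir, "MSTASKMON.EXE"), "wb") as fh:
        fh.write(b"MZ placeholder, not the worm")
    with open(os.path.join(windir, "WIN.INI"), "w") as fh:
        fh.write("[windows]\nload=\nrun=C:\\WINDOWS\\MSTASKMON.EXE\n")  # assumed mechanism
    with open(os.path.join(windir, "kx9q2.txt"), "wb") as fh:
        fh.write(b"iNDian sNakes pResents yAha.E\r\n")
    with open(os.path.join(windir, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    other = os.path.join(root, "Program Files")
    os.makedirs(other)
    with open(os.path.join(other, "MSTASKMON.EXE"), "wb") as fh:
        fh.write(b"MZ")                # outside the targeted directories: ignored
    return root


if __name__ == "__main__":
    for indicator, path in scan_root(build_fixture()):
        print(f"{indicator:16} {path}")
```

Run it with the root of each mounted share in place of the fixture. Matching is case-insensitive because the worm writes the names in upper case while shares from Windows 9x hosts may present them in any case, and the .txt check is bounded by size so a large log file in the Windows directory is not read in full.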
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.