Yaha screensaver worm spreading
Saturday, February 28, 2004 - 09:11 PM CCT
The Yaha.e mass-mailing worm masquerades as a friendly screensaver. Since June 15, 2002, the antivirus software company MessageLabs has stopped more than 21,000 copies, proving that users worldwide are still opening attached files from total strangers. Yaha.e, also known as Lentin.e, Yaha.f, and Yaha.g, is a successful variant of a worm first seen around Valentine's Day this year. Yaha.e, believed to be from India, is 29,948 bytes in length and spreads via e-mail contacts it finds in cached Web pages (files ending with HTM, HTML, HTA) as well as contacts found in Microsoft Messenger or the victim's ICQ database. This worm does not affect Mac, Linux, or Unix users. Because this worm just spreads itself but doesn't damage files.
How it works
Yaha arrives via e-mail with a forged return address that contains the word share, friend, love, or screensaver, followed by the domain suffix .com or .org. The subject may say "friendly screensaver" or mention the words friendship or love. The body text varies. The attached file name may start with one of the following words:
loveletter
resume
love
weeklyreport
goldfish
report
mountan
biodata
dailyreport
lovegreetings
shakingfriendship
The attached file name may carry one of the following file-type extensions: WAV, DOC, MP3, BMP, JPG, GIF, TXT, XLS, HTM, MPG, ZIP, DAT, followed by a second extension: .pif, .bat, or .scr.
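A mail-gateway style check for the attachment naming pattern described above, as an added example that is not part of the original article: it flags names whose final extension is .pif, .bat, or .scr sitting behind one of the listed file types. The function names, verdict labels, and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Name prefixes, decoy file types and executable extensions as listed in the article.
PREFIXES = ("loveletter", "resume", "love", "weeklyreport", "goldfish", "report",
            "mountan", "biodata", "dailyreport", "lovegreetings", "shakingfriendship")
DECOY_TYPES = {"wav", "doc", "mp3", "bmp", "jpg", "gif", "txt", "xls",
               "htm", "mpg", "zip", "dat"}
EXEC_EXTS = {"pif", "bat", "scr"}


def classify_attachment(filename):
    """Return 'match', 'suspicious' or 'no_match' for one attachment name."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return "no_match"
    # Executable final extension hidden behind a document or media extension.
    double_ext = len(parts) >= 3 and parts[-2] in DECOY_TYPES
    if double_ext and parts[0].startswith(PREFIXES):
        return "match"
    return "suspicious"  # executable attachment, but not the full pattern


def scan_message(raw_bytes):
    """Map each attachment filename in a raw e-mail message to its verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return {part.get_filename(): classify_attachment(part.get_filename())
            for part in msg.iter_attachments() if part.get_filename()}


def build_sample():
    """Constructed test message; addresses, names and contents are made up."""
    m = EmailMessage()
    m["From"] = "friend@screensaver.example"
    m["To"] = "user@corp.example"
    m["Subject"] = "friendly screensaver"
    m.set_content("constructed sample body")
    for name in ("loveletter.doc.scr", "notes.txt", "setup.bat"):
        m.add_attachment(b"x", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()
```

The "suspicious" verdict covers any .pif, .bat, or .scr attachment that lacks the listed prefix or decoy type, since the article notes that the name and body text vary.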
If executed, Yaha copies itself to the Recycle and the Windows directories using a random name followed by EXE. The worm then modifies the Registry to allow itself to run every time the computer is rebooted:
HKEY_CLASSES_ROOT\exefile\shell\open\command = "c:recyclerkiek" %1 %*
The worm tries to delete a number of processes running on the computer, including most major antivirus software. It then runs a screensaver that shakes the desktop screen and displays the following text messages:
True Love never Ends
U r My Best Friend
U r so cute today #!#!
Prevention
Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from the attached files in Yaha.e. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Yaha.e.
Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection on contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, McAfee (as Yaha.g), Norman, Sophos, Symantec, or Trend Micro.