W32/Yaha-P

Category: Viruses and Spyware
Protection available since: 24 Sep 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 24 Sep 2003 00:00:00 (GMT)
Prevalence: Small Number of Reports


W32/Yaha-P is a worm from the Yaha family.

Preliminary analysis shows that W32/Yaha-P shares many of the characteristics of W32/Yaha-E (currently the most prevalent variant in this family), including:

  • Sending out email using its own SMTP client

  • Terminating Task Manager to make it hard to stop the worm's process

  • Using a wide range of attachment names

  • Using realistic (though not business-like) email message text

  • Terminating a range of security and anti-virus programs


Note that W32/Yaha-P stores itself on your hard disk under different file names to those used by W32/Yaha-E. W32/Yaha-P places the files mstask32.exe and exeloader.exe into your system folder. These files are marked as hidden to make them less noticeable.

W32/Yaha-P changes the registry value:

HKCR\exefile\shell\open\command\(Default)

so that the copy of the worm in the file exeloader.exe is triggered every time you launch an EXE file.

W32/Yaha-P also adds the registry value:

MicrosoftServiceManager="\yoursystemfolder\mstask32.exe"

to the registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

This runs the worm automatically when you start up your PC.
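
A read-only check for the indicators listed above, as an added example (not Sophos code): the PowerShell function below, whose name Test-YahaPIndicators is hypothetical, reports a changed EXE file association, the MicrosoftServiceManager autostart value, and the two dropped files. It assumes the clean Windows default of `"%1" %*` for the exefile open command.

```powershell
# Added example: read-only check for the W32/Yaha-P indicators described on this page.
function Test-YahaPIndicators {
    $findings = @()

    # 1. EXE file association. Assumption: the clean Windows default is "%1" %*
    $expected = '"%1" %*'
    $assoc = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue
    if ($assoc) {
        $current = [string]$assoc.GetValue('')   # '' selects the (Default) value
        if ($current.Trim() -ne $expected) {
            $findings += [pscustomobject]@{ Check = 'exefile open command'; Detail = $current }
        }
    }

    # 2. Autostart entries named on the page (the RunServices key may not exist)
    $runKeys = 'Run', 'RunServices' | ForEach-Object {
        "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\$_"
    }
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Match on the value name or on any entry that launches mstask32.exe
            if ($name -eq 'MicrosoftServiceManager' -or $data -match 'mstask32\.exe') {
                $findings += [pscustomobject]@{ Check = "$path\$name"; Detail = $data }
            }
        }
    }

    # 3. Dropped files in the system folder; -Force is needed to see hidden files
    foreach ($file in 'mstask32.exe', 'exeloader.exe') {
        $full = Join-Path ([Environment]::SystemDirectory) $file
        $item = Get-Item -LiteralPath $full -Force -ErrorAction SilentlyContinue
        if ($item) {
            $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
            $findings += [pscustomobject]@{ Check = "file $full"; Detail = "hidden=$hidden" }
        }
    }
    $findings
}

Test-YahaPIndicators | Format-Table -AutoSize -Wrap
```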
