W32/Yanz-A is a worm which spreads by emailing itself to addresses found on the infected computer.
When run, W32/Yanz-A performs the following actions:
- copies itself to the Windows system folder as lsasss.exe (a name that mimics the legitimate Windows process lsass.exe with an extra 's') and yanzi.exe
- creates a zip file YanZi.zip in the Windows folder
- creates a BASE64 encoded version of itself as sun.sys in the Windows system folder
- creates a BASE64 encoded version of the zip file as sun_yanzi.sys in the Windows system folder
- displays a message box with the title 'HATA' and the message text 'KERNEL HATASI' (Turkish for 'ERROR' and 'KERNEL ERROR')
- creates the file sun_yanzi.htm containing the text "Sun-Yanzi".
The worm also creates the following registry entry so that it runs automatically on computer restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Kernel = %SYSTEM%\lsasss.exe
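The following is an added example, not Sophos's detection logic or any code from the worm: a host-side check that looks for the dropped files listed above, verifies whether the 'Microsoft Kernel' Run value launches lsasss.exe, and decodes sun.sys (the BASE64 copy of the worm) to confirm it is the same binary as lsasss.exe. The registry is assumed to have been exported as a plain dict, the folder of sun_yanzi.htm is not stated on the page so it is looked for in both folders, and the fixture tree built by build_sample_tree() is constructed for the demo, with an MZ stub standing in for the real executable.

```python
import base64
import hashlib
import ntpath
import os
import tempfile

# Artifact names and the autorun value come from the description above.
SYSTEM_FILES = ("lsasss.exe", "yanzi.exe", "sun.sys", "sun_yanzi.sys")
WINDOWS_FILES = ("YanZi.zip",)
UNLOCATED_FILES = ("sun_yanzi.htm",)   # page gives no folder; checked in both
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Microsoft Kernel"


def find_dropped_files(system_dir, windows_dir):
    """Return paths of the listed artifacts present on disk (case-insensitive)."""
    hits = []
    for folder, names in ((system_dir, SYSTEM_FILES + UNLOCATED_FILES),
                          (windows_dir, WINDOWS_FILES + UNLOCATED_FILES)):
        if not os.path.isdir(folder):
            continue
        wanted = {n.lower() for n in names}
        for entry in os.listdir(folder):
            path = os.path.join(folder, entry)
            if entry.lower() in wanted and os.path.isfile(path):
                hits.append(path)
    return sorted(hits)


def autorun_points_at_worm(run_values):
    """run_values: {value name: data} exported from the Run key above.

    True when the 'Microsoft Kernel' value starts lsasss.exe from any folder;
    the page says %SYSTEM%, but matching on the file name alone is more robust.
    """
    data = run_values.get(RUN_VALUE, "").strip().strip('"')
    return ntpath.basename(data).lower() == "lsasss.exe"


def decode_base64_copy(sys_path):
    """sun.sys holds the worm body in BASE64; decode it back to raw bytes.

    Line breaks inside the file are discarded by b64decode (validate=False is the default).
    """
    with open(sys_path, "rb") as fh:
        return base64.b64decode(fh.read())


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan(system_dir, windows_dir, run_values):
    """Run all checks and return a report a responder can act on."""
    report = {
        "dropped": find_dropped_files(system_dir, windows_dir),
        "autorun": autorun_points_at_worm(run_values),
        "sun_sys_is_pe": False,
        "sun_sys_matches_lsasss": False,
    }
    sun_sys = os.path.join(system_dir, "sun.sys")
    lsasss = os.path.join(system_dir, "lsasss.exe")
    if os.path.isfile(sun_sys):
        body = decode_base64_copy(sun_sys)
        report["sun_sys_is_pe"] = body.startswith(b"MZ")   # DOS header of every PE
        if os.path.isfile(lsasss):
            report["sun_sys_matches_lsasss"] = (
                hashlib.sha256(body).hexdigest() == sha256_file(lsasss))
    return report


def build_sample_tree():
    """Constructed fixture: a fake infected tree. The 'executable' is an MZ stub,
    not worm code, and the registry is simulated as a dict."""
    root = tempfile.mkdtemp(prefix="yanz_demo_")
    windows_dir = os.path.join(root, "WINDOWS")
    system_dir = os.path.join(windows_dir, "system32")
    os.makedirs(system_dir)
    stub = b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE body\n"
    for name in ("lsasss.exe", "yanzi.exe"):
        with open(os.path.join(system_dir, name), "wb") as fh:
            fh.write(stub)
    with open(os.path.join(system_dir, "sun.sys"), "wb") as fh:
        fh.write(base64.encodebytes(stub))          # line-wrapped like MIME output
    with open(os.path.join(windows_dir, "YanZi.zip"), "wb") as fh:
        fh.write(b"PK\x05\x06" + b"\x00" * 18)     # empty zip archive
    run_values = {RUN_VALUE: r"C:\WINDOWS\system32\lsasss.exe"}   # constructed value
    return system_dir, windows_dir, run_values


if __name__ == "__main__":
    system_dir, windows_dir, run_values = build_sample_tree()
    for key, value in scan(system_dir, windows_dir, run_values).items():
        print(f"{key}: {value}")
```

The hash comparison is the useful part for a responder: if the decoded sun.sys and lsasss.exe agree, one sample is enough to submit and to hunt for by hash, and the BASE64 file is not a second, different payload.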
W32/Yanz-A will also attempt to copy itself to root folders and to shared folders whose path contains the string 'shar', using any of the following filenames (note the double extensions, which disguise an executable as a media file):
Sun YanZi.avi.exe
Sun YanZi.mpg.exe
Sun YanZi.mpeg.exe
Sun YanZi - Shen Qi.exe
Sun YanZi - I am not sad.mp3.exe
Sun YanZi - Leave me alone.mp3.exe
Sun YanZi - forever.mp3.exe
Stephan YanZi.Mp3.exe
Sun-YanZi.mp3.exe
Emails sent by the worm have the following characteristics:
The subject line is chosen at random from the following:
'SuN YanZi'
'Sun-YanZi'
'Guvenlik' (Turkish for 'Security')
'Sun-YanZi Mp3'
'Free MP3'
'Love and SuN YanZi'
'Forever Sun Yanzi'
The message body is chosen at random from the following:
'I don't want anything. I want to see Sun YanZi'
'My Favourite is Sun YanZi.'
'I want to meet Sun YanZi. I am loving Sun-YanZi Magic.'
'You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.'
The attachment filename is chosen at random from the following:
'SunYanzi'
'Sun_Yanzi'
'Sun_Yanzi_Mp3'
'Love_Sun'
'Stephan_Yanzi'
with the attachment extension chosen at random from the following:
'.zip'
'.scr'
'.pif'
'.cmd'
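Because every subject, body, attachment name and share filename above comes from a short closed list, a mail gateway or file-server monitor can match them exactly after case folding. The following is an added example covering both the share-spreading names and the email templates; it is not Sophos's detection logic or code from the worm. It assumes 'root folders' means drive roots such as C:\, treats any path containing 'shar' as a shared folder, and the sample messages in SAMPLE_MESSAGES are constructed, not captured worm traffic.

```python
import ntpath

# Closed lists from the description above.
SHARE_LURES = (
    "Sun YanZi.avi.exe", "Sun YanZi.mpg.exe", "Sun YanZi.mpeg.exe",
    "Sun YanZi - Shen Qi.exe", "Sun YanZi - I am not sad.mp3.exe",
    "Sun YanZi - Leave me alone.mp3.exe", "Sun YanZi - forever.mp3.exe",
    "Stephan YanZi.Mp3.exe", "Sun-YanZi.mp3.exe",
)
SUBJECTS = ("SuN YanZi", "Sun-YanZi", "Guvenlik", "Sun-YanZi Mp3",
            "Free MP3", "Love and SuN YanZi", "Forever Sun Yanzi")
BODIES = (
    "I don't want anything. I want to see Sun YanZi",
    "My Favourite is Sun YanZi.",
    "I want to meet Sun YanZi. I am loving Sun-YanZi Magic.",
    "You must to listen Sun-Yanzi. I am enjoying to listen Sun YanZi.",
)
ATTACH_BASES = ("SunYanzi", "Sun_Yanzi", "Sun_Yanzi_Mp3", "Love_Sun", "Stephan_Yanzi")
ATTACH_EXTS = (".zip", ".scr", ".pif", ".cmd")


def _norm(text):
    """Case-fold and collapse whitespace; the worm's own casing is inconsistent."""
    return " ".join(text.split()).casefold()


# Expand the 5 x 4 attachment grid once: these 20 names are the only ones it sends.
ATTACHMENT_NAMES = frozenset(_norm(b + e) for b in ATTACH_BASES for e in ATTACH_EXTS)
SHARE_LURE_NAMES = frozenset(_norm(n) for n in SHARE_LURES)
SUBJECT_SET = frozenset(_norm(s) for s in SUBJECTS)
BODY_SET = frozenset(_norm(b) for b in BODIES)


def is_share_lure(dest_folder, filename):
    """Flag a write of a lure name into a drive root or a folder whose path contains 'shar'."""
    folder = dest_folder.rstrip("\\/")
    is_root = len(folder) == 2 and folder[1] == ":"       # 'C:' once the trailing '\' is gone
    is_shared = "shar" in folder.casefold()                # assumption: how 'shared' is spotted
    return (is_root or is_shared) and _norm(ntpath.basename(filename)) in SHARE_LURE_NAMES


def classify_email(subject, body, attachments):
    """Return the reasons a message matches the worm's templates; empty means no match."""
    reasons = []
    if _norm(subject) in SUBJECT_SET:
        reasons.append("subject")
    if _norm(body) in BODY_SET:
        reasons.append("body")
    for name in attachments:
        if _norm(ntpath.basename(name)) in ATTACHMENT_NAMES:
            reasons.append("attachment:" + name)
    return reasons


def verdict(reasons):
    """A matching attachment name is enough to block; template text alone only warrants review,
    since a subject such as 'Free MP3' also occurs in legitimate mail."""
    if any(r.startswith("attachment:") for r in reasons):
        return "block"
    if "subject" in reasons and "body" in reasons:
        return "review"
    return "deliver"


# Constructed sample traffic (not captured worm output).
SAMPLE_MESSAGES = [
    {"subject": "Free MP3", "body": "My Favourite is Sun YanZi.",
     "attachments": ["Sun_Yanzi_Mp3.scr"]},
    {"subject": "Forever Sun Yanzi",
     "body": "I don't want anything. I want to see Sun YanZi", "attachments": []},
    {"subject": "Free MP3", "body": "Here is the playlist we discussed.",
     "attachments": ["playlist.m3u"]},
]


def scan_messages(messages):
    return [verdict(classify_email(m["subject"], m["body"], m["attachments"]))
            for m in messages]


if __name__ == "__main__":
    for msg, v in zip(SAMPLE_MESSAGES, scan_messages(SAMPLE_MESSAGES)):
        print(v, "|", msg["subject"], "|", msg["attachments"])
    print(is_share_lure(r"\\fileserver\Shared\music", "Sun YanZi - forever.mp3.exe"))
```

Exact matching on a closed list is deliberately narrow: it catches this worm with no false positives on the names, but a repacked variant with new strings would need a different rule, which is why the file-level checks (the dropped files and the Run value) remain the primary host indicators.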