W32/Yaha-X

Category: Viruses and Spyware    Protection available since: 28 10 2003 00:00:00 (GMT)
Type: Win32 worm    Last updated: 28 10 2003 00:00:00 (GMT)
Prevalence:


W32/Yaha-X is a worm which spreads by emailing itself via SMTP to addresses extracted from various sources on the victim's computer (e.g. the Windows Address Book) and by copying itself to network shares and other fixed drives connected to the computer.

The worm copies itself to the Windows System folder as CMDE32.EXE and MEXPLORE.EXE and adds the following entries to the registry to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MS Explorer = <Windows system>\MEXPLORE.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MS Explorer = <Windows system>\MEXPLORE.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
MS Explorer = <Windows system>\MSEXPLORE.EXE

The worm also changes WIN.INI to run itself on system restart.

W32/Yaha-X changes the values in the following registry keys so that the worm is run before all EXE, SCR, PIF, COM and BAT files:

HKCR\exefile\shell\open\command
HKCR\scrfile\Shell\open\command
HKCR\piffile\shell\open\command
HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command

W32/Yaha-X drops text files called HOSTS and LMHOSTS within the Windows folder which contain the following URLs preceded by the IP address 127.0.0.1:

www.sophos.com
www.symantec.com
www.microsoft.com
www.trendmicro.com
www.avp.ch
www.mcafee.com
www.pandasoftware.com
www3.ca.com
www.ca.com
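The file-association hijack and the HOSTS sinkholing described above both leave artifacts an administrator can check for without running the worm. The following script is an added example written for this page, not Sophos code: it flags any HOSTS line that maps one of the vendor sites listed above to 127.0.0.1, and flags any of the five HKCR shell\open\command values that no longer starts with the "%1" placeholder (i.e. something else has been inserted to run before the real file). Registry values are passed in as plain strings so the logic runs on any OS; the hijacked command string in the sample is constructed for illustration, since the advisory does not quote the exact value the worm writes.

```python
"""Defender-side checks for two W32/Yaha-X artifacts:
hijacked executable-type open commands and a HOSTS file that
sinkholes security vendor sites.  Example code, not from Sophos."""
import re

# Domains the advisory lists as redirected to 127.0.0.1 in HOSTS/LMHOSTS.
YAHA_HOSTS_TARGETS = {
    "www.sophos.com", "www.symantec.com", "www.microsoft.com",
    "www.trendmicro.com", "www.avp.ch", "www.mcafee.com",
    "www.pandasoftware.com", "www3.ca.com", "www.ca.com",
}

# File types whose HKCR\<type>\shell\open\command the worm rewrites.
HIJACKED_TYPES = ("exefile", "scrfile", "piffile", "batfile", "comfile")

# A clean open command starts with the %1 placeholder (quoted or not),
# e.g. "%1" %* for exefile.  Anything placed in front of it runs first.
_CLEAN_COMMAND = re.compile(r'^"?%1"?(\s|$)')


def sinkholed_vendor_hosts(hosts_text):
    """Return (ip, hostname) pairs from a HOSTS file body that point a
    listed vendor site at 127.0.0.1 (or 0.0.0.0), in order of appearance."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if ip not in ("127.0.0.1", "0.0.0.0"):
            continue
        for name in names:
            if name.lower() in YAHA_HOSTS_TARGETS:
                hits.append((ip, name.lower()))
    return hits


def hijacked_open_commands(command_values):
    """Given {file_type: default value of shell\\open\\command}, return the
    file types whose command does not begin with the %1 placeholder.
    A missing or empty value is reported too, since that also means the
    key has been tampered with."""
    flagged = []
    for file_type in HIJACKED_TYPES:
        value = (command_values.get(file_type) or "").strip()
        if not _CLEAN_COMMAND.match(value):
            flagged.append(file_type)
    return flagged


# --- constructed sample input (not captured from a real infection) ---
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.sophos.com
127.0.0.1 www.symantec.com   # constructed entry
10.0.0.5  intranet.example
127.0.0.1 www.mcafee.com
"""

SAMPLE_COMMANDS = {
    # Hypothetical hijacked value: worm binary inserted before "%1".
    "exefile": r'C:\WINNT\System32\MEXPLORE.EXE "%1" %*',
    "scrfile": '"%1" /S',
    "piffile": '"%1" %*',
    "batfile": r'C:\WINNT\System32\MEXPLORE.EXE "%1" %*',
    "comfile": '"%1" %*',
}


def main():
    for ip, name in sinkholed_vendor_hosts(SAMPLE_HOSTS):
        print(f"HOSTS sinkhole: {name} -> {ip}")
    for file_type in hijacked_open_commands(SAMPLE_COMMANDS):
        print(f"Hijacked open command: HKCR\\{file_type}\\shell\\open\\command")


if __name__ == "__main__":
    main()
```

On a live Windows host the same functions can be fed the contents of %SystemRoot%\HOSTS and the values read from the five HKCR keys; the checks are deliberately written against the structure of the artifacts (placeholder position, vendor names mapped to loopback) rather than the worm's exact file names, so they also catch variants that use a different dropped executable.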

W32/Yaha-X attempts to exploit the IFRAME vulnerability in certain versions of Microsoft Internet Explorer and Outlook Express, which allows automatic execution of files attached to emails when the email is viewed.

Microsoft has issued a patch which secures against the incorrect MIME header vulnerability and the IFRAME vulnerability. This can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS01-027.asp.
(This patch fixes a number of vulnerabilities in Microsoft's software, including the ones exploited by this worm.)

W32/Yaha-X may attempt to modify WIN.INI so that it is run when the system is restarted.

W32/Yaha-X may also drop a plugin which allows it to record keystrokes which may subsequently be emailed to an external address.

Please refer to W32/Yaha-T for further details.
