Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Yaha-A.
More Information
W32/Yaha-A is an internet worm which spreads using its own SMTP engine. The worm arrives in an email message with the following characteristics:
Subject:
Melt the Heart of your Valentine with this beautiful Screen saver
or
Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Attachment: valentin.scr
If the attached program is opened, it runs as a screen saver but also copies itself to C:\recycled under the filenames msmdm.exe and msscra.exe.
The worm changes the registry key
HKCR\exefile\shell\open\command
so that the worm file msmdm.exe is run before any file with the extension EXE.
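A defender-side check for the handler change described above, as an added example that is not part of the original description: it parses `reg query` style output and flags an exefile open command that differs from the Windows default `"%1" %*`. The sample registry output and the hijacked value are constructed for illustration; the description does not give the exact string the worm writes.

```python
import re

# Windows default for HKCR\exefile\shell\open\command
DEFAULT_EXE_HANDLER = '"%1" %*'
# File names the description says the worm drops into C:\recycled
YAHA_DROPPED = {"msmdm.exe", "msscra.exe"}

def parse_reg_query(text):
    """Parse `reg query` style output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = key path
            current = keys.setdefault(line.strip(), {})
        elif current is not None:          # indented line = name, type, data
            m = re.match(r"\s+(.+?)\s+(REG_\w+)\s*(.*)$", line)
            if m:
                current[m.group(1)] = m.group(3).strip()
    return keys

def check_exefile_handler(reg_text):
    """Return findings for exefile open commands that are not the default."""
    findings = []
    for key, values in parse_reg_query(reg_text).items():
        if not key.lower().endswith(r"exefile\shell\open\command"):
            continue
        data = values.get("(Default)", "")
        if data == DEFAULT_EXE_HANDLER:
            continue
        exes = {n.lower() for n in re.findall(r'[^\\/"\s]+\.exe', data, re.I)}
        findings.append({"key": key, "value": data,
                         "yaha_files": sorted(exes & YAHA_DROPPED)})
    return findings

# Constructed sample inputs (not captured from a real host).
CLEAN = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
'''
HIJACKED = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\recycled\msmdm.exe "%1" %*
'''

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, check_exefile_handler(sample))
```

Any non-default value is reported, so the check also surfaces other programs that insert themselves ahead of EXE files; the `yaha_files` field narrows a finding to the two file names given for this worm.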
W32/Yaha-A uses the Windows address book to find email addresses to send itself to. It also extracts email addresses from files with the extension HT*. The addresses it finds are stored in the files screendback.dll and screend.dll.
The SMTP server used to send the emails is chosen either from the registry or from a list of servers stored inside the worm body.
