Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Please read the instructions for removing W32/Yaha-B.
More Information
W32/Yaha-B is a Win32 worm which makes two copies of itself in C:\Recycled. The first copy has a name made up of five randomly generated characters and an EXE extension; the second has the same name with an extra "f" on the end.
The worm then sets the following registry value so that the worm is run first whenever an EXE file is executed:
HKCR\exefile\shell\open\command\(default)
= "C:\Recycled\<name>.exe %1 %*"
When the worm is executed, it starts a screensaver that manipulates the Desktop display. The user can exit this screensaver in the usual manner.
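The registry change described above can be checked from an exported copy of the key. The following is an added example, not part of the original analysis or any Sophos tool: it reads regedit-style export text, compares the exefile open command with the stock Windows value `"%1" %*`, and reports any program placed in front of `%1`. The function names and the two sample exports are constructed for illustration, with "abcde" standing in for the worm's random five-character name.

```python
import re

# Stock Windows handler for .exe files: launch the clicked program itself.
DEFAULT_EXE_HANDLER = '"%1" %*'
# regedit exports spell HKCR out in full.
KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"

# Constructed sample exports (assumed already decoded to text).
CLEAN = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
INFECTED = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Recycled\\abcde.exe %1 %*"
'''

def exefile_default(reg_text):
    """Return the (default) value of the exefile open command, or None."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
        elif in_key and line.startswith('@="') and line.endswith('"'):
            # .reg string data escapes backslash and double quote with a backslash.
            return re.sub(r'\\(["\\])', r"\1", line[3:-1])
    return None

def check_exe_handler(reg_text):
    """Return ('ok' | 'missing' | 'hijacked', program placed before %1 or None)."""
    value = exefile_default(reg_text)
    if value is None:
        return ("missing", None)
    if value.strip().lower() == DEFAULT_EXE_HANDLER:
        return ("ok", None)
    # Anything in front of %1 runs before (or instead of) the requested EXE.
    m = re.match(r'\s*(?:"([^"]+)"|(.+?))\s+"?%1"?', value)
    program = (m.group(1) or m.group(2)) if m else value
    return ("hijacked", program)

def matches_yaha_b_path(program):
    """True for C:\\Recycled\\<five characters>.exe, the location given above."""
    return re.fullmatch(r"c:\\recycled\\[^\\]{5}\.exe", program, re.I) is not None

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_exe_handler(text))
```

Any "hijacked" result means the EXE file association needs restoring, whether or not the path matches the W32/Yaha-B pattern.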
W32/Yaha-B sends itself as an attachment to emails with the following characteristics:
Subject line:
Enjoy this friendship-joke Screen Saver!!!!
or
Fw : Enjoy this friendship-joke Screen Saver!!!!
or
Have a nice day!!!!
Message body:
This email is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message. Enjoy this friendship-joke Screen Saver and Check ur friends circle... Send this screensaver from www.friendship.com to everyone you consider a
FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a cirle of friends.
*To remove yourself from this mailing list, point your browser to: http://friendship.com/remove?freescreensaver *Enter your email address (<user's email address>) in the field provided and click "Unsubscribe". OR... *Reply to this message with the word "REMOVE" in the subject line. This message was sent to address <user's email address> X-PMG-Recipient: <user's email address>
Attached file:
Friends.scr
The emails are sent to addresses from the Windows Address Book (WAB) and to addresses found in *.HT* files.
This worm will also attempt to send SMS messages to <number>@bplmobile.com and <number>@escotelmobile.com, where <number> is randomly generated apart from an initial five-digit code.
The Internet Explorer start-up page will be changed to one of the following seven addresses: www.malayalmanorama.com, www.asianetglobal.com, www.kerala.com, www.india.com, www.malayalamchannel.com, www.sunnt.com/suryatv, www.achayans.com.
A plain text file with the same randomly generated name as the copy of the worm in C:\Recycled will be dropped in the Windows directory.
