Sophos

W32/Yaha-E

Aliases
  • I-Worm.Lentin.g
  • W32/Yaha.g@MM
  • I-worm/Yaha.D
  • W32.Yaha.F@mm
  • Win32/Yaha.E
Summary

 
Detected by All Sophos products
More Information


W32/Yaha-E is a worm which spreads via email. The worm has its own SMTP client software and uses either an SMTP server found by examining the Windows registry or one from a list contained within the worm itself.

The email sent by the worm is highly variable and may contain a spoofed "From" field, meaning that the source of the email as displayed by the user's email client is not necessarily the email's genuine origin.

The subject of the email is created from a combination of words and phrases from the following list:
searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
Hi
U realy Want this
Romantic
humour
New
Wonderfool
excite
Cool
charming
Idiot
Nice
Bullshit
One
Funny
Great
LoveGangs
Shaking
powful
Joke
Interesting
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share

The message text begins:

"Hi dear
check the attach
see u"

"Hi
Check the Attachment ..
See u"

"Attached one Gift for u.."

"wOW CHECK THIS"

"Check the attachment"

"See the attachement"

"Enjoy the attachement"

or

"More details attached"

The remainder of the message may contain the following text resembling a
forwarded email. The From and Subject fields of the forwarded message are
also variable but the message will always contain the text:

"This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from <web address> to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
<web address>
* Enter your email address (<sender's address>) in the field provided
and click "Unsubscribe".

OR...

* Reply to this message with the word "REMOVE" in the subject line.

This message was sent to address <sender's address>
X-PMG-Recipient: <sender's address>
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>"

The attachment filename is made up of three parts: a name and two extensions.

The name is chosen from:

screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
fucker
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love

The first extension is chosen from:

doc
mp3
xls
wav
txt
jpg
gif
dat
bmp
htm
mpg
mdb
zip

The second extension is chosen from:

pif
bat
scr

Alternatively, an email may be sent that appears to come from the MAILER-DAEMON of the recipient's domain,
e.g. MAILER-DAEMON@domain.com.

This email will have the subject line

"Undelivered Mail Returned to Sender -<random name>".

The body of the email will resemble the type of message received when an email cannot be delivered.

"This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed: <random address>
For further assistance, please contact <postmaster@domain.com>
If you do, please include this problem report. You can delete your own
text from the message returned below.
Copy of your message, including all the headers is attached."

The header shown in the message text is fake; the attachment is a copy of the worm.
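As an added defensive example (not code from the Sophos page), the following Python filter flags messages that match the attachment naming scheme described above (decoy first extension plus a .pif/.bat/.scr second extension) and the fake "Undelivered Mail Returned to Sender" lure. The Message fields and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions from the Yaha-E description: a decoy first extension followed by
# an executable second one, e.g. friendship.jpg.scr
DECOY_EXTENSIONS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif",
                    "dat", "bmp", "htm", "mpg", "mdb", "zip"}
EXECUTABLE_EXTENSIONS = {"pif", "bat", "scr"}
BOUNCE_SUBJECT = re.compile(r"^Undelivered Mail Returned to Sender\s*-", re.IGNORECASE)

@dataclass
class Message:
    """Minimal message metadata (constructed for this example)."""
    sender: str
    subject: str
    attachment: str  # attachment filename

def attachment_verdict(filename: str) -> Optional[str]:
    """Classify an attachment name; None means nothing Yaha-like was seen."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXTENSIONS and parts[2] in EXECUTABLE_EXTENSIONS:
        return "double-extension executable"
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTENSIONS:
        return "executable attachment"
    return None

def classify(msg: Message) -> List[str]:
    """Return the reasons a message should be quarantined (empty list = clean)."""
    reasons = []
    verdict = attachment_verdict(msg.attachment)
    if verdict:
        reasons.append(verdict)
        # A genuine bounce returns the original mail, not a .pif/.bat/.scr file
        if BOUNCE_SUBJECT.match(msg.subject) or msg.sender.lower().startswith("mailer-daemon@"):
            reasons.append("fake delivery failure carrying an executable")
    return reasons

# Constructed sample traffic: two Yaha-style lures, one real bounce, one clean mail
SAMPLES = [
    Message("friend@example.net", "Free Screen saver to watch", "friendship.jpg.scr"),
    Message("MAILER-DAEMON@example.org", "Undelivered Mail Returned to Sender -xkpq", "report.txt.pif"),
    Message("MAILER-DAEMON@example.org", "Undelivered Mail Returned to Sender", "original.eml"),
    Message("hr@example.org", "weekly report", "weeklyreport.xls"),
]

def scan(messages: List[Message]) -> dict:
    """Map attachment name to the reasons for every message that was flagged."""
    return {m.attachment: classify(m) for m in messages if classify(m)}
```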

In all cases the worm may contain code that exploits an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Microsoft Internet Explorer. Microsoft has issued a patch for this vulnerability; it can be downloaded from Microsoft Security Bulletin MS01-027.

The worm also creates a copy of itself in the folder

C:\Recycled
C:\Recycler
or
C:\<Windows>

with a name comprising four random lower case characters.
The name of this copy is then added to the registry entry

HKCR\exefile\shell\open\command\default

to ensure that the worm is run each time a program with an EXE extension is run. The worm will check this registry setting several times a minute and if the infected setting is not found then it will be reset. Whilst checking the registry setting the worm will also check to see if the Windows Task Manager is active and will close it down if this is the case.
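An added example (not from the Sophos page) of the check a responder would run against the registry value described above: it compares HKCR\exefile\shell\open\command with the stock Windows value, and reports whether the program it now points at looks like the dropped copy (four lower-case letters in C:\Recycled, C:\Recycler or the Windows folder). The stock value `"%1" %*`, the `.exe` extension of the dropped copy and the Windows folder path are assumptions; the page does not quote them.

```python
import re
import sys
from typing import Optional

# Stock value of HKCR\exefile\shell\open\command on a clean Windows install (assumption)
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Folders the page lists as hiding places for the worm copy
SUSPECT_DIRS = ("c:\\recycled\\", "c:\\recycler\\")

def first_program(command: str) -> str:
    """Return the first token (quoted or bare) of a shell-open command string."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def check_exefile_command(command: str, windows_dir: str = "C:\\Windows") -> Optional[str]:
    """Return None if the handler is the stock one, otherwise a description of the change."""
    if " ".join(command.split()) == DEFAULT_EXEFILE_COMMAND:
        return None
    program = first_program(command)
    low = program.lower()
    in_suspect_dir = low.startswith(SUSPECT_DIRS) or low.startswith(windows_dir.lower() + "\\")
    name = low.rsplit("\\", 1)[-1]
    # Dropped copy name: four random lower-case characters; .exe extension is assumed
    if in_suspect_dir and re.fullmatch(r"[a-z]{4}\.exe", name):
        return f"exefile handler points at a Yaha-style dropped copy: {program}"
    return f"exefile handler is not the stock value: {command}"

def read_live_value() -> str:
    """Read the live registry value (Windows only; winreg is in the standard library)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value

if __name__ == "__main__" and sys.platform == "win32":
    print(check_exefile_command(read_live_value()) or "exefile handler is stock")
```

Because the worm rewrites this value several times a minute, repairing it only holds once the worm process has been stopped.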

Two files are created in the Windows folder. One has a DLL extension and an eight character name created from the same four characters used for the copy of the worm. This file contains a list of email addresses found on the infected computer. Addresses are searched for in Yahoo Messenger, MSN and ICQ contact lists, the Windows address book and files with an extension matching HT*.
The second file has the same name as the copy of the worm and a TXT extension. This is a simple text file containing the text

"<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

iNDian sNakes pResents yAha.E

iNDian hACkers,Vxers cOme & wORk wITh uS & fUCk tHE GFORCE-pAK shites

bY

sNAkeeYes,cOBra"

The worm will attempt to disable security software by terminating any of the following processes:

SCAM32
SIRC32
ZONEALARM
LOCKDOWN2000
AVP.EXE
CFINET32
CFINET
SAFEWEB
WEBSCANX
ANTIVIR
MCAFEE
NORTON
FP-WIN
IOMON98
PCCWIN98
F-PROT95
F-STOPW
PVIEW95
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
SYMPROXYSVC
RESCUE32
NISSERV
ATRACK
IAMAPP
LUCOMSERV
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON

When the worm is first run it will imitate a screen saver by repeatedly displaying the following messages on the screen in various colours:

U r so cute today "!"!
True Love never ends
I like U very much!!!
U r My Best Friend

Once W32/Yaha-E has been active for ten minutes it will attempt to copy
itself to network shares with names matching:

WINDOWS
WIN98
WIN95
WINNT
WIN
WINME
WINXP

The worm will be copied to the file MSTASKMON.EXE and the file win.ini will
be updated with a run command to execute the worm when Windows starts up.

Every 30 seconds W32/Yaha-E will attempt to connect to the website
http://www.pak.gov.pk.

A copy of the attachment in base64 encoded format is created in the folder C:\Windows\Temp with the filename kitkat.
