W32/Yaha-P

Aliases
  • I-Worm.Lentin.m
  • W32/Yaha.V

Affected operating systems Windows
Detected by All Sophos products

More Information

W32/Yaha-P is a worm from the Yaha family.

Preliminary analysis shows that W32/Yaha-P shares many of the characteristics of W32/Yaha-E (currently the most prevalent variant in this family), including:

  • Sending out email using its own SMTP client

  • Terminating Task Manager to make it hard to stop the worm's process

  • Using a wide range of attachment names

  • Using realistic (though not business-like) email message text

  • Terminating a range of security and anti-virus programs

Note that W32/Yaha-P stores itself on your hard disk under different file names to those used by W32/Yaha-E. W32/Yaha-P places the files mstask32.exe and exeloader.exe into your system folder. These files are marked as hidden to make them less noticeable.

W32/Yaha-P changes the registry value:

HKCR\exefile\shell\open\command\(Default)

so that the copy of the worm in the file exeloader.exe is triggered every time you launch an EXE file.

W32/Yaha-P also adds the registry value:

MicrosoftServiceManager="\yoursystemfolder\mstask32.exe"

to the registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

This runs the worm automatically when you start up your PC.
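As an added defensive triage example (not Sophos's code and not part of this page), the Python below parses a registry export in .reg text form and flags the two persistence changes described above: a modified exefile\shell\open\command default value and a MicrosoftServiceManager entry under the Run or RunServices keys. The system folder path and the exact form of the hijacked command line in the constructed sample are assumptions, since the page gives only the file names.

```python
import re

# Clean default for the EXE association: launch the file itself with its arguments.
CLEAN_EXEFILE_COMMAND = '"%1" %*'
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Constructed sample export (not from a real infection); path and command form are assumed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINNT\\System32\\exeloader.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager"="C:\\WINNT\\System32\\mstask32.exe"
'''
CLEAN_EXPORT = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg_export(text):
    """Return {key: {value_name: data}} from .reg text; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            # .reg escapes backslashes and quotes with a backslash; undo that.
            keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys

def find_yaha_p_indicators(export_text):
    """List findings for the two persistence tricks; an empty list means none seen."""
    keys = parse_reg_export(export_text)
    findings = []
    cmd = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if cmd is not None and cmd.strip().lower() != CLEAN_EXEFILE_COMMAND.lower():
        findings.append(f"EXE association hijacked: {EXEFILE_KEY} = {cmd}")
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if name == "MicrosoftServiceManager" or "mstask32.exe" in data.lower():
                findings.append(f"Autorun entry: {key}\\{name} = {data}")
    return findings
```

Run it against the output of `reg export` for the three keys on a suspect machine; a non-empty result is the cue to restore the exefile command default and remove the autorun value rather than simply deleting the files, since deleting exeloader.exe while the association still points at it leaves EXE files unable to launch.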
