Summary
| Detected by | All Sophos products |
|---|---|
Action
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Yaha-Q.
More Information
W32/Yaha-Q is a worm that most commonly arrives in an email, but may also find its way onto a computer via network shared drives.
The email that the worm arrives in can have any one of a very large selection of subject lines and message texts. The email may also be spoofed, meaning that it did not necessarily come from the sender listed in the "From" field of the user's email client.
W32/Yaha-Q copies itself to the files exeloader.exe and mstask32.exe in the Windows system folder.
The following registry entries will be created to start the worm when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MicrosoftServiceManager = <system>\mstask32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
MicrosoftServiceManager = <system>\mstask32.exe
The registry entry HKCR\exefile\shell\open\command will be updated so that the copy of the worm exeloader.exe is run whenever an EXE file is executed.
W32/Yaha-Q contains a long list of anti-virus, Windows management and security applications whose processes are terminated if they are found to be running. The worm will also terminate any process that has an associated window with any of the following titles:
Windows Task Manager
System Configuration Utility
Registry Editor
Process Viewer
HKLM\Software\Microsoft\Windows\CurrentVersion\ZoneCheck will be set to any of the following web sites:
pakistan.gov.pk
paki.com
pcb.gov.pk
comsats.com
kse.com.pk
The registry entry HKLM\Software\Microsoft\Snakes will be created and will contain the values Author, Comments, Version and Web.
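The registry changes described above (the two MicrosoftServiceManager autorun values, the hijacked exefile handler, the ZoneCheck value and the Snakes marker key) are the indicators a responder would look for on a suspect machine. The following is an added example, not Sophos code, that parses a regedit text export offline and reports those indicators; the .reg samples are constructed for illustration, and the exact command string the worm writes under exefile\shell\open\command is an assumption, since the page only states that exeloader.exe is run whenever an EXE is launched.

```python
"""Scan a regedit (.reg) text export for W32/Yaha-Q registry indicators.

Added example, not Sophos code. Works on an exported file, so it runs
offline on any platform; on a live Windows host the same checks could be
driven from `reg export` output or the winreg module.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the W32/Yaha-Q description.
WORM_FILES = ("mstask32.exe", "exeloader.exe")
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CURRENT_VERSION_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes"
ZONECHECK_SITES = {"pakistan.gov.pk", "paki.com", "pcb.gov.pk", "comsats.com", "kse.com.pk"}

RegistryDump = Dict[str, Dict[str, str]]   # key path -> {value name -> string data}
Finding = Tuple[str, str]                  # (indicator category, detail)


def unescape_reg_string(raw: str) -> str:
    """Undo regedit's escaping: \\\\ -> \\ and \\" -> " inside a quoted string."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_export(text: str) -> RegistryDump:
    """Minimal parser for the regedit export format: [key] headers followed by
    "name"="data" or @="data" lines. Non-string data (hex:, dword:) is kept
    verbatim, which is enough for the string indicators checked here."""
    keys: RegistryDump = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            keys[current][name] = unescape_reg_string(data)
    return keys


def scan_registry(keys: RegistryDump) -> List[Finding]:
    """Return every W32/Yaha-Q indicator present in the parsed export."""
    findings: List[Finding] = []
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key, {}).items():
            # Flag any autorun value that launches one of the worm's file names,
            # whatever the value is called (the worm uses MicrosoftServiceManager).
            if any(f in data.lower() for f in WORM_FILES):
                findings.append(("autorun", f"{key}\\{name} = {data}"))
    # The stock exefile handler is "%1" %*; anything else intercepts EXE launches.
    cmd = keys.get(EXEFILE_CMD_KEY, {}).get("@", "")
    if cmd and not cmd.startswith('"%1"'):
        findings.append(("exefile_hijack", cmd))
    if MARKER_KEY in keys:
        findings.append(("marker_key", MARKER_KEY))
    zone = keys.get(CURRENT_VERSION_KEY, {}).get("ZoneCheck")
    if zone is not None:
        tag = "zonecheck" if zone.lower() in ZONECHECK_SITES else "zonecheck_other"
        findings.append((tag, zone))
    return findings


def scan_reg_text(text: str) -> List[Finding]:
    return scan_registry(parse_reg_export(text))


# Constructed sample export from an infected machine. The exeloader.exe command
# line is an assumed form; the page only says the file runs on every EXE launch.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager"="C:\\WINDOWS\\SYSTEM32\\mstask32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"MicrosoftServiceManager"="C:\\WINDOWS\\SYSTEM32\\mstask32.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\exeloader.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ZoneCheck"="pcb.gov.pk"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes]
"Author"="(constructed sample data)"
'''

# Constructed sample export from a clean machine.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for category, detail in scan_reg_text(INFECTED_REG):
        print(f"{category:15} {detail}")
```

One ordering point for cleanup follows from the exefile hijack: as long as HKCR\exefile\shell\open\command points at exeloader.exe, every EXE launch goes through that file, so that value must be restored to its stock `"%1" %*` before exeloader.exe is deleted, otherwise no program, including the cleanup tool, will start.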
W32/Yaha-Q will carry out the following four operations when executed on a Wednesday:
1) Modify the Internet Explorer start page via the registry entry HKU\Software\Microsoft\Internet Explorer\Main\Start Page. The new start page will be http://www.indiansnakes.cjb.net.
2) Append a link to the web site http://www.indiansnakes.cjb.net to all HTM and HTML files found in the folder inetpub/wwwroot/.
3) Spread to network shares.
4) Create a randomly named text file in the Windows folder containing any one of the following five blocks of text:
"=================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
------------------------
sNAkE p0iSoN wiLL fUCk pAKIs
n0w wE aRe a tEAm..
bEWarE oF tHe p0iSoN oF tHe snAKeS..
bACK oFF paKI hAckERs,uR dAyS aRe oVeR..
pAkIsTaN's IT fUtuRe iS iN uR hANd..
U sToP..wE sToP..
u sTarTeD.. wE fInIshED...
=================================================
bY R0xx,c0bra,dEviL inCArNatE
visIT uS : http://indiansnakes.cjb.net"
"=================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
---------------------------
thiS iS juST thE begiNNinG..
s00000 mUcH t0 c0mE..
n0 moRe pAK shiT wiLL be toleRATeD..
tiME f0r somE payBACK..
thERe iS nothING likE teAM w0rk..
iNDiAN snAKeS wiTH hARD p0iSoN..
wE wiLL bE BACk....
=================================================
<> iNDiAn snAKeS <>
* c0Bra
* R0xx
* kiNG c0Bra
* snaKeEyEs
* dEViL inCARnATe
http://indiansnakes.cjb.net"
"=================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
-------------------------
iNdIaN IT exPeRTs.. aRe u bUSy eArNiNg m0nEy ???
d0 s0mEthInG f0r uR c0untRY yaaaaar...
c0mE aNd w0rK wIth uS..
bUt hEy wE aInT aNy IT eXpeRTs.. wHy ???
bEcAuSE wE d0nT hAvE ceRtiFicAtEs wHiCh u hAvE b0ugHt..
aLL wE aRe... wE aRe tHe gReAt iNdiAnS
d0 u tHinK wE aRe g00d..
tHeN d0 a faVouR f0R uS.. juSt rEspEcT uS..
aND exPLaiN t0 uS.. whY u R n0t rEtaLiaTinG t0 pAkI hAckErS..
n0 0thEr sHiTs nEEdEd..
----------------------------------------------------------
R0xx <qph@achayans.com>
c0bra <c0bra@linuxmail.org>
dEviL inCaRnaTE <666@achayans.com>
==================================================
http://www.indiansnakes.cjb.net"
"========================================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs
------------------------
to gigabyte :: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is.. lolz ;)
to Mr Roger Thompson ::
| [technical director of malicious code research for TruSecure Corp]
| --------------------------------------------------------------
| wE arE n0t p0litiCaLy m0tiVatEd sIr...
| wE aRe jUsT rEtaLiaTinG t0 pAkI hAckErS aNd tHeiR sHiT hAcktIviSm..
| hahha Yaha.K suCCessfuLL by lUck ??? eVeR heARd s0meThinG liKe thiS
| a w0rM maDe anD spReaD bY luCk...hehehe lolz..
| aNd fiNallY wE kn0w dAmN weLL wHaT tHe heLL wE aRe doinG...
| thE w0rlD pUshEd uS to tHe dArK siDe..cAnT hElp iT.. no reTReaT no suRRenDeR
| --------------------------------------------------------------
=========================================================
bY R0xx ,c0bra,dEviL inCArNatE
viSIt uS : http://indiansnakes.cjb.net"
"==============================================
iNDiAn snAKeS pReSAnTs : W32/yAHA 2.00
wE aRe tHe gREaT inDIaNs..
------------------------------------------
ab0uT Yaha 2.00 :
maIn miSsIon iS t0 dd0s 5 paKi weBshits..
fuCk paKi sYstEmS bY sEndinG eXploitEd daTa pAckeTs..
deDIcaTed to :
* Trend Micro Corp ( f0r exceLLeNT anaLYsiS lolz ;) )
* Klez auTHoR
* SQL Slammer auTHoR
* inDIan haCKeRs & VXeRs
* inDiAn s0 caLLeD IT eXpeRTs
* pe0pLeS wh0 fiGHt agAINsT coRRupti0n ( i guEss itS alm0st NULL )
* aLL mEmbERs of iNDiAn sNAKeS
* t0 mY bEsT friENd
thIs iS a waR beTweeN inDia & paK hAckeRS..
n0 c0untrY shouLD gEt inVolvEd..
------------------------------------------
<<>> R0xx <<>>
http://www.indiasnakes.cjb.net
<qph@achayans.com>"
