Sophos

W32/Yaha-Y

Aliases
  • WORM_YAHA.AF
  • W32/Yaha.y@MM
  • W32.Yaha.AF@mm

Summary

Protection available since 10 December 2003 15:23:40 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Yaha-Y is a worm which spreads by copying itself to network shares and by emailing itself to addresses found within files and registry entries on the local computer.

The email subject line, message text and attachment filename are randomly selected from internal lists. Example emails are as follows:

Attached File: Fixblastz.com
Subject line: Fix for the latest W32/Blaster.Z
Message text: Dear customer, We are enclosing Fix for W32.Blaster.Z as per your request.

Attached File: Fixblastz.zip
Subject line: Fix for the New Worm Threat
Message text: Dear customer, We are enclosing Fix for W32.Blaster.Z as per your request.

Attached File: FixBlast.com
Subject line: Fix for W32.Blaster/Welcha
Message text: Dear customer, We are enclosing Fix for both Welcha and Blaster worms as per your request.

Attached File: wicked.zip
Subject line: Wicked Screen Saver
Message text: Hi, This is the most wicked screen saver i have ever
seen.Enjoy!!!

Attached File: MS-Q3526.com
Subject line: Critical Updates
Message text: Dear customer, Thanks for using Microsoft products. Recent viruses have prompted microsoft to issue patches to all its customers worldwide.

Attached File: thankyou.zip
Subject line: Thank you
Message text: Please see the attached file for details.

Attached File: your_documents.zip
Subject line: Your Document
Message text: See the attached file for your documents.

Attached File: FixBlast.zip
Subject line: Hi check your computer with this!!!
Message text: Hi, I am cutting and pasting the message i got from symantec antivirus I think the last mail you sent me was infected with W32.Blaster.
please use this tool and disinfect your machine.

Attached File: details.zip
Subject line: Details
Message text: Hi, See the attached file for details.

Attached File: FixBlast.zip
Subject line: I got an infected email from you
Message text: Hi, Your previous mail to me is infected with Blaster.

Attached File: porncrack.zip
Subject line: Crack for Porn sites
Message text: Hi, This is a new crack for porn site. Please download and check program. Bye.

Attached File: application.zip
Subject line: Your application
Message text: Please see the attached file for application details.

When first run, the worm copies itself to the Windows System folder as EXE32.EXE and MSMGR32.EXE with the hidden attribute set and creates the following registry entries to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MsManager
= <SYSTEM>\MSMGR32.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsManager
= <SYSTEM>\MSMGR32.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\MsManager
= <SYSTEM>\MSMGR32.EXE

The worm also prepends <SYSTEM>\EXE32.EXE to the following registry entries, so that EXE32.EXE is run whenever any file with an extension of EXE, COM, BAT or SCR is run or opened:

HKCU\batfile\shell\open\command
HKCU\comfile\shell\open\command
HKCU\exefile\shell\open\command
HKCU\scrfile\shell\open\command

The files Hosts and Lmhosts are dropped to the Windows folder and MSS32.DLL is dropped to the System folder.

W32/Yaha-Y copies itself as MSMGR32.EXE to StartUp folders on local and network drives, for example:

\Documents and Settings\All Users\Start Menu\Programs\Startup
\Documents and Settings\<default user>\Start Menu\Programs\Startup

The worm also copies itself to the Windows folder of network shares as EXE32.EXE and adds a new line "run=EXE32.EXE" to the [Windows] section of <WINDOWS>\Win.ini to run EXE32.EXE on startup.

Whilst the worm is active it continually tries to terminate selected anti-virus and security-related processes, and it resets the registry entries mentioned above if they are changed or deleted.

The worm disables Regedit.exe by setting the registry entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
= 1
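The persistence artefacts listed above can be checked offline from a `reg export` file and a copy of Win.ini. The script below is an added example, not Sophos code: it parses both formats from constructed samples embedded inline and reports the MsManager Run values, EXE32.EXE prepended to the shell\open\command of the four hijacked file classes, the run=EXE32.EXE line in the [windows] section of Win.ini, and the DisableRegistryTools setting. It ignores the hive prefix, so the class keys are matched whether they were exported from HKCU or HKCR.

```python
# Indicators from the description above; all matching is case-insensitive.
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
HIJACKED = ("batfile", "comfile", "exefile", "scrfile")

def parse_reg_export(text):
    """Parse a `reg export` body into {key_path_lower: {value_name: data}}."""
    tree, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree[key] = {}
        elif key and "=" in line:
            name, data = line.split("=", 1)
            tree[key][name.strip('"')] = data.strip().strip('"')
    return tree

def registry_findings(tree):
    """Report the Run values, class hijacks and Regedit lock-out named above."""
    hits = []
    for key, vals in tree.items():
        if key.endswith(RUN_KEYS) and vals.get("MsManager", "").lower().endswith("msmgr32.exe"):
            hits.append(f"startup value MsManager in {key}")
        if key.endswith("\\shell\\open\\command") and any(c in key for c in HIJACKED):
            cmd = vals.get("@", "").lower()  # (Default) value; "prepended" means EXE32.EXE precedes "%1"
            if "exe32.exe" in cmd and cmd.find("exe32.exe") < cmd.find("%1"):
                hits.append(f"EXE32.EXE prepended to {key}")
        if key.endswith("\\policies\\system") and vals.get("DisableRegistryTools", "").endswith(":00000001"):
            hits.append("DisableRegistryTools = 1 (Regedit disabled)")
    return hits

def win_ini_findings(text):
    """Flag run=EXE32.EXE in the [windows] section of Win.ini."""
    section, hits = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and line.lower().startswith("run=") and "exe32.exe" in line.lower():
            hits.append(f"Win.ini [windows] {line}")
    return hits

# Constructed samples resembling an infected host, not real captures.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsManager"="C:\\WINDOWS\\System32\\MSMGR32.EXE"
[HKEY_CURRENT_USER\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\EXE32.EXE \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=EXE32.EXE\n[Desktop]\nWallpaper=\n"
```

Calling `registry_findings(parse_reg_export(SAMPLE_REG))` on the sample yields three findings and `win_ini_findings(SAMPLE_WIN_INI)` one; a clean export and a Win.ini with an empty run= line yield none.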
