Sophos

W32/Yaha-L

Aliases
  • I-Worm.Lentin.J

Summary

Included in our products from February 2003 (3.66)
Detected by All Sophos products

More Information

W32/Yaha-L creates three files in the system folder: WinServices.exe, nav32_loader.exe and tcpsvc32.exe. All these are exact copies of the worm.

W32/Yaha-L adds the following values to your registry, setting them to run WinServices.exe when Windows starts up or when the infected user logs on to the network:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices
="%SYSFOLDER%\WinServices.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices
="%SYSFOLDER%\WinServices.exe"

W32/Yaha-L also sets:

HKCR\exefile\shell\open\command\(Default)
=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"

This causes W32/Yaha-L to be run whenever you launch a file with an EXE extension.

Once executed, W32/Yaha-L stays resident in memory as a process which is not visible in the task list. The worm takes active measures against anti-virus software, including:

  • automatically re-applying its registry modifications if they are changed

  • actively terminating a range of anti-virus, firewall and internet service programs

  • actively terminating REGEDIT

Like other Yaha variants (e.g. W32/Yaha-A), the worm sends out emails containing copies of itself. These emails have a range of subject lines, attachment names, sender addresses and body texts, using a mixture of topics relating to hacking, love, hate and porn.

On the 25th of March and the 22nd of May this virus will display a message box containing the text "Happy Birthday Dear", and the mouse buttons will be swapped.

On a Wednesday W32/Yaha-L will perform the following three actions:

  • set the hidden attribute on all files and folders in the Personal Shell Folder, usually My Documents

  • create a text file with a random six-character name on the Desktop, containing one of five messages, each of which begins "W32.@YerH$.B"

  • change the default Internet Explorer start up page via the registry entry HKLM\Software\Microsoft\Internet Explorer\Main to one of the following web sites:

      • www.hrvg.tk
      • www.hackersclub.up.to
      • geocities.com/snak33ys
      • www.unixhideout.com
      • www.hirosh.tk
      • www.neworder.box.sk
      • www.blacksun.box.sk
      • www.coderz.net
      • www.hackers.com/html/neohaven.html
      • www.ankitfadia.com

The non-viral file Winloader32.dll will be created in the Windows system folder and should be deleted. Also the registry entry HKLM\Software\Microsoft\WinVer will be created with a default value containing six random lowercase characters.
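As an added example (not Sophos's own tooling), the following Python checks an exported set of registry values for the persistence indicators described above: the Run and RunServices entries pointing at the dropped copies, the hijacked EXE association, and the WinVer marker. The one-line "key=data" export format, `parse_export` and `find_yaha_indicators` are assumptions of this example, and the sample export is constructed.

```python
import re

# Constructed sample registry export in the "key=data" style of the listing
# above; the Sound entry is a benign autorun included as a control.
SAMPLE_EXPORT = r'''
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices="%SYSFOLDER%\WinServices.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices="%SYSFOLDER%\WinServices.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sound="C:\Windows\sound.exe"
HKCR\exefile\shell\open\command\(Default)=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"
HKLM\Software\Microsoft\WinVer\(Default)="qwerty"
'''

CLEAN_EXEFILE_COMMAND = '"%1" %*'  # stock EXE association: run the file, pass its arguments
YAHA_DROPPED_FILES = ("winservices.exe", "nav32_loader.exe", "tcpsvc32.exe")
AUTORUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
)
EXEFILE_COMMAND = r"hkcr\exefile\shell\open\command\(default)"
WINVER_MARKER = r"hklm\software\microsoft\winver\(default)"


def parse_export(text):
    """Map each 'path\\name="data"' line to {lower-cased path: data}."""
    values = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        path, data = line.split("=", 1)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]  # strip only the outer quotes; nested quoting stays
        values[path.strip().lower()] = data
    return values


def find_yaha_indicators(values):
    """Return one finding string per registry indicator from the write-up."""
    findings = []
    for path, data in values.items():
        parent = path.rpartition("\\")[0]
        if parent in AUTORUN_KEYS and data.lower().endswith(YAHA_DROPPED_FILES):
            findings.append(f"autorun points at worm copy: {path} -> {data}")
    exe_cmd = values.get(EXEFILE_COMMAND)
    if exe_cmd is not None and exe_cmd != CLEAN_EXEFILE_COMMAND:
        # Anything placed before "%1" runs first on every EXE launch.
        findings.append(f"EXE association hijacked: {exe_cmd}")
    if re.fullmatch(r"[a-z]{6}", values.get(WINVER_MARKER, "")):
        findings.append(f"WinVer marker set: {values[WINVER_MARKER]}")
    return findings
```

The exefile check flags any value other than the stock `"%1" %*`, so it also catches EXE-association hijacks by other malware that uses the same technique.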

Finally W32/Yaha-L will execute a denial of service attack against a Pakistani government website, infopak.gov.pk.
