Some feared the Yaha.K worm would make a comeback today after festering for two weeks during the lazy closing days of 2002.
Those fears apparently won't be realized, experts said this morning, as the world returned to work from the Christmas and New Year holidays.
Yaha.K is far from dead, but experts said it's not likely to be much of an issue for corporate users. In fact, Network Associates' McAfee Security was considering downgrading its risk assessment of Yaha from medium to low for corporate users if its progress continued as expected, said Vincent Gullotto, vice president of McAfee AVERT (antivirus emergency response team). Yaha.K is more of a threat to home users who have not updated their virus defenses, he said.
Many enterprises are already blocking the attachment types Yaha is currently using to spread, curtailing its spread among businesses. The worm arrives as an attachment to an e-mail message as an executable, screensaver or .com file. Many companies already block these file-extension types at the gateway. "In the majority of cases, businesses won't have any use for the files," Gullotto said.
Such an approach isn't new, Gullotto said. In olden times, anyone could enter a fortress, but snipers were positioned to pick off people who shouldn't be there. Over time, rulers realized that stopping unwelcome people at the gate was easier. "They didn't need snipers anymore," he said.
Stripping file attachments at the e-mail gateway
Technically, Yaha.K was nothing new. The worm drops three executable files into the system folder of infected machines. One executable tries to disable processes associated with antivirus and firewall software, which could pave the way for infection from other worms and viruses.
Yaha.K's social engineering wasn't super savvy either. Yaha.K entices recipients by using a variety of subject lines playing off interest in sports and computing in addition to more prurient interests. The messages carrying the worm explore similar themes.
Yaha.K's success could be chalked up to its timing. It first surfaced around Dec. 21 on the cusp of the holiday season. People may have been more likely to open the attachment more than at other times of the year because a lot of jokes and other frivolities are sent during the holidays. Gloucester, England-based e-mail scanning outsourcer MessageLabs tracks jokes in addition to viruses and worms. "We have seen a massive increase in such things at the end of the year," said Alex Shipp, senior antivirus technologist at MessageLabs.
Users who followed initial reports of the worm may have been a little confused. Originally, MessageLabs named the worm Yaha.M, but amended it to comply with the name used by the WildList, the definitive list of viruses and worms. The confusion came about because the same variant of the worm was packed differently. Virus writers use packing programming to compress executable code to make their creations harder to detect.
FOR MORE INFORMATION:
Feedback on this story? Send your comments to News Writer Edward Hurley