Yaha worm no longer a business threat

Security experts have downgraded the threat to enterprises posed by the Yaha.K worm.

Some feared the Yaha.K worm would make a comeback today after festering for two weeks during the lazy closing days of 2002.

Those fears apparently won't be realized, experts said this morning, as the world returned to work from the Christmas and New Year holidays.

Yaha.K is far from dead, but experts said it's not likely to be much of an issue for corporate users. In fact, Network Associates' McAfee Security was considering downgrading its risk assessment of Yaha from medium to low for corporate users if its progress continued as expected, said Vincent Gullotto, vice president of McAfee AVERT (antivirus emergency response team). Yaha.K is more of a threat to home users who have not updated their virus defenses, he said.

Many enterprises are already blocking the attachment types Yaha is currently using to spread, curtailing its spread among businesses. The worm arrives as an attachment to an e-mail message as an executable, screensaver or .com file. Many companies already block these file-extension types at the gateway. "In the majority of cases, businesses won't have any use for the files," Gullotto said.

Such an approach isn't new, Gullotto said. In olden times, anyone could enter a fortress, but snipers were positioned to pick off people who shouldn't be there. Over time, rulers realized that stopping unwelcome people at the gate was easier. "They didn't need snipers anymore," he said.

Stripping file attachments at the e-mail gateway is a similar approach. For most businesses there aren't any good reasons to send executables, screensavers or .com files back and forth. If there are, then there are ways to safely send them so as to verify the files are legitimate, Gullotto said.
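The gateway filtering described above, as an added example that is not from the original article or any vendor's product: it parses a message with Python's standard `email` package and drops attachments whose final extension is blocked. The extension set (.exe, .scr, .com), the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions assumed for the three attachment types the article names
# (executable, screensaver, .com file).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com"}

def is_blocked(filename):
    """True if the attachment's final extension is on the block list."""
    if not filename:
        return False
    # Windows ignores trailing dots and spaces, so "a.scr. " still runs as .scr.
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS

def _filter(part, removed):
    """Recursively drop blocked children from multipart containers."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        fname = child.get_filename()
        if is_blocked(fname):
            removed.append(fname)
        else:
            _filter(child, removed)
            kept.append(child)
    part.set_payload(kept)

def strip_blocked(raw_bytes):
    """Parse one raw message; return (cleaned_message, removed_filenames)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    _filter(msg, removed)
    return msg, removed

def build_sample():
    """Constructed message: one benign attachment and two blocked ones."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("report.txt", "Match.JPG.SCR", "SETUP.COM"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Matching on the final extension after case folding catches double-extension names such as `Match.JPG.SCR`; it does not inspect file contents, so a renamed executable would still need content scanning.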

Technically, Yaha.K was nothing new. The worm drops three executable files into the system folder of infected machines. One executable tries to disable processes associated with antivirus and firewall software, which could pave the way for infection from other worms and viruses.

Yaha.K's social engineering wasn't super savvy either. Yaha.K entices recipients by using a variety of subject lines playing off interest in sports and computing in addition to more prurient interests. The messages carrying the worm explore similar themes.

Yaha.K's success could be chalked up to its timing. It first surfaced around Dec. 21 on the cusp of the holiday season. People may have been more likely to open the attachment than at other times of the year because a lot of jokes and other frivolities are sent during the holidays. Gloucester, England-based e-mail scanning outsourcer MessageLabs tracks jokes in addition to viruses and worms. "We have seen a massive increase in such things at the end of the year," said Alex Shipp, senior antivirus technologist at MessageLabs.

Users who followed initial reports of the worm may have been a little confused. Originally, MessageLabs named the worm Yaha.M, but amended it to comply with the name used by the WildList, the definitive list of viruses and worms. The confusion came about because the same variant of the worm was packed differently. Virus writers use packing programs to compress executable code to make their creations harder to detect.


FOR MORE INFORMATION:

SearchSecurity news exclusive: "Experts downplay Yaha variant damage"

SearchSecurity news exclusive: "The virus name game"


Feedback on this story? Send your comments to News Writer Edward Hurley
