Experts downplay Yaha variant damage |
 |
By Edward Hurley, News Writer
02 Jan 2003 | SearchSecurity.com |
|
|
The last few days of 2002 saw a new variant of an old worm resurface, though virus experts are downplaying how much damage it will do.
A new variant of the Yaha worm, Yaha.K, surfaced more than a week ago. E-mail scanning outsourcer MessageLabs has intercepted 36,097 total copies of it as of 11 a.m. EST Thursday. More than 8,000 copies of it were caught on Monday. It seems to have peaked as the numbers each day since have decreased. On Monday, Symantec Security Response upgraded Yaha.K from a Category 2 to a Category 3 because of all the submissions it was receiving.
The worm drops three executable files (WinServices.exe, nav32_loader.exe and tcpsvc32.exe) into the system folder of infected machines. One executable tries to disable processes associated with antivirus and firewall software. Another targets the REGEDIT function.
If infected, a system could be susceptible to remote attack because firewall software is disabled, said Chris Wraight, technology consultant at antivirus vendor Sophos. Systems could also be infected by other viruses because antivirus protection is shut off.
So far, Sophos hasn't fielded many calls about the worm, Wraight said. He suggests it may be more of a home-user issue. Sophos only sells antivirus protection to business users.
After infecting a system, Yaha then sends copies of itself to addresses it plucks from the Windows Address Book, Yahoo Messenger, MSN and .NET Messenger Services and files with extensions containing the string "HT."
Yaha uses a variety of subject lines to entice recipients to open the attachment carrying a copy of itself. Many purport to be free screensavers while others play to interests in sports and computing in addition to more prurient interests. The message text also plays off similar themes. Here is a sampling of the subject lines:
- Sample Screensavers
- Free Screensavers 4 U
- Patch for Klez.H
- Patch for Klez.H
- Patch for Elkern.gen
- WWE Screensavers
- Free Screensavers
- Free XXX
- Demo KOF 2002
- Wanna Hack ??
- Screensavers from Club Jenna
- One Hacker's Love
- One Virus Writer's Story
- Wanna be a HE-MAN
- We want peace
- Free Screensavers 4 U
- XXX Screensavers 4 U
- Hardcore Screensavers 4 U
- Sample Playboy
- Check it out
- Are you a Soccer Fan ?
- Wanna be like a stone ?
- Learn SQL 4 Free
- Free Win32 API source
Yaha comes attached with as a screensaver (.scr), executable (.exe) or .com file. Stripping attachments containing those file types (a good practice in general) would help prevent infection. Here is a sampling of the file names:
- Love.scr
- Project.exe
- Romantic.scr
- FixKlez.com
- FixKlez.com
- FixElkern.com
- Cupid.scr
- Notes.exe
- MyPic.scr
- FreakOut.exe
- THEROCK.scr
- Britney_Sample.scr
- zXXX_BROWSER.exe
- Love.scr
- Valentines_Day.scr
- Beautifull.scr"
- Ways_To_Earn_Money.exe
- MyProfile.scr
- My_Sexy_Pic.scr
- KOF.exe
- King_of_Figthers.exe
- KOF2002.exe
- KOF_The_Game.exe
- KOF_Demo.exe
- KOF_Sample.exe
- KOF_Fighting.exe
- MyPic.scr
- Hacker.scr
- Romeo_Juliet.scr
- Free_Love_Screensavers.scr
- Ravs.scr
- zDenka.scr
- Jenna_Jemson.scr
- Sexy_Jenna.scr
- Sweetheart.scr
- up_life.scr
- World_Tour.scr
- Hacker_The_LoveStory.scr
- VXer_The_LoveStory.scr
- Services.scr
- Body_Building.scr
- Peace.scr
- Screensavers.scr
- xxx4Free.scr
- Hardcore4Free.scr
- Playboy.scr
- Plus2.scr
|
