You cannot accuse the author of the Yaha worm of having idle hands.
Believed to be Indian, the author has written every variant of the worm, which first appeared in February, according to Roger Thompson, technical director of malicious code research for TruSecure Corp.
The latest version of the worm, Yaha.K, was first detected Dec. 21, and its spread has been constant in the New Year, with close to 11,000 copies captured daily since Jan. 2, according to e-mail scanning service provider MessageLabs. As of 12:30 GMT today, more than 3,000 copies of Yaha had been trapped.
Yaha spreads via e-mail attachments of the .exe, .scr and .com file types, which most enterprises already block at the gateway. Experts believe the worm is not a huge concern for businesses; instead it is finding success among home users, who can be enticed to open the infected attachment by a variety of subject lines and message bodies.
Yaha also has a political motivation. Part of its payload is to launch a denial-of-service attack against a Pakistani government Web site, infopak.gov.pk.
However, Thompson said, the real danger may be in what the author does next. So far, Yaha has been a mass-mailing worm. It drops three executable files that try to shut down antivirus and firewall software, leaving machines exposed to attack from other viruses. It also exploits a MIME (Multipurpose Internet Mail Extensions) vulnerability in Outlook to send itself to addresses stored in the Windows address book, and it spreads to addresses recorded in the cache folders of .NET Messenger and MSN Messenger and in Yahoo Messenger profile folders.
Thompson said that most enterprises with up-to-date antivirus defenses are safe from Yaha. He warns, however, to beware of the author's next move.
"The author has been busy. He appears to be an Indian national sniping at the Pakistan government," Thompson said. "The guy has got an interest in it; he's motivated. He realized he almost got lucky with this one in that it's spreading. It's troubling that he might pursue other vulnerabilities."
The MIME vulnerability in Windows is an old one and patches have existed for months. It has also been the exploit of choice for several other pieces of malicious code: Braid, Frethem, Elkern, Bugbear and even Nimda, among others.
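The two gateway checks this article implies, holding the attachment types it names and not trusting an attachment's declared MIME type, as an added example that is not from the article or from any vendor mentioned in it; the addresses, the lure text and the executable bytes are constructed, not a real capture:

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment types the article says most enterprise gateways already block.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com"}

# Constructed stand-in for a Windows executable: only the "MZ" magic matters here.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 12


def build_sample_message() -> bytes:
    """Constructed lure mail: a short body plus three attachments (not a real sample)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "check this out"
    msg.set_content("Thought you'd like this screensaver.")
    # 1: executable with an extension the gateway already blocks
    msg.add_attachment(FAKE_PE, maintype="application", subtype="octet-stream",
                       filename="screensaver.scr")
    # 2: the same executable bytes declared as audio with a harmless name; this
    #    mislabelling is what an unpatched client's MIME handling gets wrong
    msg.add_attachment(FAKE_PE, maintype="audio", subtype="x-wav", filename="song.wav")
    # 3: a harmless text attachment that should pass
    msg.add_attachment("see you tomorrow", filename="notes.txt")
    return msg.as_bytes()


def flagged_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment the gateway should hold."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if part.is_multipart() or not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((filename, f"blocked extension {ext}"))
        elif data[:2] == b"MZ":
            # Judge by content, not by the Content-Type header the sender chose.
            findings.append((filename, f"PE executable declared as {declared}"))
    return findings


if __name__ == "__main__":
    for name, reason in flagged_attachments(build_sample_message()):
        print(f"HOLD {name}: {reason}")
```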
Thompson said Yaha is a compiled virus, leading him to believe the same writer is responsible for each variant because he would need access to the source code. MessageLabs has also explored the political motivations of this worm and suggests it could be a group of authors working on Yaha, sharing the code amongst themselves.
"I would rather think the author had success with this variant by accident," Thompson said. "It's been very effective against one [vulnerability] and no other. If he understood what he was doing, he would have been beating several products. I think he got lucky.
"The question is, what will be next?"