Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
- Discovered:
- November 12, 2003
- Updated:
- February 13, 2007 12:13:49 PM
- Also Known As:
- W32/Yaha.y@MM [McAfee]
- Type:
- Worm
- Systems Affected:
- Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
W32.Yaha.AF@mm is a variant of the W32.Yaha.T@mm worm that does the following:
- Terminates some antivirus and firewall processes.
- Uses its own SMTP engine to email itself to all the contacts in the Windows address book, MSN and Windows Messenger, Yahoo Pager, ICQ Pager, as well as in all the files whose extensions contain the letters HT.
- Attempts to spread itself through shared network folders and mapped drives.
- Attempts to spread itself through the KaZaA file-sharing network.
- Installs a keylogger and emails the logs to the author.
- Performs Denial of Service (DoS) attacks to some specified and random hosts on TCP ports 135, 139, and 445.
The email message has a randomly chosen subject line, message, and attachment name. The attachment will have a .com, .exe, or .zip file extension.
This threat is written in the Microsoft Visual C++ programming language and is compressed with UPX.
Antivirus Protection Dates
- Initial Rapid Release version November 13, 2003
- Latest Rapid Release version September 28, 2010 revision 054
- Initial Daily Certified version November 13, 2003
- Latest Daily Certified version September 28, 2010 revision 036
- Initial Weekly Certified release date November 13, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 0 - 49
- Number of Sites: 0 - 2
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Damage
- Damage Level: Medium
Distribution
- Distribution Level: High
Writeup By: Yuhui Huang
