W32.Yaha@mm

Printer Friendly Page

Discovered: February 15, 2002
Updated: February 13, 2007 11:55:57 AM
Type: Worm


W32.Yaha@mm is a mass-mailer that sends itself to all the email addresses it finds in the Windows address book and in the files with the extension of .ht*.
This worm copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.

Antivirus Protection Dates

  • Initial Rapid Release version February 19, 2002
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version February 19, 2002
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date February 20, 2002

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Douglas Knowles

Discovered: February 15, 2002
Updated: February 13, 2007 11:55:57 AM
Type: Worm


When W32.Yaha@mm is executed, it does the following:

  • Sends itself to all the email addresses it finds in the Windows address book. It does this by first copying the address book file to the file C:\Windows\WWW.dll. Then, it searches that file for an email address, which it then stores in the file, C:\Windows\Screenback.dll.

  • Sends email to all the addresses it finds within files in the Cache folders, with the file extension .ht*. The worm stores these email addresses in the file, C:\Windows\Screen.dll.

  • Sets itself to run when any other executable files are run, by modifying the (Default) value of the registry key:
    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    to read:

    c:\recycled\msmdm" %1 %*"

    instead of:

    " %1 %*".

  • Will attempt to send mail using information from the registry key:
    HKEY_CURRENT_USER\Software\Microsoft\
    Internet Account Manager\Accounts\00000001

    or, if it cannot connect to the email server listed in that registry key, it will use one of the following:
    • webproxy.teaorcoffee.com.tw
    • supab.stn.sh.cn
    • sitic.com.cn
    • server.benmoss.com
    • pokkant1.pokka.com.sg
    • pdc.hrserve.com.tw
    • outmail.dongfang-china.com
    • ns.sillim.hs.kr
    • ns.binter.cl
    • microimportservice.com
    • mailsvr.hanace.co.kr
    • mailserver.kaimi.com.cn
    • mail.yinda.com.cn
    • mail.win-tex.com
    • mail.pusanpaik.or.kr
    • mail.cmr.com.cn
    • mail.clinicasanborja.com.pe
    • luckybusan.com
    • linux2.ele-china.com
    • crato.urca.br
    • ahbb.net
    • ntserver1.pascon.com
    • toad.com
    • mailinx.nettlinx.com
    • www.sztge.com.cn

    The email message will have an attachment named Valentin.scr.

    The From field is a random-selected email address and may not be the legitimate sender.

  • Also copies itself to the files, C:\Recycled\Msscra.exe and C:\Recycled\Msmdm.exe.


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Douglas Knowles

Discovered: February 15, 2002
Updated: February 13, 2007 11:55:57 AM
Type: Worm


Delete the files detected as W32.Yaha@mm and reverse the changes that it made to the registry.

NOTE: If the worm has run, in most cases you will need to edit the registry before you can run LiveUpdate, or download the updated definitions and run the scan.

Removing this worm

  1. Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
    • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
    • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

      The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

  2. Start Norton AntiVirus and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files.
  3. Run a full system scan.
  4. Delete all the files detected as W32.Yaha@mm. Make sure that the following are deleted:
    • C:\Recycled\Msscra.exe
    • C:\Recycled\Msmdm.exe
    • C:\Windows\WWW.dll
    • C:\Windows\Screenback.dll
    • C:\Windows\Screen.dll


Editing the registry
If the worm is executed, it modifies the registry so that an infected file is executed every time you run a .exe file. Follow these instructions to fix this.

Copying Regedit.exe to Regedit.com
Because the worm modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run it.
  1. Do one of the following, depending on the operating system you are running:
    • Windows 95/98 users: Click Start, point to Programs, and then click MS-DOS Prompt.
    • Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
    • Windows NT/2000/XP users:
      1. Click Start, and click Run.
      2. Type the following, and then press Enter:

        command

        A DOS window opens.

      3. Type the following, and then press Enter:

        cd \winnt

      4. Proceed to the next step.

  2. Type the following, and then press Enter:

    copy regedit.exe regedit.com

  3. Type the following, and then press Enter:

    start regedit.com

A. Proceed to the section, "Editing the registry and removing keys and changes," only after you have completed the previous steps.

NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, close the DOS window.

Editing the registry and reversing the changes

CAUTION : We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Make sure that you modify only the keys specified in this document. For more information, read, "How to back up the Windows registry ," before proceeding with the following steps. If you are concerned that you cannot perform these steps, then do not proceed. Consult a computer technician for more information.
  1. Navigate to and select the following key:

    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

    CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with a .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
    Do not modify the HKEY_LOCAL_MACHINE\Software\Classes.exe key.
    Do
    modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey shown in the following figure:


    <<=== NOTE: This is the key that you need to modify.

  2. Double-click the (Default) value in the right pane.
  3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

    NOTE: On Win95/98/Me and Windows NT systems, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

    ""%1" %*"

    On Windows 2000/XP systems, the addtional quotation marks will not appear. On these systems, the (Default) value should look exactly like this:

    "%1" %*

  4. Make sure you completely delete all the value data in the command key, prior to typing the correct data. If a space is accidentally left at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
  5. Exit the registry editor.


Writeup By: Douglas Knowles