Discovered: December 24, 2002
Updated: February 13, 2007 11:41:53 AM
Also Known As: W32/Yaha.k [McAfee], I-Worm.Lentin.i [KAV], Win32/Yaha.K@mm [GeCAD], W32/Yaha-K [Sophos], Win32.Yaha.K [CA], W32/Yaha.M-mm [MessageLabs]
Type: Worm
Systems Affected: Windows



NOTE: Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from Category 3 to Category 2 as of June 13, 2003.

W32.Yaha.K@mm is a worm that is a variant of W32.Yaha.J@mm . This worm terminates some antivirus and firewall processes. It uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT. The email message has randomly chosen the subject line, message, and attachment name.

This threat is written in the Microsoft C++ language and is compressed with UPX. The uncompressed size is about 75 KB.



Antivirus Protection Dates

  • Initial Rapid Release version December 26, 2002
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version December 26, 2002
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date December 30, 2002

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Robert X Wang

Discovered: December 24, 2002
Updated: February 13, 2007 11:41:53 AM
Also Known As: W32/Yaha.k [McAfee], I-Worm.Lentin.i [KAV], Win32/Yaha.K@mm [GeCAD], W32/Yaha-K [Sophos], Win32.Yaha.K [CA], W32/Yaha.M-mm [MessageLabs]
Type: Worm
Systems Affected: Windows


When W32.Yaha.K@mm runs, it does the following:

1. Copies itself as the following files and sets the file attributes to Hidden:

    • C:\%System%\WinServices.exe.
    • C:\%System%\Nav32_loader.exe
    • C:\%System%\Tcpsvs32.exe

      NOTE: %System% is a variable. The worm locates the Windows system folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows 2000/NT/), or C:\Windows\System32 (Windows XP).
2. Adds the value:
    WinServices C:\%System%\WinServices.exe

    to the registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices

    so that the worm runs when you start Windows.
3. Configures itself to run each time an .exe file runs, by changing the default value of the registry key:
    HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
    to:
    C:\%System%\Nav32_loader.exe"%1 %*

4. Copies itself to the \Windows\System folder as one of the following files:
    • Hotmail_hack.exe
    • Friendship.scr
    • World_of_friendship.scr
    • Shake.scr
    • Sweet.scr
    • Be_happy.scr
    • Friend_finder.exe
    • I_like_you.scr
    • Love.scr
    • Dance.scr
    • Gc_messenger.exe
    • True_love.scr
    • Friend_happy.scr
    • Best_friend.scr
    • Life.scr
    • Colour_of_life.scr
    • Friendship_funny.scr
    • Funny.scr

5. Attempts to end the antivirus and firewall processes. The worm inventories the active processes, and if the name of the process contains one of the following, it attempts to end the process:
    • REGEDIT
    • ACKWIN32
    • F-AGNT95
    • SWEEP95
    • VET95
    • N32SCANW
    • _AVPM
    • LOCKDOWNADVANCED
    • NSPLUGIN
    • NSCHEDNT
    • NRESQ32
    • NPSSVC
    • NOD32
    • _AVPCC
    • _AVP32
    • NORTON
    • NVC95
    • FP-WIN
    • IOMON98
    • PCCWIN98
    • F-PROT95
    • F-STOPW
    • PVIEW95
    • NAVWNT
    • NAVRUNR
    • NAVLU32
    • NAVAPSVC
    • NISUM
    • SYMPROXYSVC
    • RESCUE32
    • NISSERV
    • VSECOMR
    • VETTRAY
    • TDS2-NT
    • TDS2-98
    • SCAN32
    • PCFWALLICON
    • NSCHED32
    • IAMSERV.EXE
    • FRW.EXE
    • MCAFEE
    • ATRACK
    • IAMAPP
    • LUCOMSERVER
    • LUALL
    • NMAIN
    • NAVW32
    • NAVAPW32
    • VSSTAT
    • VSHWIN32
    • AVSYNMGR
    • AVCONSOL
    • WEBTRAP
    • POP3TRAP
    • PCCMAIN
    • PCCIOMON
    • ESAFE.EXE
    • AVPM.EXE
    • AVPCC.EXE
    • AMON.EXE
    • ALERTSVC
    • ZONEALARM
    • AVP32
    • LOCKDOWN2000
    • AVP.EXE
    • CFINET32
    • CFINET
    • ICMON
    • RMVTRJANSAFEWEB
    • WEBSCANX
    • PVIEW
    • ANTIVIR

    Additionally, if the infected computer is a Windows NT/2000/XP system, the worm will automatically terminate the Windows Task Manager program from memory.

6. Attempts to perform a Denial of Service (DoS) attack against the Web site: www.infopak.gov.pk.


Email Routine Details

The worm uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT. It attempts to use the default SMTP server of the infected computer to send mail. If the worm cannot find this information, then it uses one of the many SMTP server addresses, which are hard-coded into the worm. The email message has the following characteristics:

Subject : The subject line is one of the following:
  • Are you the BEST
  • Free Win32 API source
  • Learn SQL 4 Free
  • I Love You..
  • Wanna be like a stone ?
  • Are you a Soccer Fan ?
  • Sexy Screensavers 4 U
  • Check it out
  • Sample Playboy
  • Hardcore Screensavers 4 U
  • XXX Screensavers 4 U
  • We want peace
  • Wanna be a HE-MAN
  • Visit us
  • One Virus Writer's Story
  • One Hacker's Love
  • World Tour
  • Whats up
  • Wanna be my sweetheart ??
  • Screensavers from Club Jenna
  • Jenna 4 U
  • Free rAVs Screensavers
  • Feel the fragrance of Love
  • Wanna Hack ??
  • Sample KOF 2002
  • The King of KOF
  • Wanna Brawl ??
  • Wanna Rumble ??
  • Play KOF 2002 4 Free
  • Demo KOF 2002
  • Free Demo Game
  • Wanna be friends ??
  • Need money ??
  • Are you beautiful
  • Who is your Valentine
  • Free Screenavers of Love
  • Free XXX
  • Free Screensavers
  • WWE Screensavers
  • Freak Out
  • Wanna be friends ?
  • Things to note
  • Lovers Corner
  • Patch for Elkern.gen
  • Patch for Klez.H
  • Free Screensavers 4 U
  • Project
  • Sample Screensavers
  • Are you in Love
  • I am in Love
  • I Love You
  • You are so sweet
  • The Hotmail Hack
  • U realy Want this
  • to ur lovers
  • to ur friends
  • Find a good friend
  • Learn How To Love
  • Are you looking for Love
  • Wowwwwwwwwwww check it
  • Check ur friends Circle
  • The world of Friendship
  • Shake it baby
  • How sweet this Screen saver
  • war Againest Loneliness
  • Need a friend?
  • Say 'I Like You' To ur friend
  • love speaks from the heart
  • Let's Dance and forget pains
  • Looking for Friendship
  • True Love
  • make ur friend happy
  • Who is ur Best Friend
  • hey check it yaar
  • Check this shit
  • Hello
  • Hi

Message: The message can be one of the following:
  • hey,
    did u always dreamnt of hacking ur friends hotmail account..
    finally i got a hotmail hack from the internet that really works..
    ur my best friend thats why sending to u..
    check it..just run it..enter victim's address and u will get the pass.
  • hi,
    check the attached love screensaver
    and feel the fragrance of true love..
  • Hi,
    check the attached screensaver..
    its really wonderfool..
    i got it from freescreensavers.com
  • Hi,
    check ur friends circle using the attached friendship screensaver..
    check the attached screensaver
    and if u like it send it to all those you consider
    to be true friends... if it comes back to you then
    you will know that you have a circle of friends..
  • Hi,
    check the attached screensaver
    and enjoy the world of friendship..
  • Hi,
    are u in a rocking mood...
    check the attached scrennsaver and start shaking..
  • Hi,
    Check the attached screensaver..
  • Hi,
    Are you lonely ??..
    check the attached screensaver and
    forget the pain of loneliness
  • Hi,
    Looking for online pals..
    check the attached friend finder software..
  • Hi,
    sending you a screensaver..
    check it and let me know how it is...
  • Hi,
    Check the attached screensaver
    and feel the fragrance of true love...
  • Hey,
    I just got this wonderfull screensaver from freescreensaver.com..
    Just check it out and let me know how it is..
    I just came across it.. check out..
    =====================================================================
    Are you one of those unfortunate human beings who are desperately
    looking for friends.. but still not getting true friends with whom
    you can share your everything..

    anyway you wont feel down any more cause GC Chat Network has brought
    up a global chat and online match making system using its own GC
    Messenger. Attached is the fully functional free version of GC<BR>Instant Messenger and Match Making client..
    Just install, register an account with us and find thousands of online
    pals all over the world..
    You can also search for friends by specific country,city,region etc.

    Regards Admin,
    GC Global Chat Network System..
  • Hi,
    So you think you are in love..
    is it true love ? you may think right now that you are in
    true love but it is certainly possible that it is nothing
    but a mere infatuation to you..

    anyway to know yourself better than you have ever known check
    the attached screensaver and feel the fragrance of true love..
  • Hey pal,
    you know friendship is like a business...
    to get something you need to give something..
    though its not that harsh as business but to
    get love and care from your friends you need to give
    love,care and respect to your friends.. right {BR>
    check the attached screensaver and you will learn how to
    make your friends happy..
  • Hi,
    Its quite obvious that in our life we have numerous friends
    but.. BUT Best Friend can only be ONE.. right {BR>so can you decide who is your best friend {BR>i guess not.. cause mostly you will find that your best friend
    wont care about u like somebody else..

    anyway i found one way to find who is my best friend..
    check it..
    just check the attached screensaver.. answer some questions
    in it and also ask your best friend to answer the questions..

    ..then you will know more about him..
  • Hey pal,
    wanna have some fun in life... {BR>feel like life is too boring and monotonous..
    check the attached screensaver and bring colours
    to your black & white life.. :)
  • Hi,
    I just came across this funny screensaver..
    sending it to u.. hope u like it..
    check out and die laughing.. :)
  • <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

    This E-Mail is never sent unsolicited. If you receive this
    E-Mail then it is because you have subscribed to the official
    newsletter at the KOF ONLINE website.

    King Of Fighters is one of the greatest action game ever made.
    Now after the mind boggling sucess of KOF 2001 SNK proudly
    presents to you KOF 2002 with 4 new charecters.
    Even though we need no publicity for our product but this
    time we have decided to give away a fully functional trial
    version of KOF 2002. So check out the attached trial version
    of KOF 2002 and register at our official website to get a free
    copy of KOF2002 original version

    Best Regards,
    Admin,KOF ONLINE..

    <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
  • Hello,
    I just came across your email ID while searching in the Yahoo profiles.
    Actually I want a true friend 4 life with whom I can share my everything.
    So if you are interested in being my friend 4 life then mail me.

    If you wanna know about me, attached is my profile along with some of my
    pics. You can check and if you like it then do mail me.
    I will be waiting for your mail.

    Best Wishes,
    Your Friend..
  • Hello,
    Looking for some Hardcore mind boggling action ?
    Install the attached browser software and browse
    across millions of paid hardcore sex sites for free.
    Using the software you can safely and easily browse
    across most of the hardcore XXX paid sites across the
    internet for free. Using it you can also clean all
    traces of your web browsing from your computer.

    Note:The attached browser software is made exclusivley
    for demo only. You can use the software for a limited
    time of 35 days after which you have to register it
    at our official website for its furthur use.

    Regards,
    Admin.
  • Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC
  • Hello,
    The attached product is send as a part of our official campaign
    for the popularity of our product.
    You have been chosen to try a free fully functional sample of our
    product.If you are satified then you can send it to your friends.
    All you have to do is to install the software and register an account
    with us using the links provided in the software. Then send this software
    to your friends using your account ID and for each person who registers
    with us through your account, we will pay you $1.5.Once your account reaches
    the limit of $50, your payment will be send to your registration address by
    check or draft.
    Please note that the registration process is completely free which means
    by participating in this program you will only gain without loosing anything.

    Best Regards,
    Admin,

Attachment: The attachment is one of the following:
  • The_Best.scr
  • Codeproject.scr
  • SQL_4_Free.scr
  • I_Love_You.scr
  • Stone.scr
  • Sex.scrSoccer.scr
  • Real.scr
  • Plus6.scr
  • Plus2.scr
  • Playboy.scr
  • Hardcore4Free.scr
  • xxx4Free.scr
  • Screensavers.scr
  • Peace.scr
  • Body_Building.scr
  • Services.scr
  • VXer_The_LoveStory.scr
  • Hacker_The_LoveStory.scr
  • World_Tour.scr
  • up_life.scr
  • Sweetheart.scr
  • Sexy_Jenna.scr
  • Jenna_Jemson.scr
  • zDenka.scr
  • Ravs.scr
  • Free_Love_Screensavers.scr
  • Romeo_Juliet.scr
  • Hacker.scr
  • KOF_Fighting.exe
  • KOF_Sample.exe
  • KOF_Demo.exe
  • KOF_The_Game.exe
  • KOF2002.exe
  • King_of_Figthers.exe
  • KOF.exe
  • My_Sexy_Pic.scr
  • MyProfile.scr
  • Ways_To_Earn_Money.exe
  • Beautifull.scr
  • Valentines_Day.scr
  • zXXX_BROWSER.exe
  • Britney_Sample.scr
  • THEROCK.scr
  • FreakOut.exe
  • MyPic.scr
  • Notes.exe
  • Cupid.scr
  • FixElkern.com
  • FixKlez.com
  • Romantic.scr
  • Project.exe
  • Love.scr
  • friendship_funny.scr
  • Colour_of_life.scr
  • Life.scr
  • Best_friend.scr
  • Friend_happy.scr
  • True_love.scr
  • Gc_messenger_exe
  • Dance.scr
  • I_like_you.scr
  • Friend_finder_exe
  • Be_happy.scr
  • Sweet.scr
  • Shake.scr
  • World_of_friendship.scr
  • Friendship.scr
  • Funny.scr
  • Hotmail_hack_exe.scr


From: The From field may be a fake email address constructed from the following:
  • Klein Anderson
  • Codeproject
  • SQL Library
  • me2K
  • Rocking Stone
  • Super Soccer
  • Sexy Screensavers
  • Real Inc.
  • Plus 6
  • Plus 2
  • Playboy Inc.
  • Hardcore Screensavers
  • XXX Screensavers
  • Nomadic Screensavers
  • Keanu Stevenson
  • Nicolas Schwarzeneggar
  • admin@hackersclub.com
  • admin@viruswriters.com
  • admin@hackers.com
  • Paul Owen
  • Benting
  • Veronica Anderson
  • Club Jenna
  • Jenna Jameson
  • Zdenka Podkapova
  • Raveena Pusanova
  • Screensavers of Love
  • Romeo & Juliet
  • Jaucques Antonio Barkinstein
  • Cathy Kindergarten
  • KOF Online
  • Omega Rugal
  • Terry Bogard
  • Iori Yagami
  • Kyo Kusanagi
  • Clark Steel
  • Ralph Jones
  • Jasmine Stevens
  • Ross Anderson
  • John Vandervochich
  • American Beauty
  • Valentine Screensavers
  • Lovers Screensavers
  • zporNstarS
  • britneyspears.org
  • The Rock
  • Noopman
  • Susan
  • Jonathan
  • Cupid
  • McAfee Inc.
  • Norton Antivirus
  • Trend Micro
  • Romantic Screensavers
  • Jericho
  • Love Inc.

and:
  • kl@aminoprojects.com
  • admin@codeproject.com
  • free@sql.library.com
  • me@me2K.com
  • stone@esterplaza.com
  • marketing@suppersoccer.com
  • free@sexyscreensavers.com
  • sales@real.com
  • plus@real.com
  • sales@playboy.com
  • free@hardcorescreensavers.com
  • free@xxxscreensavers.com
  • kkn@k2k.comscreensavers@nomadic.com
  • nics@nomadic.com
  • paul@kqscore.com
  • btq@263.com
  • services@tcsonline.com
  • admin@clubjenna.com
  • jenna@jennajameson.com
  • zdenka@zpornstars.com
  • ravs@go2pussy.com
  • love@lovescreensavers.com
  • DNA_seraph@163.com
  • super@21cn.com
  • cathy@21cn.com
  • admin@kofonline.com
  • zhouyuye@citiz.net
  • lubing@7135.com
  • hamada@seikosangyo.com
  • luoairong@21cn.com
  • valentinescreensavers@t2k.com
  • screensavers@lovers.com
  • admin@zpornstars.com
  • newsletters@britneyspears.org
  • therock@wwe.com
  • ericpan@online.com.pk
  • samsun@online.sh.cn
  • yjworks@online.sh.cn
  • cupid@freescreensavers.com
  • av_patch@mcafee.com
  • av_patch@norton.com
  • av_patch@trendmicro.com
  • romanticscreensavers@love.com
  • caijob@online.sh.cn
  • loverscreensavers@love.com


If the system date is March 25 or May 22, the worm displays the following message and switches the functions of the left and right mouse buttons:



If the system day is Thursday, the worm performs these actions:
  1. Randomly changes the Value data of the Start Page value in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to one of these:
    • http:/ /www.unixhideout.com
    • http:/ /www.hirosh.tk
    • http:/ /www.neworder.box.sk
    • http:/ /www.blacksun.box.sk
    • http:/ /www.coderz.net
    • http:/ /www.hackers.com/html/neohaven.html
    • http:/ /www.ankitfadia.com
    • http:/ /www.hrvg.tk
    • http:/ /www.hackersclub.up.to
    • http:/ /geocities.com/snak33y3s

      or a similar Web site.
  2. Retrieves the location of the current user's documents folder from the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Explorer\Shell Folders

    and then it sets the attributes of this folder, all the subfolders in this folder, as well as all the files in this folder and its subfolders to hidden. In most cases, this folder is the \My Documents folder.
  3. Creates the text file aYeHS.txt on the Windows desktop. The attributes of the file are set to Hidden and Archive. The file contains one of the following text messages:

    ============================================================
    r0xx pReSaNt$ W32.@YerH$.B (all r1ght$ re$erv3d.. ;) )
    w3 aRe tHe gRe@t 1nD1aN$..
    ------------------------------------------------------
    m@iN mIssIoN iS t0 sPreAd tHe nAmE @YerH$
    s00 mUch t0 c0me..
    iNclUdEd DDoS c0mp0neNtS c@usE oF sHiT p@kI l@meRs

    eXp3ct th3 uNeXp3ctEd

    dEdic@t3d t0 : mY b3$t fRi3nD
    ============================================================
    >> qph@hackermail.com
    or:

    ==================================================
    W32.@YerH$.B,Made in India,
    wE aRe thE greAt iNdIaNs..
    ----------------------------
    aBouT mE :
    jUst a c0mputEr gEEk..
    i tHinK i aM sTill a sCripT kiddiE..
    eDucAtiOn : sCh00l sTudEnt..
    aBouT @YerH$.B:
    n0 dEstrucTivE paYload$ f0r inFecTeD c0mpUteRs.
    teRminAtioN oF aV + FireWaLL f0r sUrvIvaL.
    tImE dEfiNed tRigErRinG.. jUst f0r fUn.. n0 paYloaD.
    c0ntAinS bUg iN rEpliCation c0de.. no tIme t0 fiX.
    g0nNa fiX iT iN nExt rElEase..
    n0 m0rE $hiT
    ===================================================
    >> qph@hackermail.com

    or:

    ==================================================
    W32.@YerH$.B,Made in India,
    wE aRe thE greAt iNdIaNs..
    ----------------------------
    spEciAl 10x to c0bra..
    f0r inSpirAtIon + c0dIng hElp..
    ==================================================
    >> qph@hackermail.com

    or:

    ======================================================
    W32.@YerH$.B,Made in India
    wE aRe thE greAt iNdIaNs..
    ----------------------------
    wAnT peAce aNd pr0speRity in InDiA ?..
    f**k tHe c0rruptEd p0litiCian$..no shit$ nEEdeD..
    mErA bhAraT mAhaN ??.. n0t yeT..wE nEEd t0 mAkE iT..
    talenT & hArd w0rK shOulD be rEspEctEd..
    sElf stYleD a**H***$ mUsT bE eLimInatEd....
    n0 m0re $hiT m0n0p0lY..
    ======================================================
    >> qph@hackermail.com

    or:

    =================================================
    W32.@YerH$.B,Made in India.
    wE aRe thE greAt iNdiAnS.
    ----------------------------
    iNdiAn hAckeRs + vXerS teAm up...
    aNd kicK lamEr a**
    no m0re pAk shIT..
    itZ oUr tiMe to shOw tHem, the p0wer of teaM w0rk.
    f**k AIC,GFORCE,SILVERLORDS,WFD..f*****g k1dd1es..
    no sHit bUsineSS iN heRe aNd
    nO lamE stuFF..
    =================================================
    >> qph@hackermail.com

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Robert X Wang

Discovered: December 24, 2002
Updated: February 13, 2007 11:41:53 AM
Also Known As: W32/Yaha.k [McAfee], I-Worm.Lentin.i [KAV], Win32/Yaha.K@mm [GeCAD], W32/Yaha-K [Sophos], Win32.Yaha.K [CA], W32/Yaha.M-mm [MessageLabs]
Type: Worm
Systems Affected: Windows



NOTE: If the worm has not run, and your Symantec antivirus product detects W32.Yaha.K@mm either in an email message, or when the worm attempts to run, delete it.

Removal tool
Symantec has provided a tool to remove W32.Yaha.K@mm infections. Click here to obtain the tool. Try this method first, as it is the easiest way to remove the threat.

Manual removal
If the worm has run and you need to do a manual removal, do the following:

  1. Download the updated virus definitions using the Intelligent Updater, but do not install them.
  2. Restart the computer in Safe mode.
  3. Copy Regedit.exe to Reg.com.
  4. Edit the registry and reverse the changes the worm made.
  5. Start your Symantec antivirus software. If it does not start or properly function, re-install it.
  6. Install the Intelligent Updater virus definitions you downloaded in step 1.
  7. Run a full system scan and delete the files detected as W32.Yaha.K@mm.

1. Downloading virus definitions
2. Restarting the computer in Safe mode
    1. Shut down the computer and turn off the power. Wait 30 seconds. Do not skip this step.
    2. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe mode."

3. Copying Regedit.exe to Reg.com
    Because the worm modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
    1. Do one of the following, depending on which operating system you are running:
      • Windows 95/98 users: Click Start, point to Programs, and click the MS-DOS Prompt. (This opens a DOS window at the C:\Windows prompt.) Proceed to step 2 of this section.
      • Windows Me users: Click Start, point to Programs, point to Accessories, and then click the MS-DOS Prompt. (This opens a DOS window at the C:\Windows prompt.) Proceed to step 2 of this section.
      • Windows NT/2000 users:
        1. Click Start, and then click Run.
        2. Type command, and then press Enter:

          (An MS-DOS window opens.)
        3. Type the following:

          cd \winnt

          and then press Enter.
        4. Proceed to step 2 of this section.
      • Windows XP:
        1. Click Start, and then click Run.
        2. Type command, and then press Enter:

          (A DOS window opens.)
        3. Type the following lines, pressing Enter after typing each one:

          cd\
          cd \windows
        4. Proceed to step 2 of this section.
    2. Type the following:

      copy regedit.exe reg.com

      and then press Enter
    3. Type the following, and then press Enter:

      start reg.com

      (The Registry Editor opens in front of the DOS window.) After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.
      Proceed to the next section ("Editing the registry and reversing the changes the worm made,") only after you have completed the previous steps.

4. Editing the registry and reversing the changes the worm made

    CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the specified keys. Read the document, "How to make a backup of the Windows registry," for instructions.
    1. Navigate to and select the following key:

      HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

      CAUTION: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure that you browse all the way along this path until you reach the \command subkey.

      Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey, shown in the following figure:

      <<=== NOTE: Modify this key.
    2. In the right pane, double-click the (Default) value.
    3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk).

      NOTES:
      • On Windows 95/98/Me and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

        ""%1" %*"  
      • On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

        "%1" %*
      • Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over from the beginning of this document and make sure that you completely remove the current value data.
    4. Navigate in turn to each of the following keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
      CurrentVersion\RunServices

      NOTE: The RunServices key may not exist on all the systems.
    5. In the right pane, delete the value:

      WinServices C:\%System%\WinServices.exe

    6. Exit the registry editor.


5. Starting your Symantec antivirus software
    Start your Symantec antivirus program either from the shortcut icon on your Windows desktop or from the Start menu. If it does not start, or if you have any problems when running the scan in step 8, re-install the software from your installation files or CD.

    CAUTION: If you need to re-install your Symantec antivirus program, restart the computer in Safe mode before you proceed to the next step.

6. Installing the Intelligent Updater virus definitions
    Double-click the file that you downloaded in step 1. Click Yes or OK if you are prompted.

7. Scanning for and deleting the infected files When you are finished, restart the computer and allow it to normally start.


Writeup By: Robert X Wang