W32.Yaha.U@mm

Printer Friendly Page

Discovered: July 01, 2003
Updated: February 13, 2007 12:03:11 PM
Also Known As: I-Worm.Lentis.gen [KAV]
Type: Worm
Systems Affected: Windows



The W32.Yaha.U@mm worm:

  • Is a variant of W32.Yaha.J@mm.
  • Terminates some antivirus and firewall processes.
  • Uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and in all the files whose extensions contain the letters HT.

The email message has a randomly chosen subject line, message, and attachment name. The attachment will have a .com, .exe, or .scr file extension.

This worm is written in the Microsoft C++ language and is compressed with ASPack.

Antivirus Protection Dates

  • Initial Rapid Release version July 01, 2003
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version July 01, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date July 02, 2003

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Kaoru Hayashi

Discovered: July 01, 2003
Updated: February 13, 2007 12:03:11 PM
Also Known As: I-Worm.Lentis.gen [KAV]
Type: Worm
Systems Affected: Windows


When W32.Yaha.U@mm runs, it does the following:

  1. Copies itself as the following files and sets the file attributes to Hidden:
    • %System%\WINTSK32.EXE
    • %System%\EXELDR32.EXE

  2. Adds the value:

    "MicrosoftServiceManager"="%System%\WINTSK32.EXE"

    to the registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    RunServices

    so that the worm runs when you start Windows.

  3. Configures itself to run each time a .exe file runs, by changing the (Default) value of the registry key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

    to:

    "%System%\exeldr32.exe"%1 %*

  4. Creates the following keys and sets some values within them:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Snake
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    ZoneCheck

  5. Copies itself to the \Windows\System folder as one of the following files:
    • Hotmail_hack.exe
    • friendship.scr
    • world_of_friendship.scr
    • shake.scr
    • Sweet.scr
    • Be_Happy.scr
    • Friend_Finder.exe
    • I_Like_You.scr
    • love.scr
    • dance.scr
    • GC_Messenger.exe
    • True_Love.scr
    • Friend_Happy.scr
    • Best_Friend.scr
    • life.scr
    • colour_of_life.scr
    • friendship_funny.scr
    • funny.scr

  6. Attempts to end many antivirus and firewall processes. The worm inventories the active processes, and if the name of the process matches the name in a list that the worm carries, the worm attempts to end the process.

  7. Attempts to delete the following files:
    • %System%\WinServices.exe.
    • %System%\Nav32_loader.exe
    • %System%\Tcpsvs32.exe
    • %System%\Syshelp32.exe
    • %System%\Wingate.exe
    • %System%\Winrpcsrv.exe
    • %System%\Winmgm32.exe
    • %Windows%\SNTMLS.dat


Email Routine Details
The worm uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and in all the files whose extensions contain the letters HT. It attempts to use the default SMTP server of the infected computer to send mail. If the worm cannot find this information, then it will use one of the many SMTP server addresses, which are hard-coded into the worm.

The email message has the following characteristics:

Subject: The subject line is one of the following:
Are you in Love
I am in Love
I Love You
You are so sweet
The Hotmail Hack
U realy Want this
to ur lovers
to ur friends
Find a good friend
Learn How To Love
Are you looking for Love
Wowwwwwwwwwww check it
Check ur friends Circle
The world of Friendship
Shake it baby
How sweet this Screen saver
war Againest Loneliness
Need a friend?
Say 'I Like You' To ur friend
love speaks from the heart
Let's Dance and forget pains
Looking for Friendship
True Love
make ur friend happy
Who is ur Best Friend
hey check it yaar
Check this sh*t
Hello
Are you the BEST
Free Win32 API source
Learn SQL 4 Free
I Love You..
Wanna be like a stone ?
Are you a Soccer Fan ?
Sexy Screensavers 4 U
Check it out
Sample Playboy
Hardcore Screensavers 4 U
XXX Screensavers 4 U
We want peace
Wanna be a HE-MAN
Visit us
One Virus Writer's Story
One Hacker's Love
World Tour
Whats up
Wanna be my sweetheart ??
Screensavers from Club Jenna
Jenna 4 U
Free rAVs Screensavers
Feel the fragrance of Love
Wanna Hack ??
Sample KOF 2002
The King of KOF
Wanna Brawl ??
Wanna Rumble ??
Play KOF 2002 4 Free
Demo KOF 2002
Free Demo Game
Wanna be friends ??
Need money ??
Are you beautiful
Who is your Valentine
Free Screenavers of Love
Free XXX
Free Screensavers
WWE Screensavers
Freak Out
Wanna be friends ?
Things to note
Lovers Corner
Patch for Elkern.gen
Patch for Klez.H
Free Screensavers 4 U
Project
Sample Screensavers

Message: The message can be one of the following:

hey,
did u always dreamnt of hacking ur friends hotmail account..
finally i got a hotmail hack from the internet that really works..
ur my best friend thats why sending to u..
check it..just run it..enter victim's address and u will get the pass.

hi,
check the attached love screensaver
and feel the fragrance of true love..

Hi,
check the attached screensaver..
its really wonderfool..
i got it from freescreensavers.com

Hi,
check ur friends circle using the attached friendship screensaver..
check the attached screensaver
and if u like it send it to all those you consider
to be true friends... if it comes back to you then
you will know that you have a circle of friends..

Hi,
check the attached screensaver
and enjoy the world of friendship..
Hi,
are u in a rocking mood...
check the attached scrennsaver and start shaking..

Hi,
Check the attached screensaver..

Hi,
Are you lonely ??..
check the attached screensaver and
forget the pain of loneliness

Hi,
Looking for online pals..
check the attached friend finder software..

Hi,
sending you a screensaver..
check it and let me know how it is...

Hi,
Check the attached screensaver
and feel the fragrance of true love...

Hey,
I just got this wonderfull screensaver from freescreensaver.com..
Just check it out and let me know how it is..
I just came across it.. check out..
=====================================================================
Are you one of those unfortunate human beings who are desperately
looking for friends.. but still not getting true friends with whom
you can share your everything..

anyway you wont feel down any more cause GC Chat Network has brought
up a global chat and online match making system using its own GC
Messenger. Attached is the fully functional free version of GC<BR>Instant Messenger and Match Making client..
Just install, register an account with us and find thousands of online
pals all over the world..
You can also search for friends by specific country,city,region etc.

Regards Admin,
GC Global Chat Network System..

Hi,
So you think you are in love..
is it true love ? you may think right now that you are in
true love but it is certainly possible that it is nothing
but a mere infatuation to you..

anyway to know yourself better than you have ever known check
the attached screensaver and feel the fragrance of true love..

Hey pal,
you know friendship is like a business...
to get something you need to give something..
though its not that harsh as business but to
get love and care from your friends you need to give
love,care and respect to your friends.. right {BR>
check the attached screensaver and you will learn how to
make your friends happy..

Hi,
Its quite obvious that in our life we have numerous friends
but.. BUT Best Friend can only be ONE.. right {BR>so can you decide who is your best friend {BR>i guess not.. cause mostly you will find that your best friend
wont care about u like somebody else..

anyway i found one way to find who is my best friend..
check it..
just check the attached screensaver.. answer some questions
in it and also ask your best friend to answer the questions..

..then you will know more about him..
Hey pal,
wanna have some fun in life... {BR>feel like life is too boring and monotonous..
check the attached screensaver and bring colours
to your black & white life.. :)
Hi,
I just came across this funny screensaver..
sending it to u.. hope u like it..
check out and die laughing.. :)
<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

This E-Mail is never sent unsolicited. If you receive this
E-Mail then it is because you have subscribed to the official
newsletter at the KOF ONLINE website.

King Of Fighters is one of the greatest action game ever made.
Now after the mind boggling sucess of KOF 2001 SNK proudly
presents to you KOF 2002 with 4 new charecters.
Even though we need no publicity for our product but this
time we have decided to give away a fully functional trial
version of KOF 2002. So check out the attached trial version
of KOF 2002 and register at our official website to get a free
copy of KOF2002 original version

Best Regards,
Admin,KOF ONLINE..

<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
Hello,
I just came across your email ID while searching in the Yahoo profiles.
Actually I want a true friend 4 life with whom I can share my everything.
So if you are interested in being my friend 4 life then mail me.

If you wanna know about me, attached is my profile along with some of my
pics. You can check and if you like it then do mail me.
I will be waiting for your mail.

Best Wishes,
Your Friend..
Hello,
Looking for some Hardcore mind boggling action ?
Install the attached browser software and browse
across millions of paid hardcore sex sites for free.
Using the software you can safely and easily browse
across most of the hardcore XXX paid sites across the
internet for free. Using it you can also clean all
traces of your web browsing from your computer.

Note:The attached browser software is made exclusivley
for demo only. You can use the software for a limited
time of 35 days after which you have to register it
at our official website for its furthur use.

Regards,
Admin.
Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC
Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satified then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5.Once your account reaches
the limit of $50, your payment will be send to your registration address by
check or draft.
Please note that the registration process is completely free which means
by participating in this program you will only gain without loosing anything.

Best Regards,
Admin,

Attachment: The attachment is one of the following:
The_Best.scr
Codeproject.scr
SQL_4_Free.scr
I_Love_You.scr
Stone.scr
Sex.scr
Soccer.scr
Real.scr
Plus6.scr
Plus2.scr
Playboy.scr
Hardcore4Free.scr
xxx4Free.scr
Screensavers.scr
Peace.scr
Body_Building.scr
Services.scr
VXer_The_LoveStory.scr
Hacker_The_LoveStory.scr
World_Tour.scr
up_life.scr
Sweetheart.scr
Sexy_Jenna.scr
Jenna_Jemson.scr
zDenka.scr
Ravs.scr
Free_Love_Screensavers.scr
Romeo_Juliet.scr
Hacker.scr
KOF_Fighting.exe
KOF_Sample.exe
KOF_Demo.exe
KOF_The_Game.exe
KOF2002.exe
King_of_Figthers.exe
KOF.exe
My_Sexy_Pic.scr
MyProfile.scr
Ways_To_Earn_Money.exe
Beautifull.scr
Valentines_Day.scr
zXXX_BROWSER.exe
Britney_Sample.scr
THEROCK.scr
FreakOut.exe
MyPic.scr
Notes.exe
Cupid.scr
FixElkern.com
FixKlez.com
Romantic.scr
Project.exe
Love.scr

From: The From field may be a fake email address constructed from the following:
Klein Anderson
Codeproject
SQL Library
me2K
Rocking Stone
Super Soccer
Sexy Screensavers
Real Inc.
Plus 6
Plus 2
Playboy Inc.
Hardcore Screensavers
XXX Screensavers
Nomadic Screensavers
Keanu Stevenson
Nicolas Schwarzeneggar
admin@hackersclub.com
admin@viruswriters.com
admin@hackers.com
Paul Owen
Benting
Veronica Anderson
Club Jenna
Jenna Jameson
Zdenka Podkapova
Raveena Pusanova
Screensavers of Love
Romeo & Juliet
Jaucques Antonio Barkinstein
Cathy Kindergarten
KOF Online
Omega Rugal
Terry Bogard
Iori Yagami
Kyo Kusanagi
Clark Steel
Ralph Jones
Jasmine Stevens
Ross Anderson
John Vandervochich
American Beauty
Valentine Screensavers
Lovers Screensavers
zporNstarS
britneyspears.org
The Rock
Noopman
Susan
Jonathan
Cupid
McAfee Inc.
Norton Antivirus
Trend Micro
Romantic Screensavers
Jericho
Love Inc.

and:

kl@aminoprojects.com
admin@codeproject2.com
free@sql.library.com
me@me2K.com
stone@esterplaza.com
marketing@suppersoccer.com
free@sexyscreensavers.com
sales@real.com
plus@real.com
sales@playboy.com
free@hardcorescreensavers.com
free@xxxscreensavers.com
kkn@k2k.comscreensavers@nomadic.com
nics@noma.com
admin@hackersclub2.com
admin@hackers2.com
paul@kqscore2.com
btq@2632.com
services@tcsonline2.com
admin@clubjenna.com
jenna@jennajameson.com
zdenka@zpornstars.com
ravs@go2pussy.com
love@lovescreensavers.com
DNA_seraph@163.com
super@21cn.com
cathy@21cn.com
admin@kofonline2.com
zhouyuye@citiz.net
lubing@7135.com
hamada@seikosangyo.com
luoairong@21cn.com
valentinescreensavers@t2k.com
screensavers@lovers.com
admin@zpornstars.com
newsletters@britneyspears.org
therock@wwe.com
ericpan@online.com.pk
samsun@online.sh.cn
yjworks@online.sh.cn
cupid@freescreensavers.com
av_patch@mcafee.com
av_patch@norton.com
av_patch@trendmicro.com
romanticscreensavers@love.com
caijob@online.sh.cn
loverscreensavers@love.com

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Writeup By: Kaoru Hayashi

Discovered: July 01, 2003
Updated: February 13, 2007 12:03:11 PM
Also Known As: I-Worm.Lentis.gen [KAV]
Type: Worm
Systems Affected: Windows




NOTE: If the worm has not run and your Symantec antivirus product detects W32.Yaha.U@mm either in an email message or when the worm attempts to run, simply delete it.

If the worm has run, follow these instructions:

  1. Download the updated virus definitions using the Intelligent Updater, but do not install them.
  2. Restart the computer in Safe mode.
  3. Copy the Regedit.exe file to Regedit.com.
  4. Edit the registry and reverse the changes that the worm made.
  5. Restart the computer in Normal mode.
  6. Start your Symantec antivirus software. If it does not properly start or function, re-install it.
  7. Install the Intelligent Updater virus definitions that you downloaded earlier.
  8. Run a full system scan and delete the files detected as W32.Yaha.U@mm.

1. Downloading the virus definitions
2. Restarting the computer in Safe mode
    1. Shut down the computer and turn off the power. Wait 30 seconds. Do not skip this step.
    2. All the Windows 32-bit operating systems, except for Windows NT, can be restarted in Safe mode. For instructions, read the document, "How to start the computer in Safe mode."

3. Copying Regedit.exe to Regedit.com
    Because the worm modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run that file.
    1. Do one of the following, depending on which operating system you are running:
      • Windows 95/98 users: Click Start, point to Programs, and then click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Proceed to step B of this section.
      • Windows Me users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt. This opens a DOS window at the C:\Windows prompt. Proceed to step B of this section.
      • Windows NT/2000 users:
        1. Click Start, and then click Run.
        2. Type the following:

          command

          and then press Enter. (A DOS window opens.)

        3. Type the following:

          cd \winnt

          and then press Enter.

        4. Proceed to step B of this section.

      • Windows XP:
        1. Click Start, and then click Run.
        2. Type the following: command

          and then press Enter. (A DOS window opens.)

        3. Type the following lines (press Enter after typing each one):

          cd\
          cd \windows

        4. Proceed to step B of this section.

    2. Type the following:

      copy regedit.exe regedit.com

      and then press Enter.

    3. Type the following:

      start regedit.com

      and then press Enter.

      The Registry Editor opens in front of the DOS window. After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.

    4. Proceed to the next section, "Editing the registry and reversing the changes that the worm made," only after you have completed the previous steps.

4. Editing the registry and reversing the changes that the worm made

    CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the specified keys. Read the document, "How to make a backup of the Windows registry," for instructions.

    1. Navigate to and select the following key:

      HKEY_CLASSES_ROOT\exefile\shell\open\command

      CAUTION: The HKEY_CLASSES_ROOT\ key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with a .exe extension from running. Make sure that you browse all the way along this path until you reach the command subkey.

      Modify the HKEY_CLASSES_ROOT\exefile\shell\open\command subkey that is shown in the following figure:


      <<=== NOTE: Modify this key.

    2. In the right pane, double-click the (Default) value.
    3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

      NOTES:
      • On Windows 95/98/Me and Windows NT systems, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

        ""%1" %*"  
      • On Windows 2000/XP systems, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

        "%1" %*
      • Make sure that you completely delete all the value data in the command key before you type the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this happens to you, start over at the beginning of this document and make sure that you completely remove the current value data.

    4. Navigate in turn to each of the following keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      RunServices

      NOTE: The RunServices key may not exist on all the systems.

    5. In the right pane, delete the value:

      "MicrosoftServiceManager"="%System%\WINTSK32.EXE"

    6. Delete the keys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Snake
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
      ZoneCheck

    7. Exit the registry editor.

5. Restarting the computer in Normal mode
    Shut down the computer and wait 30 seconds. Restart the computer as you normally would, allowing it to go into Normal mode.

6. Starting your Symantec antivirus software
    Start your Symantec antivirus program either from the shortcut icon on your Windows desktop or from the Start menu. If it does not start, or if you have any problems when running the scan in step 8, re-install the software from your installation files or CD.

7. Installing the Intelligent Updater virus definitions
    Double-click the file that you downloaded in Step 1. Click Yes or OK if prompted.

8. Scanning for and deleting the infected files


Writeup By: Kaoru Hayashi