1. Symantec/
  2. Security Response/
  3. W32.Yaha.AB@mm


Risk Level 1: Very Low

September 17, 2003
February 13, 2007 12:07:24 PM
Also Known As:
I-Worm.Lentin.q[KAV], W32/Lentin.S@mm[F-Prot]
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

  • Is a worm that is a variant of W32.Yaha.T@mm.
  • Terminates some antivirus and firewall processes.
  • Uses its own SMTP engine to email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, ICQ Pager, as well as in all the files whose extensions contain the letters HT.
  • Installs a keylogger and emails the logs to its author.
  • Contains a destructive payload, which may be triggered if the system timezone is GMT+5.
  • Performs a Denial of Service (DoS) attack to some specified hosts and random hosts on ports 80, 135, 139, and 445.

The email message has a randomly chosen subject line, message, and attachment name. The attachment will have a .com, .exe, .scr, or .zip file extension.

This threat is written in the Microsoft C++ language and is compressed with FSG.

Antivirus Protection Dates

  • Initial Rapid Release version September 17, 2003
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version September 17, 2003
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date September 17, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Robert X Wang

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube