W32/Yaha.Y@mm
Analysis
- The virus is 32-bit, with a compressed file size of 66,048 bytes, and is a slight variant of W32/Yaha.X-mm
- If the virus is run, it uses imports from PSAPI.DLL to enumerate threads and processes and then attempts to terminate them; the targeted processes belong to antivirus or system-utility software
- The virus may write itself into the %Windows%\System32 folder -
C:\WINNT\System32\EXEWIN32.EXE
C:\WINNT\System32\EXPLORERE.EXE
- The virus may replace the content of .HTM or .HTML files with the following script -
<BR><BR><BR><CENTER><B><U> Ha..Ha..Haaa...</CENTER></U></B>
- The virus may harvest email addresses from the hard drive by looking in places such as the registry and various files on the infected system; the harvested addresses are used to send emails with variable subject and body text and an infectious attachment
- The virus retrieves contact names for the MSN Messenger and Yahoo applications from the registry
- The virus may parse UIN files associated with the ICQ chat client and retrieve email addresses from them
- As with the Yaha.X variant, the virus creates two files, "HOSTS." and "LMHOSTS.", containing name-resolution entries that redirect attempts to browse to the following sites to 127.0.0.1 -
www.symantec.com
www.microsoft.com
www.sophos.com
www.kaspersky.com
www.avp.ru
www.avp.com
www.mcafee.com
www.nai.com
- The virus modifies the registry to increase the likelihood of being executed repeatedly: when a file with a .BAT, .EXE or .COM extension is run, the virus runs first, and the original file may or may not execute -
HKEY_CLASSES_ROOT\batfile\shell\open\command\
"@" = "C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*
HKEY_CLASSES_ROOT\comfile\shell\open\command\
"@" = "C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*
HKEY_CLASSES_ROOT\exefile\shell\open\command\
"@" = "C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*
Original value for "@" in the above keys = "%1" %*
Detection Availability
Product | Detection
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |