Virus

W32/Yaha.P@mm

Analysis

  • Virus is 32bit, with a compressed size of 45,568 bytes
  • Virus icon resembles that of a TXT file associated with Notepad
  • Virus may search the following list and attempt to terminate several Antivirus or firewall related applications, based on a table of names
  • Virus may copy itself to the Windows\System folder as “exeLoader.exe”, and modify the registry to run this any time an EXE file is run –

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ““C:\Windows\System\exeLoader.exe””undefined1“undefined*

    * original value for above was
    (Default) = “undefined1” undefined*

  • Virus modifies the registry to run at Windows startup –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    MicrosoftServiceManager = C:\Windows\System\mstask32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    MicrosoftServiceManager = C:\Windows\System\mstask32.exe

  • Virus will create additional keys in the system registry –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes\
    Author = R0xx
    Comments = This system belongs to the great Indians…
    Version = 2
    Web = http://www.indiansnakes.cjb.net
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\ZoneCheck\
    (Default) = pcb.gov.pk

    HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
    (Default) = jsgpoo

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook