W32/Yaha.X@mm

Analysis

  • The virus is a 32-bit Windows executable; the compressed (packed) file is 66,048 bytes in size
  • When run, the virus uses imports from PSAPI.DLL to enumerate running processes and their threads, and then attempts to terminate those belonging to antivirus or system-utility software
  • The virus may replace the content of .HTM and .HTML files with the following HTML (the tag nesting is as the virus writes it) -

    <BR><BR><BR><CENTER><B><U> Ha..Ha..Haaa...</CENTER></U></B>

  • The virus harvests email addresses from the infected system, searching the registry and various files on the hard drive - the addresses collected are used as recipients for emails with variable subject and body text and an infectious attachment

  • The virus reads MSN Messenger and Yahoo! Messenger contact names from the registry

  • The virus may parse the UIN files of the ICQ chat client and retrieve email addresses from them

  • The virus creates two files, "HOSTS." and "LMHOSTS." (Win32 drops a trailing dot when a file is created, so they are written as HOSTS and LMHOSTS) - these contain name-resolution entries that map the following sites to 127.0.0.1, so that attempts to browse to them are redirected to the local machine and fail -

    www.symantec.com
    www.microsoft.com
    www.sophos.com
    www.kaspersky.com
    www.avp.ru
    www.mcafee.com
    www.nai.com
    www.trendmicro.com
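
The HOSTS redirection above is easy to verify by hand, but a parser that handles the file format properly (comments, tabs, several names per line, IPv6 loopback, 0.0.0.0 as a sinkhole) is more useful during response because it also catches vendor sites the advisory does not list. The following is an added example, not code from the original advisory; the SAMPLE_HOSTS text is constructed to mimic the entries described above and is not a capture from an infected machine. The function and constant names are this example's own.

```python
"""Audit a HOSTS file for security-vendor sites sinkholed to the local machine.

Added example, not part of the original advisory. SAMPLE_HOSTS is a
constructed sample that mimics the redirections described above.
"""
import ipaddress
from typing import Iterator, List, Set, Tuple

# Sites the advisory says are redirected to 127.0.0.1.
VENDOR_HOSTS = {
    "www.symantec.com", "www.microsoft.com", "www.sophos.com",
    "www.kaspersky.com", "www.avp.ru", "www.mcafee.com",
    "www.nai.com", "www.trendmicro.com",
}
# Addresses that make a name unreachable when used in a HOSTS entry.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback and must not be flagged.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """\
# Constructed sample HOSTS file (not a capture from an infected machine)
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\twww.microsoft.com www.sophos.com    # two names on one line
127.0.0.1 www.kaspersky.com  # trailing comment
0.0.0.0 www.mcafee.com
192.168.1.10 intranet.example
this is not a hosts entry
"""


def parse_hosts(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (address, hostname) pairs, one per hostname.

    Strips '#' comments, tolerates tabs and repeated spaces, accepts several
    hostnames on one line, and skips lines whose first field is not an IP.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in names:
            yield addr, name.lower()


def sinkholed_names(text: str) -> List[Tuple[str, str]]:
    """Every hostname mapped to a sinkhole address, except legitimate loopback
    names. This also catches vendor sites the advisory does not list."""
    hits: Set[Tuple[str, str]] = set()
    for addr, name in parse_hosts(text):
        if addr in SINKHOLE_ADDRS and name not in LEGIT_LOOPBACK:
            hits.add((addr, name))
    return sorted(hits)


def vendor_hits(text: str) -> List[Tuple[str, str]]:
    """Only the sites named in the advisory."""
    return [(a, n) for a, n in sinkholed_names(text) if n in VENDOR_HOSTS]


def audit_file(path: str) -> List[Tuple[str, str]]:
    """Run the check against a real HOSTS file, e.g.
    %SystemRoot%\\System32\\drivers\\etc\\hosts on NT-family Windows or
    C:\\WINDOWS\\HOSTS on Windows 9x."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return sinkholed_names(fh.read())


if __name__ == "__main__":
    for addr, name in sinkholed_names(SAMPLE_HOSTS):
        tag = "ADVISORY" if name in VENDOR_HOSTS else "other"
        print(f"{addr:<10} {name:<24} {tag}")
```

Run it against the live file with audit_file(); any hit that is not a legitimate loopback name is worth a look, and a clean HOSTS file on a machine that still cannot reach these sites points at LMHOSTS, the DNS settings or a proxy instead.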

  • The virus modifies the registry so that it is executed whenever a .BAT, .COM or .EXE file is launched - the virus runs first, and the file the user actually requested may or may not then be executed -

    HKEY_CLASSES_ROOT\batfile\shell\open\command
    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command
    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*

    HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command
    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*

    HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command
    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*

    HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command
    "@" = "C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*

    Original value for "@" in the above keys = "%1" %*
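
The hijack works because the default value of each shell\open\command key is the command line Windows runs for that file type: "%1" is the file that was double-clicked, so anything placed in front of it runs instead, receiving the real file as an argument. The following is an added example, not code from the original advisory, that inspects those six keys for a prepended loader and writes a .reg file restoring the defaults. SAMPLE_VALUES is constructed to mirror the keys listed above; on Windows, read_live_values() reads the real keys through the standard-library winreg module. All function and constant names are this example's own.

```python
"""Check the .BAT/.COM/.EXE open-command handlers for a prepended loader and
build a .reg file that restores the defaults.

Added example, not part of the original advisory. SAMPLE_VALUES is a
constructed sample mirroring the keys the advisory lists.
"""
import re
from typing import Dict, List, NamedTuple

FILE_TYPES = ("batfile", "comfile", "exefile")
ROOTS = ("HKEY_CLASSES_ROOT", r"HKEY_LOCAL_MACHINE\Software\CLASSES")
CLEAN_DEFAULT = '"%1" %*'              # what the default value should be
TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # a quoted string or a bare token


def handler_keys() -> List[str]:
    """The six keys the advisory lists."""
    return ["\\".join([root, ft, "shell", "open", "command"])
            for root in ROOTS for ft in FILE_TYPES]


class Verdict(NamedTuple):
    key: str
    value: str
    hijacked: bool
    loader: str  # program placed ahead of "%1", or "" if none (or value empty)


def inspect_value(key: str, value: str) -> Verdict:
    """A clean handler starts with %1 (quoted or not). Anything before it is a
    loader that runs instead of the requested file."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(value)]
    if tokens and tokens[0] == "%1":
        return Verdict(key, value, False, "")
    return Verdict(key, value, True, tokens[0] if tokens else "")


def audit(values: Dict[str, str]) -> List[Verdict]:
    return [inspect_value(k, v) for k, v in values.items()]


def repair_reg(verdicts: List[Verdict]) -> str:
    """Text of a .reg file that resets every hijacked key to "%1" %*.
    Inside a .reg string value the embedded quotes are backslash-escaped."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for v in verdicts:
        if v.hijacked:
            lines += [f"[{v.key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)


def read_live_values() -> Dict[str, str]:
    """Windows only: default value of each handler key (missing keys skipped)."""
    import winreg  # standard library, present only on Windows
    out: Dict[str, str] = {}
    for key in handler_keys():
        root_name, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(getattr(winreg, root_name), subkey) as h:
                out[key], _ = winreg.QueryValueEx(h, "")
        except OSError:
            pass
    return out


SAMPLE_VALUES = {  # constructed: two hijacked keys, two clean ones
    r"HKEY_CLASSES_ROOT\batfile\shell\open\command": r'"C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*',
    r"HKEY_CLASSES_ROOT\comfile\shell\open\command": r'"C:\WINDOWS\SYSTEM\MSEXEC.EXE" "%1" %*',
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": r'"%1" %*',
    r"HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command": r'%1 %*',
}

if __name__ == "__main__":
    import sys
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VALUES
    verdicts = audit(values)
    for v in verdicts:
        state = "HIJACKED" if v.hijacked else "clean   "
        print(f"{state} {v.key}" + (f"  -> {v.loader}" if v.loader else ""))
    if any(v.hijacked for v in verdicts):
        print(repair_reg(verdicts))
```

Order matters during cleanup: restore the handler keys before deleting MSEXEC.EXE. If the loader is removed while the keys still reference it, every .EXE launch (including regedit) fails until the key is fixed, which is why the .reg file is generated first. HKEY_CLASSES_ROOT mirrors HKEY_LOCAL_MACHINE\Software\CLASSES, so both sets of keys are checked even though a fix to one is normally reflected in the other.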

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR