Virus

W32/Yaha.AA@mm

Analysis

  • The virus is a 32-bit executable with a compressed size of 60,304 bytes
  • The virus may be introduced to the system as an email attachment sent from an infected computer
  • If the virus is run, it will write itself to several locations -

    c:\Documents and Settings\All Users\
    Start Menu\Programs\Startup\MEXPLORE.EXE
    c:\Documents and Settings\(every user account)\
    Start Menu\Programs\Startup\MEXPLORE.EXE
    c:\WINNT\system32\CMDE32.EXE
    c:\WINNT\system32\MEXPLORE.EXE

  • The virus will then modify the registry to auto run at Windows startup -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "MS Explorer" = C:\WINNT\System32\MEXPLORE.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "MS Explorer" = C:\WINNT\System32\MEXPLORE.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    "MS Explorer" = C:\WINNT\System32\MEXPLORE.EXE

  • The virus will modify the registry so that the virus is run every time certain file types are executed -

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\piffile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" /S
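In these shell\open\command values, %1 is the file being opened and %* its arguments, so prefixing the command with CMDE32.EXE makes Windows launch the virus first and hand it the real program to run. The following script, added here as an example and not code from the original advisory, checks an exported registry file for the autorun entries and the association hijack listed above and builds the .reg fragment that restores the clean defaults. It parses the "Windows Registry Editor" text format so it runs offline on any platform; on a live host the keys would first be exported (for example with reg export) and the text fed in. Key paths, dropped file names and expected default values come from the advisory; SAMPLE_EXPORT is a constructed export. One practical point the ordering of cleanup depends on: while the exefile hijack is in place every .exe launch, regedit.exe included, is routed through CMDE32.EXE, so the association must be restored before that file is removed.

```python
"""Detect the Yaha-style autorun entries and shell\\open\\command hijack in
a .reg export, and build a .reg fragment that restores the defaults.
Added example, not the advisory's code; SAMPLE_EXPORT is constructed."""
import re

# Clean shell\open\command defaults per file class, from the advisory's
# "Original value" lines.
EXPECTED_OPEN_COMMAND = {
    "batfile": '"%1" %*',
    "comfile": '"%1" %*',
    "exefile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# Autorun keys the virus writes its "MS Explorer" value into (from the advisory).
RUN_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
]
DROPPED_FILES = ("MEXPLORE.EXE", "CMDE32.EXE")

# Constructed sample export: one hijacked class, one clean class, one
# autorun entry. Backslashes and quotes are escaped as regedit writes them.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINNT\\System32\\CMDE32.EXE\" \"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MS Explorer"="C:\\WINNT\\System32\\MEXPLORE.EXE"
'''

# `@="..."` is the (Default) value, `"Name"="..."` a named REG_SZ value.
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')


def open_command_key(file_class):
    """Registry path of the shell\\open\\command key for a file class."""
    return "\\".join(("HKEY_CLASSES_ROOT", file_class, "shell", "open", "command"))


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: string_data}}.
    Only string values are handled; regedit's \\\\ and \\" escapes are undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(2)
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(3))
    return keys


def check_association_hijack(keys):
    """Return (file_class, current, expected) for every shell\\open\\command
    default present in the export that differs from the clean value."""
    findings = []
    for file_class, expected in EXPECTED_OPEN_COMMAND.items():
        current = keys.get(open_command_key(file_class), {}).get("(Default)")
        if current is not None and current.strip() != expected:
            findings.append((file_class, current, expected))
    return findings


def check_autorun(keys):
    """Return (key, value_name, data) for Run/RunServices values pointing
    at a file the virus drops."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if data.strip().upper().endswith(DROPPED_FILES):
                findings.append((key, name, data))
    return findings


def restore_reg_text(findings):
    """Build a .reg fragment restoring the clean defaults for the hijacked
    classes. Import it before deleting CMDE32.EXE (see note above)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for file_class, _current, expected in findings:
        escaped = expected.replace("\\", "\\\\").replace('"', '\\"')
        lines += ["[" + open_command_key(file_class) + "]", '@="' + escaped + '"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for finding in check_association_hijack(parsed) + check_autorun(parsed):
        print("SUSPICIOUS:", finding)
    print(restore_reg_text(check_association_hijack(parsed)))
```

Running the script on the constructed export reports the exefile hijack and the HKCU Run entry, leaves the untouched scrfile value alone, and prints a .reg fragment that sets exefile\shell\open\command back to "%1" %*.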

  • The virus modifies or creates HOSTS and LMHOSTS files on the infected system so that attempts to reach Microsoft and some antivirus vendor websites are redirected to the local machine -

    127.0.0.1 www.symantec.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.sophos.com
    127.0.0.1 www.avp.ch
    127.0.0.1 www.mcafee.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.pandasoftware.com
    127.0.0.1 www3.ca.com
    127.0.0.1 www.ca.com
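Because the resolver consults the HOSTS file before DNS, each line above silently turns a vendor's update or download site into the local machine. The following check, added here as an example and not code from the original advisory, parses a HOSTS file and reports every public name bound to a loopback address, then produces a cleaned copy. It generalises past the advisory's domain list: any name other than the host's own loopback names that resolves to 127.0.0.0/8 or ::1 is reported, since a legitimate HOSTS file almost never contains such a line. SAMPLE_HOSTS is a constructed file; LMHOSTS has a different syntax and is not covered.

```python
"""Flag HOSTS entries that pin public names to a loopback address, the
technique described above, and strip them out. Added example, not the
advisory's code; SAMPLE_HOSTS is constructed."""
import ipaddress

# Names that legitimately map to a loopback address.
OWN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample: a normal localhost line, three lines in the style
# the virus appends, and an unrelated legitimate entry.
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1\tlocalhost
127.0.0.1 www.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1\twww.mcafee.com   # inline comment
10.0.0.5 intranet.example
"""


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active entry; blank
    lines and comments (whole-line or inline) are ignored."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield line_no, fields[0], [name.lower() for name in fields[1:]]


def loopback_hijacks(text):
    """Return [(line_no, address, name)] for names bound to a loopback
    address (IPv4 127.0.0.0/8 or IPv6 ::1) that are not loopback names."""
    hits = []
    for line_no, address, names in parse_hosts(text):
        try:
            if not ipaddress.ip_address(address).is_loopback:
                continue
        except ValueError:
            continue  # not an IP address: the resolver ignores the line
        hits.extend((line_no, address, n) for n in names if n not in OWN_LOOPBACK_NAMES)
    return hits


def clean_hosts(text):
    """Return the file text with every hijacking line removed and all
    other lines (comments, legitimate entries) kept exactly as they were."""
    bad_lines = {line_no for line_no, _addr, _name in loopback_hijacks(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, address, name in loopback_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {address}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On the sample the three vendor lines are reported with their line numbers and dropped from the cleaned copy, while the localhost line, the comment and the intranet entry survive untouched.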

  • The virus may attempt to browse the network for machines to infect, using imports from MPR.DLL to enumerate systems connected to the network

  • The virus will attempt to scan the hard drive for email addresses - addresses found are saved in a file named "SCHED32.DLL" in the %Windows%\System32 folder

  • The virus will construct varied emails and send them to the addresses found on the infected system - it uses its own SMTP code and attempts to relay through external email servers such as Yahoo's