Virus

W32/Yaha.A@mm

Analysis

  • The virus is a 32-bit Windows executable; the UPX-compressed file is 20,992 bytes
  • The virus may copy itself to the Recycle Bin folder, normally C:\Recycled, under these file names:
  • MSMDM.EXE
    MSSCRA.EXE

  • and modifies the registry so that a copy of the virus is launched every time an EXE file is run, for example:
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ""c:\recycled\msmdm" %1 %*"
    (On a clean system this value is ""%1" %*"; with the virus path inserted in front, the dropped file runs first and receives the program the user actually launched as its argument)

  • Next, the virus scans the local drive for email addresses and sends a copy of itself to each address found, with the subject line and body text chosen at random from a built-in list
  • The message is crafted to use an exploit that causes the attachment to launch automatically when the message is opened or merely previewed in Outlook; the message also carries an additional attachment, typically a file with an .HTM extension, which is clean and non-infectious
  • The email is sent in this format -
  • Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver
    Body:
    Hi
    Check this screen saver
    Happy Valentines day
    See u
    Attachment: Valentin.scr

  • The virus may use one of several hard-coded SMTP servers in Asia to distribute itself; the servers are located in countries including Korea, Singapore, China and Taiwan
  • The virus contains the following text strings -

    Happy Valentines Day enjoy!!!!
    $ Author : No payloads,then what
    Remov:HKCR\exefile\shell\open\command="%1" %*
    Del c:\recycled\msmdm.exe,msscra.exe
    hahha very simpile yaa $
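The registry change described above (an executable inserted in front of the "%1" %* placeholders of exefile\shell\open\command) and the removal strings the virus carries both come down to one check: is the EXE launch command still the clean default, and if not, what was put in front of it? The following Python is an added example written for this page, not code from the original analysis or from any vendor tool. It parses the registry value offline on constructed sample values (the "yaha_a_alt" sample is an assumed variant using the second dropped file name, not a value taken from the page), reports the hijacking executable, matches it against the file names listed above, and produces the remediation steps the virus's own strings describe. The hypothetical read_live_exefile_command helper uses the standard winreg module and only does anything on Windows.

```python
import sys

# Clean default of HKEY_CLASSES_ROOT\exefile\shell\open\command on Windows.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Recycle Bin file names attributed to W32/Yaha.A@mm on this page.
YAHA_DROPPED_FILES = ("msmdm.exe", "msscra.exe")

# Constructed sample values (not captured from a real system).
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "yaha_a": '"c:\\recycled\\msmdm" %1 %*',            # as described on the page
    "yaha_a_alt": '"C:\\Recycled\\MSSCRA.EXE" "%1" %*',  # assumed variant
}


def split_windows_command(value):
    """Split a registry command string into tokens: double quotes group a
    token, whitespace separates tokens, backslash is NOT an escape char."""
    tokens, cur, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def analyse_exefile_command(value):
    """Return (modified, hijacker_path).

    A clean value tokenises to exactly ['%1', '%*'].  Anything else is
    reported as modified; the hijacker is the first token in front of the
    %1 placeholder, i.e. the program that now runs on every EXE launch."""
    tokens = split_windows_command(value)
    lowered = [t.lower() for t in tokens]
    if lowered == ["%1", "%*"]:
        return False, None
    idx = lowered.index("%1") if "%1" in lowered else len(tokens)
    prefix = tokens[:idx]
    return True, (prefix[0] if prefix else None)


def matches_yaha_dropper(path):
    """True if the hijacker's file name is one the page attributes to Yaha.A.
    The registry value on the page omits the .exe extension, which
    CreateProcess supplies, so it is added here before comparing."""
    if not path:
        return False
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        name += ".exe"
    return name in YAHA_DROPPED_FILES


def remediation_plan(value):
    """Mirror the removal steps in the virus's own strings: restore the
    default command and delete the dropped files.  Restoring the registry
    value first matters, otherwise no EXE (including the cleanup tool)
    can start without passing through the dropped file."""
    modified, hijacker = analyse_exefile_command(value)
    if not modified:
        return []
    steps = ['set HKCR\\exefile\\shell\\open\\command (Default) = ' + CLEAN_EXEFILE_COMMAND]
    if matches_yaha_dropper(hijacker):
        steps += ["delete c:\\recycled\\" + f for f in YAHA_DROPPED_FILES]
    else:
        steps.append("investigate unexpected hijacker: %r" % (hijacker,))
    return steps


def read_live_exefile_command():
    """Hypothetical helper: on Windows read the live value via winreg;
    elsewhere return None so the example stays runnable offline."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
        return value


if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        modified, hijacker = analyse_exefile_command(value)
        print(label, "modified=%s hijacker=%r yaha=%s" % (modified, hijacker, matches_yaha_dropper(hijacker)))
        for step in remediation_plan(value):
            print("   ", step)
```

The tokeniser is deliberately not shlex: Windows paths contain backslashes, and POSIX-style escape handling would silently corrupt C:\recycled\msmdm into c:recycledmsmdm and miss the match.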