Virus

W32/Yaha.B@mm

Analysis

  • Virus is 32bit, with a UPX compressed size of 23,320 bytes
  • Virus may copy itself to the Recycle Bin folder as a random five letter file name
    and modify the registry to run a copy of the virus any time an EXE file is run, as in this example -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ""c:\recycled\xxxxx" undefined1 undefined*"

    * Where "xxxxx" is the name of the file created in the Recycle Bin.

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook.

  • The email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file

    Email will be sent in this format -
    Subject: Enjoy this friendship-joke Screen Saver!!!!
    or
    Subject: Fw: Enjoy this friendship-joke Screen Saver!!!!
    or
    Subject: Have a nice day!!!

    Body:
    Hi Dear
    Check this Attachement and enjoy!!!
    See u
    Attachment: friends.scr

  • Virus may use one of several Asian-based email servers in order to distribute itself - the server names are hard-coded into the virus
  • Virus contains the following strings -

    lol lol lol lol lol lol
    Stupid AVs, They don't know what my worm is doing
    Who the hell named my valentine worm to yaha?
    LOL ,Still I am not a SW Prof.
    All the Stupid SW Profs that thinks they r the masters
    Dedicated to
    Origin : India,Kerala
    Author : H^H ,h2h
    W32.Yaha-II