W32/Yaha.C@mm

Analysis

• Virus is 32bit, with a UPX compressed size of 27,864 bytes
  
• When virus is executed, it may enumerate threads in memory and attempt to terminate the ones matching this list –

  
  ANTIVIR
  ATRACK
  F-PROT95
  FP-WIN
  F-STOPW
  IAMAPP
  IOMON98
  LUALL
  LUCOMSERVER
  MCAFEE
  NAVAPSVC
  NAVAPW32
  NAVLU32
  NAVRUNR
  NAVW32
  NAVWNT
  NISSERV
  NISUM
  NMAIN
  NORTON
  NVC95
  PCCIOMON
  PCCMAIN
  PCCWIN98
  POP3TRAP
  PVIEW95
  RESCUE32
  SYMPROXYSVC
  WEBTRAP

• Virus will then copy itself as a hidden file into the Recycle Bin folder as a random six letter file name and modify the registry to run a copy of the virus any time an EXE file is run, as in this example –

  HKEY_CLASSES_ROOT\exefile\shell\open\command
  (Default) = “c:\recycled\xxxxxx” undefined1 undefined*

  * Where “xxxxxx” is the name of the file created in the Recycle Bin and the path “recycled” could also be “recycler”

• Virus will attempt to locate machines on the local network which have a writeable drive, particularly a Windows folder with a WIN.INI – if a system is found, the virus will attempt to copy itself to that system as “mstaskee.exe” and modify the WIN.INI to load the file at next Windows startup
  
• Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  
• The virus may also scavenge information retrieved from the registry such as contacts from MSN Messenger –

  HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\
  ListCache\.NET Messenger Service

• Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook – the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file
  
• Virus may use one of several Asian-based email servers in order to distribute itself – the server names are hard-coded into the virus
  
• Virus may write a small text file into the Windows folder with this content –

  <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
  W32.YAHA-III
  Author :H^H,h2h@achayans.com
  Origin :India,Kerala
  I like Klez,Sircam,But i hate the bullshit payloads
  Is i am a good coder?? still i have dout huhh!!!
  Beware Indian Hackers..Tomarrow is ours!!!
  <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>