Virus

W32/Yaha.C@mm

Analysis

  • Virus is 32bit, with a UPX compressed size of 27,864 bytes
  • When virus is executed, it may enumerate threads in memory and attempt to terminate the ones matching this list –
    ANTIVIR
    ATRACK
    F-PROT95
    FP-WIN
    F-STOPW
    IAMAPP
    IOMON98
    LUALL
    LUCOMSERVER
    MCAFEE
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NISSERV
    NISUM
    NMAIN
    NORTON
    NVC95
    PCCIOMON
    PCCMAIN
    PCCWIN98
    POP3TRAP
    PVIEW95
    RESCUE32
    SYMPROXYSVC
    WEBTRAP

  • Virus will then copy itself as a hidden file into the Recycle Bin folder as a random six letter file name and modify the registry to run a copy of the virus any time an EXE file is run, as in this example –

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = “c:\recycled\xxxxxx” %1 %*

    * Where “xxxxxx” is the name of the file created in the Recycle Bin and the path “recycled” could also be “recycler”

  • Virus will attempt to locate machines on the local network which have a writeable drive, particularly a Windows folder with a WIN.INI – if a system is found, the virus will attempt to copy itself to that system as “mstaskee.exe” and modify the WIN.INI to load the file at next Windows startup
  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  • The virus may also scavenge information retrieved from the registry such as contacts from MSN Messenger –

    HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\
    ListCache\.NET Messenger Service

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook – the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file
  • Virus may use one of several Asian-based email servers in order to distribute itself – the server names are hard-coded into the virus
  • Virus may write a small text file into the Windows folder with this content –

    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
    W32.YAHA-III
    Author :H^H,h2h@achayans.com
    Origin :India,Kerala
    I like Klez,Sircam,But i hate the bullshit payloads
    Is i am a good coder?? still i have dout huhh!!!
    Beware Indian Hackers..Tomarrow is ours!!!
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
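Added example, not part of the original analysis: a Python check for the two persistence changes described above, the EXE file-association hijack pointing into the Recycle Bin and the WIN.INI entry loading mstaskee.exe, run here against constructed sample values. The `winreg` read of the live key and the choice of `load=`/`run=` as the WIN.INI keys to inspect are assumptions.

```python
import re
import sys

# Stock handler for EXE files: launch the clicked program with its arguments.
EXPECTED_EXEFILE_COMMAND = '"%1" %*'

# A Recycle Bin path (recycled or recycler) inserted in front of %1 %*.
_RECYCLE_HIJACK_RE = re.compile(
    r'^\s*"?(?P<path>[a-z]:\\recycle[dr]\\[^\\"\s]+)"?\s+"?%1"?\s+%\*\s*$', re.IGNORECASE)

def exefile_command_hijacked(value):
    """True if the exefile\\shell\\open\\command default no longer runs %1 directly."""
    return value.strip() != EXPECTED_EXEFILE_COMMAND

def recycle_bin_handler(value):
    """Return the Recycle Bin file the EXE handler was redirected to, else None."""
    m = _RECYCLE_HIJACK_RE.match(value)
    return m.group("path") if m else None

def win_ini_loads(win_ini_text, filename="mstaskee.exe"):
    """True if a load= or run= line in [windows] references filename (assumed keys)."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() in ("load", "run") and filename.lower() in val.lower():
                return True
    return False

def read_exefile_command():
    """Read the live default value on Windows; winreg is Windows-only (assumption)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]

# Constructed samples mirroring the write-up, not taken from a real infection.
SAMPLE_HIJACKED = '"c:\\recycled\\xxxxxx" %1 %*'
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\mstaskee.exe\nrun=\n"

if __name__ == "__main__":
    value = read_exefile_command() if sys.platform == "win32" else SAMPLE_HIJACKED
    print("EXE handler hijacked:", exefile_command_hijacked(value), recycle_bin_handler(value))
    print("WIN.INI loads mstaskee.exe:", win_ini_loads(SAMPLE_WIN_INI))
```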