Virus

W32/Yaha.E@mm

Analysis

  • Virus is 32bit with a UPX compressed size of 27,138 bytes
  • When executed, virus may attempt to disable processes which might match the following names -

    ANTIVIR
    ATRACK
    AVCONSOL
    AVP.EXE
    AVP32
    AVSYNMGR
    CFINET
    CFINET32
    F-PROT95
    FP-WIN
    F-STOPW
    IAMAPP
    ICMON
    IOMON98
    LOCKDOWN2000
    LUALL
    LUCOMSERVER
    MCAFEE
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NISSERV
    NISUM
    NMAIN
    NORTON
    NVC95
    PCCIOMON
    PCCMAIN
    PCCWIN98
    POP3TRAP
    PVIEW95
    RESCUE32
    SAFEWEB
    SYMPROXYSVC
    VSHWIN32
    VSSTAT
    WEBSCANX
    WEBTRAP
    ZONEALARM

  • Virus may copy itself to the Recycle Bin folder as a random six letter file name
    and modify the registry to run a copy of the virus any time an EXE file is run, as in this example -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ""c:\recycled\xxxxxx" undefined1 undefined*"

    * Where "xxxxxx" is the name of the file created in the Recycle Bin.

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text.

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook -

    • The email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file.

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option