Virus

W32/Yaha.G@mm

Analysis

  • Virus is 32bit, with a UPX compressed size of 29,112 bytes
  • Virus icon resembles that of a lime-green heart
  • Virus may search the following list and attempt to terminate any name-matching process running in memory -

    _ANTIVIR
    ATRACK
    AVCONSOL
    AVP.EXE
    AVP32
    AVSYNMGR
    CFINET
    CFINET32
    F-PROT95
    FP-WIN
    F-STOPW
    IAMAPP
    ICMON
    IOMON98
    IRC32
    LOCKDOWN2000
    LUALL
    LUCOMSERVER
    MCAFEE
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NISSERV
    NISUM
    NMAIN
    NORTON
    NVC95
    PCCIOMON
    PCCMAIN
    PCCWIN98
    POP3TRAP
    PVIEW95
    RESCUE32
    SAFEWEB
    SCAM32
    SYMPROXYSVC
    VSHWIN32
    VSSTAT
    WEBSCANX
    WEBTRAP
    WINK
    ZONEALARM

  • Virus may copy itself to the Recycle Bin folder (normally named C:\Recycled) as a random name and modify the registry to run this any time an EXE file is run, as in this example -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ""c:\recycled\kqqr" undefined1 undefined*"

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text.

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is opened or previewed in Outlook -

    • The email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file.

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option