virus logo Virus

W32/Yaha.Q@mm

description-logoAnalysis

  • Virus is 32bit, with a compressed size of 44,544 bytes
  • Virus icon resembles that of a TXT file associated with Notepad
  • Virus may search the following list and attempt to terminate several Antivirus or firewall related applications, based on a table of names
  • Virus may copy itself to the Windows\System folder as “exeLoader.exe”, and modify the registry to run this any time an EXE file is run –

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ““C:\Windows\System\exeLoader.exe””undefined1“undefined*

    * original value for above was
    (Default) = “undefined1” undefined*

  • Virus modifies the registry to run at Windows startup –

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows Task = C:\Windows\System\wintask32.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Windows Task = C:\Windows\System\wintask32.exe

  • Virus will create additional keys in the system registry –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Snakes\
    Author = R0xx
    Comments = This system belongs to the great Indians…
    Version = 2.01 Beta
    Web = http://www.indiansnakes.cjb.net
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZoneCheck\
    (Default) = pakistan.gov.pk

  • HKEY_LOCAL_MACHINE\Software\Microsoft\WinVer\
    (Default) = xbthsn

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text

  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook

recommended-action-logoRecommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR
ID 6934
Released May 12, 2003
Description
Updated		 Dec 07, 2004
Aliases W32.Yaha.P@mm [NAV], W32/Lentin.Q@mm [F-Prot], W32/Yaha-R [Sophos], W32/Yaha.Q@mm, Win32/Yaha.O@mm [GeCAD], Yaha.R@mm [Norman]
Platform Profile Win32 file format / PE 32 bit