W32/Yaha.J@mm

Analysis

• Virus is 32bit, with a UPX compressed size of 25,746 bytes
  
• Virus icon resembles that of a lime-green heart
  
• Virus may search the following list and attempt to terminate any name-matching process running in memory -

ALERTSVC
AMON.EXE
ANTIVIR
APACHE.EXE
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVPCC.EXE
AVPM.EXE
AVSYNMGR
CFINET
CFINET32
ESAFE.EXE
F-PROT95
FP-WIN
FRW.EXE
F-STOPW
IAMAPP
IAMSERV.EXE
ICMON
IOMON98
LOCKDOWN2000
LOCKDOWNADVANCED
LUALL
LUCOMSERVER
MCAFEE
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NORTON
NSCHED32
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
PCFWALLICON
POP3TRAP
PVIEW95
RESCUE32
SAFEWEB
SCAN32
SYMPROXYSVC
TDS2-98
TDS2-NT
VETTRAY
VSECOMR
VSHWIN32
VSSTAT
WEBSCANX
WEBTRAP
ZONEALARM

• Virus may copy itself to the Windows\System folder as "nav32.exe", and modify the registry to run this any time an EXE file is run -

HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = ""C:\Windows\System\nav32.exe" undefined1 undefined*"

• Virus modifies the registry to run at Windows startup -

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
  CurrentVersion\Run\
  winreg = C:\Windows\System\winreg.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\
winreg = C:\Windows\System\winreg.exe

• Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  
• Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook - the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file