Virus

W32/Yaha.J@mm

Analysis

  • Virus is 32bit, with a UPX compressed size of 25,746 bytes
  • Virus icon resembles that of a lime-green heart
  • Virus may search the following list and attempt to terminate any name-matching process running in memory -
  • ALERTSVC
    AMON.EXE
    ANTIVIR
    APACHE.EXE
    ATRACK
    AVCONSOL
    AVP.EXE
    AVP32
    AVPCC.EXE
    AVPM.EXE
    AVSYNMGR
    CFINET
    CFINET32
    ESAFE.EXE
    F-PROT95
    FP-WIN
    FRW.EXE
    F-STOPW
    IAMAPP
    IAMSERV.EXE
    ICMON
    IOMON98
    LOCKDOWN2000
    LOCKDOWNADVANCED
    LUALL
    LUCOMSERVER
    MCAFEE
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NISSERV
    NISUM
    NMAIN
    NORTON
    NSCHED32
    NVC95
    PCCIOMON
    PCCMAIN
    PCCWIN98
    PCFWALLICON
    POP3TRAP
    PVIEW95
    RESCUE32
    SAFEWEB
    SCAN32
    SYMPROXYSVC
    TDS2-98
    TDS2-NT
    VETTRAY
    VSECOMR
    VSHWIN32
    VSSTAT
    WEBSCANX
    WEBTRAP
    ZONEALARM

  • Virus may copy itself to the Windows\System folder as "nav32.exe", and modify the registry to run this any time an EXE file is run -

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ""C:\Windows\System\nav32.exe" undefined1 undefined*"

  • Virus modifies the registry to run at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    winreg = C:\Windows\System\winreg.exe

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    winreg = C:\Windows\System\winreg.exe

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed in Outlook - the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file