W32/Yaha.K@mm
Analysis
- Virus is 32-bit, with a UPX compressed size of 34,304 bytes
- Virus icon resembles that of a blue heart
- Virus may search the following list and attempt to terminate any name-matching process running in memory -
_AVP32
_AVPCC
_AVPM
ACKWIN32
ALERTSVC
AMON.EXE
ANTIVIR
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVPCC.EXE
AVPM.EXE
AVSYNMGR
CFINET
CFINET32
ESAFE.EXE
F-AGNT95
F-PROT95
FP-WIN
FRW.EXE
F-STOPW
IAMAPP
IAMSERV.EXE
ICMON
IOMON98
LOCKDOWN2000
LOCKDOWNADVANCED
LUALL
LUCOMSERVER
MCAFEE
N32SCANW
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NOD32
NORTON
NPSSVC
NRESQ32
NSCHED32
NSCHEDNT
NSPLUGIN
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
PCFWALLICON
POP3TRAP
PVIEW
PVIEW95
REGEDIT
RESCUE32
RMVTRJAN
SAFEWEB
SCAN32
SWEEP95
SYMPROXYSVC
TDS2-98
TDS2-NT
VET95
VETTRAY
VSECOMR
VSHWIN32
VSSTAT
WEBSCANX
WEBTRAP
ZONEALARM
- Virus may copy itself to the Windows\System folder as "winservices.exe", and modify the registry to run this any time an EXE file is run -
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = ""C:\Windows\System\winservices.exe" %1 %*"
- Virus modifies the registry to run at Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
winservices = C:\Windows\System\winservices.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
winservices = C:\Windows\System\winservices.exe
- Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
- Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed.
- In Outlook - the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file.
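Added example, not part of the original analysis page: a small Python checker that parses a .reg export offline and flags the two registry changes described above, the hijacked EXE open command (anything other than the stock `"%1" %*`) and Run/RunServices entries pointing at winservices.exe. The .reg text is constructed for illustration.

```python
import re

# Constructed sample .reg export (not from the page) containing the keys the
# analysis above says W32/Yaha.K@mm modifies, plus one benign Run entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Windows\\System\\winservices.exe\" %1 %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winservices"="C:\\Windows\\System\\winservices.exe"
"Notepad"="C:\\Windows\\notepad.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"winservices"="C:\\Windows\\System\\winservices.exe"
'''
EXE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXE_COMMAND = '"%1" %*'  # stock Windows value for the EXE open command
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Matches  @="data"  (default value) or  "name"="data"  (string value).
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Parse a .reg export into {key (lower-cased): {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and (m := _VALUE_RE.match(line)):
            name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _unescape(m.group(2))
    return keys

def find_yaha_indicators(text):
    """Flag a non-stock EXE open command and winservices.exe autorun entries."""
    keys, findings = parse_reg(text), []
    cmd = keys.get(EXE_COMMAND_KEY.lower(), {}).get("(Default)")
    if cmd is not None and cmd.strip().lower() != CLEAN_EXE_COMMAND:
        findings.append(("exefile hijack", cmd))
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if "winservices.exe" in data.lower():
                findings.append(("autorun", f"{key}\\{name} = {data}"))
    return findings
```

On a live system the same checks apply to an export produced with `reg export` of those keys; restoring the exefile command to `"%1" %*` before deleting the file avoids breaking execution of every EXE.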