Virus

W32/Yaha.K@mm

Analysis

  • Virus is 32bit, with a UPX compressed size of 34,304 bytes
  • Virus icon resembles that of a blue heart
  • Virus may search the following list and attempt to terminate any name-matching process running in memory -

    _AVP32
    _AVPCC
    _AVPM
    ACKWIN32
    ALERTSVC
    AMON.EXE
    ANTIVIR
    ATRACK
    AVCONSOL
    AVP.EXE
    AVP32
    AVPCC.EXE
    AVPM.EXE
    AVSYNMGR
    CFINET
    CFINET32
    ESAFE.EXE
    F-AGNT95
    F-PROT95
    FP-WIN
    FRW.EXE
    F-STOPW
    IAMAPP
    IAMSERV.EXE
    ICMON
    IOMON98
    LOCKDOWN2000
    LOCKDOWNADVANCED
    LUALL
    LUCOMSERVER
    MCAFEE
    N32SCANW
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    NAVWNT
    NISSERV
    NISUM
    NMAIN
    NOD32
    NORTON
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    NVC95
    PCCIOMON
    PCCMAIN
    PCCWIN98
    PCFWALLICON
    POP3TRAP
    PVIEW
    PVIEW95
    REGEDIT
    RESCUE32
    RMVTRJANSAFEWEB
    SCAN32
    SWEEP95
    SYMPROXYSVC
    TDS2-98
    TDS2-NT
    VET95
    VETTRAY
    VSECOMR
    VSHWIN32
    VSSTAT
    WEBSCANX
    WEBTRAP
    ZONEALARM

  • Virus may copy itself to the Windows\System folder as "winservices.exe", and modify the registry to run this any time an EXE file is run -
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = ""C:\Windows\System\winservices.exe" undefined1 undefined*"

  • Virus modifies the registry to run at Windows startup -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run\
    winservices = C:\Windows\System\winservices.exe

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\RunServices\
    winservices = C:\Windows\System\winservices.exe

  • Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, based on a randomly selected subject line and body text
  • Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened, or previewed.
  • In Outlook - the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file.