Threat Encyclopedia

W32/Yaha.Y@mm

Analysis

  • The virus is a 32-bit executable with a compressed file size of 66,048 bytes and is a slight variant of W32/Yaha.X@mm
  • If the virus is run, it uses imports from PSAPI.DLL to enumerate threads and processes and then attempts to terminate them - the targeted processes belong to antivirus or utility application software
  • The virus may write itself into the %Windows%\System32 folder -

    C:\WINNT\System32\EXEWIN32.EXE
    C:\WINNT\System32\EXPLORERE.EXE

  • The virus may replace the content of .HTM or .HTML files with the following HTML -

    <BR><BR><BR><CENTER><B><U> Ha..Ha..Haaa...</CENTER></U></B>

  • The virus may harvest email addresses from the hard drive, looking in places such as the registry and various files on the infected system - the harvested addresses are used to send emails with variable subject and body text and an infectious attachment

  • The virus reads MSN Messenger and Yahoo contact names from the registry

  • The virus may parse UIN files associated with ICQ chat client and retrieve email addresses

  • As with the Yaha.X variant, the virus creates two files, "HOSTS." and "LMHOSTS." - these files contain name-resolution entries so that attempts to browse to the following sites redirect the browser to 127.0.0.1 -

    www.symantec.com
    www.microsoft.com
    www.sophos.com
    www.kaspersky.com
    www.avp.ru
    www.avp.com
    www.mcafee.com
    www.nai.com
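
The HOSTS/LMHOSTS tampering above is straightforward to check for. The script below is an added example, not part of this write-up or any vendor tool: it parses hosts-file text, reports any of the listed vendor hostnames pinned to a loopback address (generalising slightly to cover IPv6 ::1 as well as 127.0.0.1), and can optionally scan the live files under %SystemRoot%\System32\drivers\etc, which is assumed here as the standard location. The embedded sample file is constructed, not a capture from an infected machine.

```python
"""Hunt for HOSTS/LMHOSTS entries that sinkhole security-vendor sites.

Added example, not code from the Yaha write-up. Parses hosts-style text and
reports vendor hostnames resolved to a loopback address. SAMPLE_HOSTS below
is constructed for demonstration.
"""
import ipaddress
import os

# Hostnames the write-up says Yaha.X/Y points at 127.0.0.1.
VENDOR_DOMAINS = frozenset({
    "www.symantec.com", "www.microsoft.com", "www.sophos.com", "www.kaspersky.com",
    "www.avp.ru", "www.avp.com", "www.mcafee.com", "www.nai.com",
})

# Constructed sample (not from an infected host): a benign localhost line,
# two vendor names sinkholed to IPv4 loopback, one to IPv6 loopback, and one
# redirected elsewhere. LMHOSTS uses the same "<ip> <name>" layout, so the
# same parser is applied to it.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1\twww.mcafee.com   # appended by malware
::1 www.sophos.com
192.0.2.10 www.microsoft.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping in hosts-style text.
    '#' starts a comment, which also discards LMHOSTS keywords such as #PRE."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed or not a mapping
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def find_vendor_entries(text, watch=VENDOR_DOMAINS):
    """Map each watched hostname present in the file to the address it is pinned to.
    A clean hosts file carries none of these names, so any entry is suspicious."""
    return {name: str(ip) for ip, name in parse_hosts(text) if name in watch}


def find_sinkholed(text, watch=VENDOR_DOMAINS):
    """Sorted watched hostnames pinned to a loopback address (127.0.0.0/8 or ::1),
    the exact symptom the write-up describes."""
    return sorted(name for ip, name in parse_hosts(text)
                  if name in watch and ip.is_loopback)


def check_local_hosts_files():
    """On Windows, scan the live HOSTS and LMHOSTS files; elsewhere return {}.
    The %SystemRoot% path is assumed to be the standard location."""
    results = {}
    etc = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc")
    for fname in ("hosts", "lmhosts"):
        path = os.path.join(etc, fname)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[fname] = find_sinkholed(fh.read())
    return results


if __name__ == "__main__":
    print("sinkholed in sample:", find_sinkholed(SAMPLE_HOSTS))
    print("live system:", check_local_hosts_files())
```

Only the vendor names are flagged, since a legitimate hosts file maps localhost to 127.0.0.1 as well; find_vendor_entries additionally lists vendor names pointed anywhere else, which a clean file never contains.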

  • The virus modifies the registry to increase the likelihood of being executed repeatedly - when a file with a .BAT, .EXE or .COM extension is run, the virus runs first and the original file may or may not execute -

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "@" = "C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "@" = "C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "@" = "C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*

    Original value for "@" in the above keys = "%1" %*
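
The handler hijack above can be audited by comparing each class's default command with the stock "%1" %* value. The script below is an added example, not part of this write-up or any vendor tool: the classification functions run anywhere on sample strings, and read_open_commands reads the live values through the standard-library winreg module on Windows only. The sample values are constructed, using the EXEWIN32.EXE path shown above.

```python
r"""Audit the HKCR\<class>\shell\open\command handlers that Yaha.Y replaces.

Added example, not code from the write-up. Classifies the default value of the
batfile, comfile and exefile open commands; SAMPLE_VALUES is constructed.
"""
import re
import sys

FILE_CLASSES = ("batfile", "comfile", "exefile")

# Stock handlers simply pass the file and its arguments through. Some Windows
# builds register batfile with "%1" alone, so both forms count as clean.
STOCK_COMMANDS = frozenset({'"%1" %*', '"%1"'})

# First token of a command line: a quoted path or a bare one.
_LEADING = re.compile(r'^\s*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))')


def classify_open_command(value):
    """Return ('clean', None) for a stock handler, otherwise ('hijacked', program)
    where program is the executable interposed in front of every launched file."""
    normalized = " ".join(value.split())  # whitespace differences are not evidence
    if normalized in STOCK_COMMANDS:
        return "clean", None
    m = _LEADING.match(value)
    program = (m.group("quoted") or m.group("bare")) if m else None
    return "hijacked", program


def audit_open_commands(values):
    """values: {file_class: default command string}.
    Returns {file_class: interposed program} for every replaced handler."""
    hijacked = {}
    for cls, cmd in values.items():
        state, program = classify_open_command(cmd)
        if state == "hijacked":
            hijacked[cls] = program
    return hijacked


def read_open_commands(classes=FILE_CLASSES):
    """Read the live default values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    values = {}
    for cls in classes:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, cls + r"\shell\open\command") as key:
                values[cls], _ = winreg.QueryValueEx(key, "")  # "" = the (Default) value
        except OSError:
            pass  # class not registered on this system; nothing to audit
    return values


# Constructed sample: exefile hijacked as the write-up shows, the other two stock
# (comfile with extra whitespace, which must not be reported).
SAMPLE_VALUES = {
    "batfile": '"%1" %*',
    "comfile": '"%1"  %*',
    "exefile": r'"C:\WINDOWS\SYSTEM\EXEWIN32.EXE" "%1" %*',
}

if __name__ == "__main__":
    print("sample:", audit_open_commands(SAMPLE_VALUES))
    print("live:", audit_open_commands(read_open_commands()))
```

One cleanup caveat follows directly from the hijack: while these values point at EXEWIN32.EXE, deleting that file leaves every .EXE, .COM and .BAT launch failing, so restore the default "%1" %* value in all three keys before removing the dropped executables.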