W32/Yaha.AA@mm

Analysis

  • The virus is a 32-bit Windows executable with a compressed size of 60,304 bytes
  • The virus may arrive on a system as an email attachment sent from an already infected computer
  • If the virus is run, it writes copies of itself to several locations -

    c:\Documents and Settings\All Users\Start Menu\Programs\Startup\MEXPLORE.EXE
    c:\Documents and Settings\(every user account)\Start Menu\Programs\Startup\MEXPLORE.EXE
    c:\WINNT\system32\CMDE32.EXE
    c:\WINNT\system32\MEXPLORE.EXE

  • The virus then adds Run and RunServices entries to the registry so that it starts automatically at Windows startup -

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
    "MS Explorer" = C:\WINNT\System32\MEXPLORE.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "MS Explorer" = C:\WINNT\System32\MEXPLORE.EXE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
    "MS Explorer" = C:\WINNT\System32\MEXPLORE.EXE

  • The virus also replaces the shell "open" command for several executable file types, so that the virus runs (via CMDE32.EXE) whenever a file of one of those types is executed -

    HKEY_CLASSES_ROOT\batfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\comfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\exefile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\piffile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" %*

    HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    "(Default)" = "C:\WINNT\System32\CMDE32.EXE" "%1" %*

    Original value: "%1" /S

  • The virus modifies or creates the HOSTS and LMHOSTS files on the infected system so that attempts to reach Microsoft and several antivirus vendor websites are redirected to the local host -

    127.0.0.1 www.symantec.com
    127.0.0.1 www.microsoft.com
    127.0.0.1 www.sophos.com
    127.0.0.1 www.avp.ch
    127.0.0.1 www.mcafee.com
    127.0.0.1 www.trendmicro.com
    127.0.0.1 www.pandasoftware.com
    127.0.0.1 www3.ca.com
    127.0.0.1 www.ca.com

  • The virus may attempt to spread across the local network, using imports from MPR.DLL to enumerate systems connected to the network and looking for machines to infect

  • The virus scans the hard drive for email addresses; any addresses found are saved to a file named "SCHED32.DLL" in the %Windows%\System32 folder

  • The virus constructs varied emails and sends them to the contacts harvested from the infected system; it uses its own SMTP code and attempts to relay through external email servers such as Yahoo
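A defender-side check for two of the indicators described above (the replaced shell "open" commands and the HOSTS redirections), added here as an example that is not part of the original Fortinet entry. It parses a .reg export and a HOSTS file offline rather than reading the live registry; the sample inputs are constructed.

```python
import re

# Expected default handlers (the "Original value" entries in the analysis).
EXPECTED_OPEN_COMMAND = {
    "batfile": '"%1" %*', "comfile": '"%1" %*', "exefile": '"%1" %*',
    "piffile": '"%1" %*', "scrfile": '"%1" /S',
}
# Vendor sites the analysis lists as pinned to 127.0.0.1 in HOSTS/LMHOSTS.
REDIRECTED_SITES = {
    "www.symantec.com", "www.microsoft.com", "www.sophos.com", "www.avp.ch",
    "www.mcafee.com", "www.trendmicro.com", "www.pandasoftware.com",
    "www3.ca.com", "www.ca.com",
}
KEY_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')

def hijacked_handlers(reg_export: str) -> dict:
    """Return {file type: command} for handlers whose .reg default differs from expected."""
    findings, key = {}, None
    for line in reg_export.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1).lower()
        elif (m := DEFAULT_RE.match(line)) and key in EXPECTED_OPEN_COMMAND:
            value = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg \" and \\ escaping
            if value != EXPECTED_OPEN_COMMAND[key]:
                findings[key] = value
    return findings

def hosts_redirections(hosts_text: str) -> dict:
    """Return {host: address} for listed vendor sites a HOSTS file maps to loopback."""
    found = {}
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) >= 2 and parts[0].startswith("127."):
            for name in parts[1:]:
                if name.lower() in REDIRECTED_SITES:
                    found[name.lower()] = parts[0]
    return found

# Constructed sample input: a hijacked exefile handler, an untouched batfile
# handler, and a HOSTS file carrying two of the listed redirections.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINNT\\System32\\CMDE32.EXE\" \"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.symantec.com   # added by the worm
127.0.0.1 www.mcafee.com
"""
```

On a live system the same functions can be fed the output of `reg export HKCR\exefile` and the contents of %Windows%\System32\drivers\etc\hosts.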

Telemetry

Detection Availability

Product                     Availability
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR