W32/Yaha.C@mm
Analysis
- Virus is 32-bit, with a UPX-compressed size of 27,864 bytes
- When the virus is executed, it may enumerate threads in memory and attempt to terminate the ones matching this list –
ANTIVIR
ATRACK
F-PROT95
FP-WIN
F-STOPW
IAMAPP
IOMON98
LUALL
LUCOMSERVER
MCAFEE
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NORTON
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
POP3TRAP
PVIEW95
RESCUE32
SYMPROXYSVC
WEBTRAP
- Virus will then copy itself as a hidden file into the Recycle Bin folder under a random six-letter file name and modify the registry to run a copy of the virus any time an EXE file is run, as in this example –
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "c:\recycled\xxxxxx" %1 %*
* Where "xxxxxx" is the name of the file created in the Recycle Bin and the path "recycled" could also be "recycler"
- Virus will attempt to locate machines on the local network which have a writeable drive, particularly a Windows folder with a WIN.INI – if a system is found, the virus will attempt to copy itself to that system as "mstaskee.exe" and modify the WIN.INI to load the file at next Windows startup
- Next, the virus will scavenge the local drive for email addresses and send a copy of itself to addresses found in varying email formats, using a randomly selected subject line and body text
- The virus may also scavenge information retrieved from the registry, such as contacts from MSN Messenger –
HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger\ListCache\.NET Messenger Service
- Message is structured such that it uses an exploit which will cause the attachment to launch automatically when the message is either opened or previewed in Outlook – the email message will have an additional file attachment, typically a file with .HTM extension, which is a clean and non-infectious file
- Virus may use one of several Asian-based email servers in order to distribute itself – the server names are hard-coded into the virus
- Virus may write a small text file into the Windows folder with this content –
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
W32.YAHA-III
Author :H^H,h2h@achayans.com
Origin :India,Kerala
I like Klez,Sircam,But i hate the bullshit payloads
Is i am a good coder?? still i have dout huhh!!!
Beware Indian Hackers..Tomarrow is ours!!!
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
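The registry change and the WIN.INI modification described in the bullets above, as an added example that is not part of the original analysis: offline Python checks that flag an exefile open command redirected through the Recycle Bin and list the programs WIN.INI would start. The six-letter name "abcdef" and the WIN.INI text are constructed sample values, not data taken from the page.

```python
import re
from typing import List, Optional

# Default data of HKCR\exefile\shell\open\command on a clean Windows install.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Launcher placed in the Recycle Bin folder; the analysis notes the folder
# may be "recycled" or "recycler", so both spellings are accepted.
RECYCLER_RE = re.compile(r'^\s*"?([a-z]:\\recycle[dr]\\[^"\s]+)"?', re.IGNORECASE)

def exefile_hijacked(command_value: str) -> bool:
    """True when EXE launches are routed through anything other than the
    default '"%1" %*', which is the state the registry change above creates."""
    return command_value.strip() != CLEAN_EXEFILE_COMMAND

def recycler_launcher(command_value: str) -> Optional[str]:
    """Return the Recycle Bin launcher path named in the command value, if any."""
    m = RECYCLER_RE.match(command_value)
    return m.group(1) if m else None

def winini_startup_entries(win_ini_text: str) -> List[str]:
    """Return every program listed on load= or run= in [windows] of WIN.INI;
    both keys run at Windows startup, which is how the worm-written entry
    (mstaskee.exe in the analysis) persists on a remote machine."""
    entries: List[str] = []
    section = ""
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("load", "run"):
            entries.extend(p for p in re.split(r"[,\s]+", value) if p)
    return entries

# Constructed sample values (not real captures) mirroring the infected state.
SAMPLE_EXEFILE_COMMAND = '"c:\\recycled\\abcdef" %1 %*'
SAMPLE_WIN_INI = "[windows]\nload=c:\\windows\\mstaskee.exe\nrun=\n[Desktop]\nWallpaper=(None)\n"

if __name__ == "__main__":
    print("exefile hijacked:", exefile_hijacked(SAMPLE_EXEFILE_COMMAND),
          "via", recycler_launcher(SAMPLE_EXEFILE_COMMAND))
    print("WIN.INI startup entries:", winini_startup_entries(SAMPLE_WIN_INI))
```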