Description: The Yaha worm family has been known for
some time. For some reason, the Yaha.E variant became rather
common, probably by taking advantage of the distribution
lists created by another worm named KLEZ. Yaha is a mass
mailer that prevents Windows from running executables.
Propagation: Yaha propagates through an e-mail attachment,
offering an unsolicited screensaver. The attachment may
use double extension naming - a deception method known
from previous worms - and the name varies, being selected
from a list that is embedded in the worm. When the attachment
is opened, it drops a copy of itself in the 'recycled' or
Windows directory, with a random name, and registers the
spawn in the registry, chaining itself to the default value
of the key HKEY_CLASSES_ROOT\exefile\shell\open\command.
This way, the worm is re-run every time
the user attempts to run an EXE program, which is how it
prevents Windows from running applications. Once active, the worm uses its own
SMTP engine to mass-mail itself to all recipients in the address
books of your e-mail client, messaging applications, ICQ, etc.
Yaha sometimes uses the 'iframe exploit' method as in KLEZ.
Like most recent worms, Yaha is network aware and will install
itself through Win.ini on PCs with open, unprotected shares!
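The two giveaways of an infection described above, the hijacked exefile open command and the double-extension attachment name, can be checked mechanically. The script below is an added example written for this description, not InVircible's own code; it assumes the stock Windows value of that key is "%1" %* (which it is on a clean system) and uses constructed sample values in place of the worm's random file name.

```python
import re
from typing import Optional, Tuple

# Stock default value of HKEY_CLASSES_ROOT\exefile\shell\open\command on a
# clean Windows system: run the requested program with its arguments.
STOCK_EXEFILE_COMMAND = '"%1" %*'

# Extensions that Windows will execute when the attachment is opened.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def exefile_command_is_hijacked(value: str) -> bool:
    """True when the exefile open command no longer hands the program straight
    to Windows but chains it through another executable first, which is the
    registration Yaha performs on install."""
    normalized = " ".join(value.split())          # collapse stray whitespace
    return normalized != STOCK_EXEFILE_COMMAND


def hijacking_program(value: str) -> Optional[str]:
    """Return the path inserted in front of "%1" %*, or None if the value is stock.
    Handles both quoted and unquoted paths."""
    if not exefile_command_is_hijacked(value):
        return None
    m = re.match(r'\s*("([^"]+)"|(\S+))\s+"%1"\s+%\*\s*$', value)
    if m:
        return m.group(2) or m.group(3)
    return value.strip()                          # unrecognised shape: report all of it


def double_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (decoy_ext, real_ext) when the attachment name carries a decoy
    extension in front of an executable one, e.g. 'friendship.jpg.scr'; else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    _, decoy, real = parts
    if real in EXECUTABLE_EXTS and decoy:
        return (decoy, real)
    return None


if __name__ == "__main__":
    # Constructed sample: a random-named copy dropped in the recycled directory.
    sample_value = r'C:\RECYCLED\zx91kq.exe "%1" %*'
    print("hijacked by:", hijacking_program(sample_value))
    print("attachment:", double_extension("friendship.jpg.scr"))
```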
Giveaways: Yaha infected e-mail is easy to spot.
The Yaha e-mail message may contain text about an unsolicited
"friendship screen saver", or just nonsensical
blabber. The icon representing the attachment shows a green
heart, where displayed. The double extension name of the
attachment, when used, adds no credibility to the
bogus e-mail either. Sensible users will simply discard such e-mail
without giving it a second thought. Since Yaha loads as
a service, it will not show in Task Manager's active
tasks list.
Payload: Yaha has no deliberately destructive payload.
Note, however, that Yaha disables some antivirus applications when
it is allowed to install!
Detection/Prevention: The bogus double extension
name of the attachment is intercepted by IV and its execution
is blocked. Moreover, in the unlikely event that you forced
the installation of the worm, its initialization in the
registry will be reverted by IV Interceptor, and Windows
control over EXE files will resume, without user intervention.
No update of IV is required to counter Yaha!
Cleaning: The "cleaning" of Yaha is done pro-actively
by Interceptor, as described above. To prevent further alarms,
delete the bogus e-mail flagged by IV Interceptor from
your mailbox.
© NetZ Computing, manufacturers of InVircible