
Yarner Worm, 19/2/02

 

Infection Level: High
Payload Threat Level: Medium-High
------------------------------------------------------

OVERVIEW
There is a dangerous new worm called Yarner circulating mainly in Germany. It is an executable file that arrives as an e-mail attachment. Yarner pretends to be an installation file for a well-known Trojan cleaning tool. The German e-mail message looks like a newsletter sent by the Webmaster of the Internet security company. The German security company is innocent. Finjan Software warns users that software companies never send executables as e-mail attachments.

The subject line for the Yarner worm is: "Trojaner-Info Newsletter [Current Date] ". The German content of the e-mail states: Hallo ! Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. Hier die Themen im Ueberblick: 01. YAW 2.0 - Unser Dialerwarner in neuer Version. (In English: Hello! Welcome to the latest newsletter edition of the website Trojaner-Info.de. Here are the topics at a glance: 01. YAW 2.0 - our dialer warner in a new version.) The attached file is: yawsetup.exe.

Seven variants of Yarner have been found. Yarner collects e-mail addresses from the Outlook address book and from .pl, .php, .htm, .shtm, and .cgi files found on the local machine. Yarner spreads using its own built-in SMTP client, sending through either the system's default SMTP server or its own SMTP server. Yarner may try to delete all files on drive C. Yarner copies itself over notepad.exe and copies the original Notepad application to notedpad.exe.

TECHNICAL OVERVIEW

Yarner sends the following e-mail message to all collected e-mail addresses:

From: webmaster@trojaner-info.de (This is a faked e-mail header)
Subject: "Trojaner-Info Newsletter [Current Date] "
Body: " Hallo ! Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. Hier die Themen im Ueberblick: 01. YAW 2.0 - Unser Dialerwarner in neuer Version…"
Attachment name: yawsetup.exe
Attachment size: 427 kb

Yarner copies itself over notepad.exe in the WINDOWS folder and copies the original Notepad application to notedpad.exe. Another copy of the worm is created in the WINDOWS folder as [random characters].exe. Yarner creates the files kernei32.daa and kernei32.das in the WINDOWS folder. To load itself automatically, Yarner adds the following value to the registry key HKEY_Local_Machine\Software\Microsoft\Windows\CurrentVersion\Runonce:
[random characters] = [random characters].exe

Yarner may try to delete all files on drive C.
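The host artifacts listed above can be turned into a triage check. The following is an added example, not part of the Finjan advisory: it assumes the Runonce values have already been exported into a dictionary, and the names scan_windows_dir and demo, as well as the sample file name qzxvk.exe, are constructed for illustration.

```python
import os
import tempfile

# File names the advisory says Yarner leaves in the WINDOWS folder.
DROPPED_FILES = ("kernei32.daa", "kernei32.das", "notedpad.exe")


def scan_windows_dir(windir, runonce_values):
    """Return a list of (kind, detail) findings.

    windir: path to the WINDOWS folder, or a copy of it from a disk image.
    runonce_values: dict of value name -> data exported from the Runonce key
                    (assumption: the export is done outside this script).
    """
    findings = []
    # Windows file names are case-insensitive, so compare in lower case.
    present = {name.lower(): name for name in os.listdir(windir)}
    for name in DROPPED_FILES:
        if name in present:
            findings.append(("file", present[name]))
    # Advisory pattern: value "<x>" = "<x>.exe", with <x>.exe in the WINDOWS
    # folder. This is a heuristic; confirm any hit by inspecting the file.
    for value, data in runonce_values.items():
        path = data.strip().strip('"').replace("\\", "/")
        exe = os.path.basename(path).lower()
        if exe == value.lower() + ".exe" and exe in present:
            findings.append(("runonce", f"{value} = {data}"))
    return findings


def demo():
    """Run the scan over a constructed folder and constructed Runonce data."""
    with tempfile.TemporaryDirectory() as windir:
        for name in ("notepad.exe", "notedpad.exe", "KERNEI32.DAA",
                     "qzxvk.exe", "explorer.exe"):
            open(os.path.join(windir, name), "wb").close()
        runonce = {
            "qzxvk": "qzxvk.exe",  # matches the advisory's pattern
            "Updater": r"C:\Program Files\Vendor\update.exe",  # unrelated entry
        }
        return scan_windows_dir(windir, runonce)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Because the worm overwrites notepad.exe in place, the presence of notedpad.exe is the file-name signal for that step; the script does not inspect notepad.exe itself.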

©Finjan Software

© Network Defence 2006  Email support@defence.net.nz   Tel +64 09 414 0789