Virus Alert: Yaha.J (Posted by Jim <mailto:jim@...> at 6:49AM)
The Yaha.J worm was sent to over 50 different yahoogroups.com mailing
lists on Friday the 13th of December 2002. The initial e-mails looked
like this:
From: HotGal4U2Fuk@...
To: member-of-one-of-the-yahoogroups-mailing-list
Subject: joke
look attach very gooooode
bye
Attachment: love.gif .scr
This Yaha worm variant installs itself to the system 3 times, creates a
startup key for one of its files in the Registry and also modifies the EXE
file startup key so that its other file is started every time a user
runs an EXE file. When run for the first time, Yaha.J displays a fake
error message. Yaha.J spreads itself in e-mail messages with different
subjects. It also spams numerous e-mail addresses by sending a message
without its attachment. When Yaha.J is run for the first time, it
displays a fake error message:
Error
Application initilisation error
Then Yaha.J installs itself to the system. It copies itself 3 times to the
Windows System directory with the following names:
MSNMSG32.EXE
NAV32.EXE
WINREG.EXE
Yaha.J sets the hidden attribute on all these files, so they are not seen in
Windows Explorer with default settings. Then Yaha.J creates 2 startup
keys for the WINREG.EXE file in the System Registry. Yaha.J looks for
e-mail addresses in Windows Address Book, cache folders of NET and MSN
messengers and in Yahoo Messenger profile folders. When Yaha.J locates
an e-mail address, it browses the domain name, then connects to a DNS
server at address 12.127.17.71 and attempts to locate an anonymous SMTP
server for that domain. F-SECURE
<http://www.f-secure.com/v-descs/yaha_j.shtml>
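Added example (not part of the original alert or of F-Secure's description): two small checks a defender could run over mail attachment names and host evidence for the indicators named above. The sample inputs are constructed, and the Run-key path and the `exefile` open-command default are assumptions, since the alert does not name the registry keys.

```python
"""Detection helpers for the Yaha.J indicators described in the alert."""
import re
from pathlib import PureWindowsPath

# File names the alert says the worm drops (hidden) into the Windows System directory.
YAHA_J_DROPPED = {"MSNMSG32.EXE", "NAV32.EXE", "WINREG.EXE"}
# Extensions Windows executes even when the name looks like an image or document.
EXEC_EXT = {".scr", ".exe", ".pif", ".com", ".bat"}
INNOCENT_EXT = re.compile(r"\.(gif|jpe?g|png|txt|doc|pdf)$", re.I)
# Default of HKCR\exefile\shell\open\command on a clean system (assumption).
CLEAN_EXEFILE_COMMAND = '"%1" %*'


def deceptive_attachment(name: str) -> bool:
    """True when an executable extension hides behind an innocent-looking one,
    e.g. the alert's 'love.gif .scr' (note the space before the real .scr)."""
    m = re.match(r"^(.*?)\s*(\.[A-Za-z0-9]{1,4})$", name.strip())
    if not m:
        return False
    base, ext = m.group(1), m.group(2).lower()
    if ext not in EXEC_EXT:
        return False
    padded = name.strip()[: -len(ext)] != base  # whitespace before the real extension
    return padded or bool(INNOCENT_EXT.search(base))


def yaha_j_host_indicators(system_files, run_values, exefile_command):
    """Collect host-side evidence: hidden dropped files, Run-key values that
    launch WINREG.EXE, and a modified exefile open command."""
    hits = []
    for path, hidden in system_files:  # (path, has hidden attribute)
        if hidden and PureWindowsPath(path).name.upper() in YAHA_J_DROPPED:
            hits.append(f"hidden dropped file: {path}")
    for key, value in run_values.items():
        if "WINREG.EXE" in value.upper():
            hits.append(f"startup key {key} -> {value}")
    if exefile_command.strip() != CLEAN_EXEFILE_COMMAND:
        hits.append(f"exefile command hijacked: {exefile_command}")
    return hits


if __name__ == "__main__":
    # Constructed sample evidence resembling an infected host (hypothetical key path).
    files = [(r"C:\WINDOWS\SYSTEM\WINREG.EXE", True),
             (r"C:\WINDOWS\SYSTEM\KERNEL32.DLL", False)]
    run = {r"HKLM\...\Run\winreg": r"C:\WINDOWS\SYSTEM\WINREG.EXE"}
    print(deceptive_attachment("love.gif .scr"))
    for hit in yaha_j_host_indicators(files, run, r'C:\WINDOWS\SYSTEM\MSNMSG32.EXE "%1" %*'):
        print(hit)
```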