W32/Yaha.B@mm
Analysis
- Virus is 32-bit, with a UPX-compressed size of 23,320 bytes
- Virus may copy itself to the Recycle Bin folder under a random five-letter file name and modify the registry so that a copy of the virus runs every time an EXE file is launched, as in this example:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "c:\recycled\xxxxx" %1 %*
where "xxxxx" is the name of the file created in the Recycle Bin. (On a clean system the (Default) value of this key is "%1" %*, so any other executable named in front of %1 %* is a hijack of the EXE file handler.)
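The following is an added example (not part of the Fortinet analysis) that checks an exefile\shell\open\command value for the hijack described above. The sample values are constructed for illustration; the five-letter name "abcde" and the wscript.exe variant are assumptions, not indicators taken from the virus. On Windows it can also read the live key via winreg.

```python
import re
import sys

# Default handler for EXE files on a clean Windows system.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample values for testing; "abcde" stands in for the random
# five-letter name, and the wscript.exe line is an assumed unrelated hijack.
SAMPLE_VALUES = {
    "clean": '"%1" %*',
    "yaha_style": '"c:\\recycled\\abcde" %1 %*',
    "other_hijack": 'C:\\WINDOWS\\system32\\wscript.exe "%1" %*',
}

# First token is either a double-quoted path or a bare path; the rest is arguments.
_CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))(.*)$')


def parse_handler(command):
    """Split a shell\\open\\command value into (executable, remaining arguments)."""
    m = _CMD_RE.match(command)
    if not m:
        return None, command.strip()
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return exe, m.group(3).strip()


def is_exefile_hijacked(command):
    """True if the EXE handler launches something other than the EXE itself (%1)."""
    exe, _ = parse_handler(command)
    return exe != "%1"


def classify(command):
    """Label a handler value: clean, recycled-hijack (Yaha-style), or hijacked."""
    exe, args = parse_handler(command)
    if not is_exefile_hijacked(command):
        return "clean"
    # Yaha-style: a program under c:\recycled\ is prepended to the original "%1 %*".
    if exe.lower().startswith("c:\\recycled\\") and args == "%1 %*":
        return "recycled-hijack"
    return "hijacked"


def read_live_value():
    """Read the live (Default) value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")
    return value


if __name__ == "__main__":
    for label, value in SAMPLE_VALUES.items():
        print(f"{label:14s} {classify(value):16s} {value}")
    live = read_live_value()
    if live is not None:
        print("live value:", classify(live), live)
```

When cleaning an infected host, restore the (Default) value to "%1" %* before deleting the file in the Recycle Bin; if the handler still points at a file that no longer exists, Windows can no longer launch any EXE, including the tools used for cleanup.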
- Next, the virus scavenges the local drive for email addresses and sends a copy of itself to the addresses found, in varying email formats with a randomly selected subject line and body text
- The message is structured so that it uses an exploit which causes the attachment to launch automatically when the message is opened or previewed in Outlook
- The email message carries an additional file attachment, typically a file with an .HTM extension, which is clean and non-infectious
Email will be sent in this format:
Subject: Enjoy this friendship-joke Screen Saver!!!!
or
Subject: Fw: Enjoy this friendship-joke Screen Saver!!!!
or
Subject: Have a nice day!!!
Body:
Hi Dear
Check this Attachement and enjoy!!!
See u
Attachment: friends.scr
- Virus may use one of several Asian-based email servers in order to distribute itself; the server names are hard-coded into the virus
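The following is an added example (not Fortinet's code) that matches an incoming message against the mail indicators listed above: the three subject lines, the body text, the friends.scr attachment and the extra .HTM attachment. The sample messages are constructed inline; the sender and recipient addresses and the .htm file name "readme.htm" are assumptions for the sample, not indicators from the virus.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the analysis above.
KNOWN_SUBJECTS = {
    "Enjoy this friendship-joke Screen Saver!!!!",
    "Fw: Enjoy this friendship-joke Screen Saver!!!!",
    "Have a nice day!!!",
}
KNOWN_BODY_LINES = ("Hi Dear", "Check this Attachement and enjoy!!!", "See u")
KNOWN_ATTACHMENT = "friends.scr"


def yaha_indicators(raw):
    """Return the list of Yaha.B mail indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    subject = str(msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        hits.append("subject")

    names = [(part.get_filename() or "") for part in msg.iter_attachments()]
    if any(name.lower() == KNOWN_ATTACHMENT for name in names):
        hits.append("scr-attachment")
    if any(name.lower().endswith(".htm") for name in names):
        hits.append("htm-attachment")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if all(line in text for line in KNOWN_BODY_LINES):
        hits.append("body")

    return hits


def build_sample():
    """Constructed message in the format described above (addresses are assumed)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Fw: Enjoy this friendship-joke Screen Saver!!!!"
    m.set_content("Hi Dear\nCheck this Attachement and enjoy!!!\nSee u\n")
    # Placeholder bytes stand in for the worm binary; not real malware content.
    m.add_attachment(b"MZ placeholder", maintype="application",
                     subtype="octet-stream", filename="friends.scr")
    # The clean .HTM file that travels with the worm (file name assumed).
    m.add_attachment("<html><body>hello</body></html>", subtype="html",
                     filename="readme.htm")
    return m.as_bytes()


def build_clean():
    """Constructed benign message used as a negative control."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "you@example.invalid"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes attached.\n")
    m.add_attachment("notes", subtype="plain", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    print("sample:", yaha_indicators(build_sample()))
    print("clean: ", yaha_indicators(build_clean()))
```

A gateway rule should not require all four indicators: the subject and body are chosen from fixed alternatives and the .HTM file is only "typically" present, so the .scr attachment name together with any one of the others is the stronger combination.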
- Virus contains the following strings -
lol lol lol lol lol lol
Stupid AVs, They don't know what my worm is doing
Who the hell named my valentine worm to yaha?
LOL ,Still I am not a SW Prof.
All the Stupid SW Profs that thinks they r the masters
Dedicated to
Origin : India,Kerala
Author : H^H ,h2h
W32.Yaha-II
Telemetry
Detection Availability
Product | Signature Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |