VirusW32/Yaha.L@mm
Analysis
- Virus is 32bit, with a UPX compressed size of 34,304
bytes
- Virus icon resembles that of a blue heart
- Virus may search the following list and attempt
to terminate any name-matching process running in
memory -
_AVP32
_AVPCC
_AVPM
ACKWIN32
ALERTSVC
AMON.EXE
ANTIVIR
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVPCC.EXE
AVPM.EXE
AVSYNMGR
CFINET
CFINET32
ESAFE.EXE
F-AGNT95
F-PROT95
FP-WIN
FRW.EXE
F-STOPW
IAMAPP
IAMSERV.EXE
ICMON
IOMON98
LOCKDOWN2000
LOCKDOWNADVANCED
LUALL
LUCOMSERVER
MCAFEE
N32SCANW
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NOD32
NORTON
NPSSVC
NRESQ32
NSCHED32
NSCHED32
NSCHEDNT
NSPLUGIN
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
PCCWIN98
PCFWALLICON
POP3TRAP
PVIEW
PVIEW95
REGEDIT
RESCUE32
RMVTRJANSAFEWEB
SCAN32
SWEEP95
SYMPROXYSVC
TDS2-98
TDS2-NT
VET95
VETTRAY
VSECOMR
VSHWIN32
VSSTAT
WEBSCANX
WEBTRAP
ZONEALARM - Virus may copy itself to the Windows\System folder as "WinServices.exe", and modify the registry to run this any time an EXE file is run -
- Virus modifies the registry to run at Windows startup
-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run\
winservices = C:\Windows\System\winservices.exe - Next, the virus will scavenge the local drive for
email addresses and send a copy of itself to addresses
found in varying email formats, based on a randomly
selected subject line and body text
- Message is structured such that it uses an exploit
which will cause the attachment to launch automatically
when the message is either opened, or previewed in
Outlook
- One property of the MIME encoded email is the following
-
boundary=#r0xx#
- The attachment will be one of the following file
names -
Beautifull.scr
Body_Building.scr
Britney_Sample.scr
Codeproject.scr
Cupid.scr
FixElkern.com
FixKlez.com
FreakOut.exe
Free_Love_Screensavers.scr
Hacker.scr
Hacker_The_LoveStory.scr
Hardcore4Free.scr
I_Love_You.scr
Jenna_Jemson.scr
King_of_Figthers.exe
KOF.exe
KOF_Demo.exe
KOF_Fighting.exe
KOF_Sample.exe
KOF_The_Game.exe
KOF2002.exe
Love.scr
My_Sexy_Pic.scr
MyPic.scr
MyProfile.scr
Notes.exe
Peace.scr
Playboy.scr
Plus2.scr
Plus6.scr
Project.exe
Ravs.scr
Real.scr
Romantic.scr
Romeo_Juliet.scr
Screensavers.scr
Services.scr
Sex.scrSoccer.scr
Sexy_Jenna.scr
SQL_4_Free.scr
Stone.scr
Sweetheart.scr
The_Best.scr
THEROCK.scr
up_life.scr
Valentines_Day.scr
VXer_The_LoveStory.scr
Ways_To_Earn_Money.exe
World_Tour.scr
xxx4Free.scr
zDenka.scr
zXXX_BROWSER.exe - This virus may set the Internet Explorer start page to one of the following hyperlinks-
- Virus contains the following comments within the code -
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = ""C:\Windows\System\WinServices.exe" undefined1 undefined*"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\RunServices\
winservices = C:\Windows\System\winservices.exe
http://www.unixhideout.com
http://www.hirosh.tk
http://www.neworder.box.sk
http://www.blacksun.box.sk
http://www.coderz.net
http://www.hackers.com/html/neohaven.html
http://www.ankitfadia.com
http://www.hrvg.tk
http://www.hackersclub.up.to
http://geocities.com/snak33y3s
'======================================================'
'W32.@YerH$.B (all r1ght$ re$erv3d.. ;) )'
'w3 aRe tHe gRe@t 1nD1aN$..'
'------------------------------------------------------'
'm@iN mIssIoN iS t0 sPreAd tHe nAmE @YerH$'
's00 mUch t0 c0me..'
'iNclUdEd DDoS c0mp0neNtS c@usE oF sHiT p@kI l@meRs'
'eXp3ct th3 uNeXp3ctEd'
'dEdic@t3d t0 : mY b3$t fRi3nD'
'======================================================'
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |