
Thread: NASTY WORM CAT 3.......BEWARE

  1. #1
    Moderator HUTCH SC95

    NASTY WORM CAT 3.......BEWARE

    THIS THING DESTROYED ALL MY FILES SO BAD.....I LOST EVERYTHING...22 GIGS OF MAPS, MUSIC, ADDRESSES ..ALONG WITH ALL KINDS OF PERSONAL STUFF. DON'T LET IT HAPPEN TO YOU.....I JUST SPENT 3 DAYS TRYING TO GET BACK UP AND RUNNING.......SO BE CAREFUL

    HUTCH


    WARNING: W32.Yaha.K@mm
    Threat level: Category 3
    Type: Worm
    Virus Definitions: December 30, 2002 or later (via LiveUpdate)


    What is W32.Yaha.K@mm and how does it affect me?
    Due to an increased number of submissions, Symantec Security Response is upgrading W32.Yaha.K@mm from a Category 2 to a Category 3.

    W32.Yaha.K@mm is a worm variant of W32.Yaha.J@mm.

    W32.Yaha.K@mm will terminate some anti-virus and firewall processes. Additionally, it can email itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, as well as searching for any contacts listed in files whose extensions contain the letters, HT. The email message has a randomly chosen subject line, message, and attachment name.

    This threat is written in the Microsoft C++ language and is compressed with UPX. The uncompressed size is about 75 KB.


    What action can I take from here?
    All users of Norton AntiVirus who do not have up-to-date virus protection should immediately run LiveUpdate for protection from W32.Yaha.K@mm.


    Sincerely,

    Symantec Security Response Team
    Symantec Corporation






  2. #2
    Guest
    Does it run from your email, if you open the email it goes bananas? Or do you have to click the attachment?

  3. #3
    Moderator HUTCH SC95
    Originally posted by Pacman <|SC|>
    Does it run from your email, if you open the email it goes bananas? Or do you have to click the attachment?

    I don't know how I got it ..but the way I understand it ...and god knows I could be wrong here....but if it gets into your address book it sends itself out auto. from your pc....then it destroys your files.....so update and scan asap.

  4. #4
    Registered User

    virus

    Originally posted by HUTCH SC95
    Originally posted by Pacman <|SC|>
    Does it run from your email, if you open the email it goes bananas? Or do you have to click the attachment?
    I don't know how I got it ..but the way I understand it ...and god knows I could be wrong here....but if it gets into your address book it sends itself out auto. from your pc....then it destroys your files.....so update and scan asap.

    I know several of my squad members have been affected as well, as they got new computers for x-mas and didn't have their anti-virus programs loaded yet. Seems to have started from a fellow's address book in Canada and sent itself to every squad member. Also can send itself as a free screensaver. Just so ya know!!!

  5. #5
    Moderator HUTCH SC95

    Some more info on this new worm


    W32.Yaha.L@mm
    Discovered on: December 30, 2002
    Last Updated on: December 31, 2002 11:38 AM








    W32.Yaha.L@mm is a worm that is a variant of W32.Yaha.K@mm. The differences between the variants do not visibly manifest themselves, so the characteristics of each will be the same.




    Type: Worm
    Infection Length: 34,304 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, OS/2, UNIX, Linux


    Virus Definitions (Intelligent Updater) *: December 31, 2002
    Virus Definitions (LiveUpdate™) **: December 31, 2002

    * Intelligent Updater virus definitions are released daily, but require manual download and installation.
    ** LiveUpdate virus definitions are usually released every Wednesday.








    Wild:
    Number of infections: 0 - 49
    Number of sites: 0 - 2
    Geographical distribution: Low
    Threat containment: Easy
    Removal: Moderate

    Threat Metrics
    Wild: Low
    Damage: Medium
    Distribution: High

    Damage
    Payload:
    Large scale e-mailing: Emails itself to all the contacts in the Windows Address Book, MSN Messenger, .NET Messenger, Yahoo Pager, and all the files whose extensions contain the letters HT.

    Distribution
    Subject of email: Varies
    Name of attachment: Varies
    Size of attachment: 34,304 bytes



    W32.Yaha.L@mm performs the same actions as W32.Yaha.K@mm, but it contains some unused code. For more details, refer to the W32.Yaha.K@mm writeup.






    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
    If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
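
The advisory's recommendation to block mail carrying .vbs, .bat, .exe, .pif and .scr attachments can be checked at a mail gateway with a filter like the one below. This is an added example, not part of the original posts or of Symantec's writeup; the function names and the sample message are constructed for illustration, and the extension list is the one quoted in the advisory.

```python
# Added example: quarantine check for the attachment types named in the advisory.
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension list taken from the advisory text; extend it for your own policy.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def is_blocked(filename):
    """True if the final extension of an attachment name is on the block list."""
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as a.exe.
    cleaned = filename.rstrip(". ").lower()
    if "." not in cleaned:
        return False
    # Only the last extension decides how Windows opens it ("photo.jpg.pif").
    return "." + cleaned.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Return the names of all MIME parts whose filename has a blocked extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition, falling back to Content-Type name=
        name = part.get_filename()
        if name and is_blocked(name):
            hits.append(name)
    return hits


def build_sample():
    """Constructed test message (not a real sample): three harmless attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for name in ("screensaver.scr", "photo.jpg.PIF", "notes.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

The check looks only at the declared filename, so it complements rather than replaces up-to-date virus definitions.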


  6. #6
    Moderator
    realize legalize MMJ is ok
