PORQUET-L Archives

Archiver > PORQUET > 2003-01 > 1041550298


From: "David M Paterson" <>
Subject: [PORQUET] Fw: [LO] Yaha Virus increasing
Date: Thu, 2 Jan 2003 19:31:38 -0400


I'm forwarding this direct to you all, not to worry you but to make
you aware. Please though, no on-list discussions. Any comments please
email me direct, after you have checked details with your particular
AV supplier and the 2 references below.
Thanks,
David
Admin.

----- Original Message -----
From: "John A Hansen"
Sent: Thursday, January 02, 2003 3:10 PM
Subject: [LO] Yaha Virus increasing


>
> Dear All:
>
> This is another bad one. Be sure to update your AV database
> software ASAP. For most people it merely means hitting the
> live update button.
>
> You can read some more about it at :
> www.sarc.com
> www.mcfee.com
> Norton ( Sarc) has a nice write up on how to remove.
> SARC only shows a level 2 at this point, but several AV
> monitors are showing much wider distribution than normal.
>
> Best Regards
> John A Hansen
>
> January 2, 2003
> Return of the Yaha Worm
> By Ryan Naraine
> E-mail security firms are warning that a variant of the Yaha.M
mass-mailing virus is again circulating, urging administrators to
> block attachments ending with ".scr," ".exe" and ".com" at the
firewall level to keep the worm at bay.
> MessageLabs slapped a "High Risk" rating on the new Yaha.M-mm worm,
which was discovered over the holidays and has been wreaking
> havoc on e-mail around the world. To date, MessageLabs has
intercepted 36,033 copies of the virus in more than 100 countries.
>
> McAfee has also upped its rating on the new Yaha variant, which
propagates via e-mail using its own built-in SMTP engine. The worm
> terminates specific processes if they are running (AV/security
related), and contains code to deliver a denial-of-service attack
> against a remote machine (the target is hard-coded within the worm),
the company warned.
>
> McAfee warned that the virus is capable of terminating the virus
scan programs before any scanning/removal can be done and
> recommended that infected users use the Stinger removal tool to
disinfect systems.
>
> In an advisory, anti-virus firm F-Secure also upgraded the new
worm -- dubbed Yaha.K -- and warned that the worm looks for e-mail
> addresses in Windows Address Book, cache folders of .NET and MSN
messengers and in Yahoo Messenger profile folders. The company said
> the worm then sends itself to all e-mail addresses and composes
several different types of e-mails with different those messages,
> subjects, bodies and attachment names.
>
> F-Secure noted that the worm can change the default Internet
Explorer startup page to point to one of several sites owned by
hacking
> groups. Yaha.K also tries to create a denial-of-service attack on
the infopak.gov.pk Web site.
>
> To disinfect a system, F-Secure said three worm files must be
deleted and a registry fix applied
> ==============================
> To join Ancestry.com and access our 1.2 billion online genealogy
records, go to:
> http://www.ancestry.com/rd/redir.asp?targetid=571&sourceid=1237
>


This thread: