
Yaha.E Worm

Yaha.E is a mass-mailing worm that harvests e-mail addresses stored in the Windows Address Book, the MSN Messenger contact list, the ICQ list and the Yahoo Pager list, and also collects addresses from .ht* files, and uses them to distribute infected messages. This worm is also known as I-worm/Yaha.D, W32/Yaha-E, W32.Yaha.E, I-Worm.Lentin.g, W32.Yaha.E@mm and W32.Yaha.g@mm.
Yaha.E arrives as an e-mail attachment with a randomly chosen message subject and message body. The SMTP server used to send the e-mails is taken either from the registry or from a list of servers carried inside the worm body. The worm builds the subject from combinations of the following words and phrases:
searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
Hi
U realy Want this
Romantic
humour
New
Wonderfool
excite
Cool
charming
Idiot
Nice
Bullshit
One
Funny
Great
LoveGangs
Shaking
powful
Joke
Interesting
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share
The message body will be one of the following:
"Hi
dear
check the attach
see u"
"Hi
Check the Attachment ..
See u"
"Attached
one Gift for u.."
"wOW
CHECK THIS"
"Check
the attachment"
"See
the attachement"
"Enjoy
the attachement"
or "More details attached"
The remainder of the message may contain the following text, resembling a forwarded e-mail. The From and Subject fields of the forwarded message also vary, but the message will always contain the text:
"This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from <web address> to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: <web address>
* Enter your email address (<sender's address>) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address <sender's address>
X-PMG-Recipient: <sender's address>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>"
The attachment filename is built from one of the following base names. The attachment name always carries two extensions.
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
fucker
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love
The first extension is chosen from doc, mp3, xls, wav, txt, jpg, gif, dat, bmp, htm, mpg, mdb or zip. The second extension is chosen from pif, bat or scr.
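The naming scheme above (a lure base name, a harmless-looking first extension and an executable second extension) is a simple criterion a mail gateway or an analyst can check. The following Python is an added example, not code from the original analysis or from Fire anti-virus: it parses a constructed MIME message with the standard library, extracts attachment filenames and flags the double-extension pattern. The base-name set is a subset of the table above and the sample message is constructed; no real sample is embedded.

```python
"""Detect Yaha.E-style double-extension attachments in a MIME message.

Added example, not part of the original write-up. The filename scheme
from the analysis (base name + decoy extension + executable extension)
is turned into a check over a captured message. All sample data below
is constructed.
"""
import re
from email import message_from_string
from typing import Dict, List

# Decoy first extensions and executable second extensions from the analysis.
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat",
              "bmp", "htm", "mpg", "mdb", "zip"}
EXEC_EXTS = {"pif", "bat", "scr"}

# Subset of the base names listed above; the full table can be pasted in.
BASE_NAMES = {"screensaver", "screensaver4u", "love", "lovers", "friendship",
              "friends", "shakeit", "resume", "biodata", "dailyreport",
              "weeklyreport", "report", "goldfish"}

# base.first.second with exactly two extensions.
DOUBLE_EXT = re.compile(
    r"^(?P<base>[^.]+)\.(?P<first>[a-z0-9]+)\.(?P<second>[a-z0-9]+)$", re.I)


def classify_filename(name: str) -> str:
    """Return 'yaha' when base name and both extensions match the analysis,
    'double-ext' when an executable hides behind a decoy extension with an
    unlisted base name, and 'clean' otherwise."""
    m = DOUBLE_EXT.match(name.strip())
    if not m:
        return "clean"
    base, first, second = (m.group(g).lower() for g in ("base", "first", "second"))
    if first in DECOY_EXTS and second in EXEC_EXTS:
        return "yaha" if base in BASE_NAMES else "double-ext"
    return "clean"


def attachment_names(raw: str) -> List[str]:
    """Collect filenames from Content-Disposition / Content-Type of each part."""
    msg = message_from_string(raw)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def scan_message(raw: str) -> Dict[str, str]:
    """Map each attachment filename in the raw message to its verdict."""
    return {fn: classify_filename(fn) for fn in attachment_names(raw)}


# Constructed sample: one Yaha.E-style lure and one harmless attachment.
SAMPLE = """\
From: friend@example.invalid
To: you@example.invalid
Subject: Free Screen saver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi
Check the Attachment ..
See u
--b1
Content-Type: application/octet-stream; name="screensaver4u.jpg.scr"
Content-Disposition: attachment; filename="screensaver4u.jpg.scr"
Content-Transfer-Encoding: base64

TVo=
--b1
Content-Type: application/pdf; name="quarterly.pdf"
Content-Disposition: attachment; filename="quarterly.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b1--
"""

if __name__ == "__main__":
    for fn, verdict in scan_message(SAMPLE).items():
        print(f"{fn}: {verdict}")
```

The 'double-ext' verdict is deliberately separate from 'yaha': the executable-behind-decoy pattern is worth blocking on its own, whatever the base name, while the exact base-name match gives a higher-confidence attribution to this family.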
If the infected e-mail attachment is executed, it runs as a screen saver and also copies itself to C:\recycled under a random four-letter file name with the hidden attribute set. It also displays the following text in different colours:
I like U very much!!!
Ur My Best Friend!!
True Love never ends
U r so cute today #!#!
U r My Best Friend
No Configuration is availabile Now
After that it modifies the registry so that the worm is loaded whenever an "EXE" file is executed. The registry key modified is HKEY_CLASSES_ROOT\exefile\shell\open\command
In some cases it uses the IFRAME vulnerability to infect. When the user views the e-mail, the embedded code is executed automatically and drops the virus. Microsoft released security patches to close this security hole. If you haven't installed them, you can get a copy at http://www.microsoft.com/windows/ie/download/critical/Q290108/default.asp
When active in memory it disables anti-virus programs. The Yaha worm has the ability to spread through the network. The Yaha.E variant drops a text file in the Windows folder with the following text:
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh
uS & fUCk tHE GFORCE-pAK shites
bY
sNAkeeYes,c0Bra
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
<<<>>>
The Yaha.E worm doesn't contain any destructive payload, but if you delete the worm file before fixing the registry entry, your applications will NOT run.
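The registry change described earlier is why the warning above matters: the exefile open command points at the worm's copy, so once that file is gone every EXE launch fails. The Python below is an added example, not part of the original analysis or of Fire anti-virus: it checks a captured value of HKEY_CLASSES_ROOT\exefile\shell\open\command against the clean Windows default "%1" %* (an assumption of this example, not stated on the page), names the program inserted in front of "%1", and emits a .reg snippet that restores the default. The sample values, including the C:\recycled file name, are constructed; the live registry read uses winreg and only runs on Windows.

```python
"""Check and repair the exefile 'open' command that Yaha.E hijacks.

Added example, not part of the original analysis. The clean Windows
default for HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command is assumed
to be "%1" %* ; every registry value used below is constructed.
"""
import sys
from typing import Optional

KEY_PATH = r"exefile\shell\open\command"
CLEAN_COMMAND = '"%1" %*'  # assumed clean default (see module docstring)


def is_hijacked(command: str) -> bool:
    """True when the command differs from the clean default, i.e. something
    other than the chosen EXE itself gets run on every launch."""
    return command.strip().lower() != CLEAN_COMMAND.lower()


def interloper(command: str) -> Optional[str]:
    """Name the program wedged in front of "%1", or None when the value is clean.

    Yaha.E installs its hidden copy here, so the result is the path of the
    file to remove *after* the value has been restored."""
    if not is_hijacked(command):
        return None
    cmd = command.strip()
    idx = cmd.find('"%1"')
    prefix = cmd if idx < 0 else cmd[:idx]
    return prefix.strip().strip('"') or cmd


def repair_reg() -> str:
    """A .reg file body that restores the default open command."""
    # In .reg syntax the default value is '@' and embedded quotes are escaped.
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
            '@="\\"%1\\" %*"\r\n')


def read_live_command() -> Optional[str]:
    """Read the current value on Windows; None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, KEY_PATH) as key:
        value, _kind = winreg.QueryValueEx(key, "")
    return value


def triage(command: str) -> str:
    """One-line verdict suitable for a scan report."""
    hit = interloper(command)
    if hit is None:
        return "clean: exefile open command is the default"
    return f"HIJACKED: {hit!r} runs before every EXE; restore the value, then remove the file"


if __name__ == "__main__":
    # Constructed samples: a clean value and a Yaha.E-style hijack in C:\recycled
    # (the four-letter name is made up; the real one is random).
    samples = [CLEAN_COMMAND, r'C:\recycled\qwer.exe "%1" %*']
    live = read_live_command()
    if live is not None:
        samples.append(live)
    for value in samples:
        print(triage(value))
    print(repair_reg())
```

Import the emitted .reg text with regedit before deleting the worm file, which is the order the page insists on. Because regedit.exe is itself an EXE, on a system where the association is already broken it has to be reached by another route, for example a copy renamed to a .com extension.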
How can I protect my system?
Fire has incorporated the Yaha.E worm in its signature file to protect Fire users from this worm attack. Fire anti-virus users can update this signature file by using the online update facility, which is available with the registered version of the Fire anti-virus Kit. If you are already infected with this worm, run Fire anti-virus and choose the delete option to remove the worm components.
How can I find out whether my system is infected?
A free download of the FireLite version [ 1100 KB ] is also available to detect the Yaha worm and its variants. The Fire anti-virus kit removes the Yaha.E worm without problems. If you find this worm, use the registered version of Fire to remove it. To get the registered version of Fire, call us at 044-28170440, mail service@fireav.com, or purchase Fire online using
[Analysis: Mr. Ramesh, Mr. Stanley Rakesh, Prognet Technologies Pvt. Ltd, Jun. 2002]
