Virus Central - Detailed
Virus Information
Name:
W32.Yarner.A@mm

Aliases:

Type:
Worm

Discovery Date:
February 19, 2002
Detection:
- Large-scale e-mailing: mails everyone in the Outlook address book
- Deletes files: deletes all files on the drive on which Windows is installed
- Modifies files: overwrites Notepad.exe
Virus Description:
Due to a low submission rate, Symantec Security Response is downgrading this threat to a Category 2.
W32.Yarner.A@mm is a mass-mailing worm. It sends itself to e-mail addresses that it finds in the Microsoft Outlook address book and in local files. The worm uses the system-configured or a hardcoded SMTP server to send messages with the subject "Trojaner-Info Newsletter" followed by the current date. The message body is in German and the attachment is named Yawsetup.exe. In addition, the worm may attempt to delete all files on the computer.
E-mail Subject:
Trojaner-Info Newsletter [current date]

E-mail Body:
Hallo !
Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:
01. YAW 2.0 - Unser Dialerwarner in neuer Version
************************************
01. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!
<http:/ /www.trojaner-info.de/dialer/yaw.shtml>
************************************
Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine angenehme Woche.
Mit freundlichem Gruss
Thomas Tietz & Andreas Ebert
<http:/ /www.trojaner-info.de>
************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine entsprechende E-Mail.

Attachment:
yawsetup.exe

Virus Effects:
When it is executed, W32.Yarner.A@mm does the following:
It copies itself to %Windows%\Notepad.exe, which overwrites the Notepad program.
NOTES:
- %Windows% is a variable. The worm locates the \Windows folder (by default this is C:\Windows or C:\Winnt) and copies itself to that location.
- Before the worm overwrites Notepad.exe, it saves a copy of the file as %Windows%\Notedpad.exe. (Notice the slight change in the file names: the new, infected file is now Notepad.exe, while the original, uninfected file has been renamed to Notedpad.exe; the letter d was added after "Note".)
As a result, when Notepad.exe is opened, the worm executes and attempts to launch the original (renamed) Notepad program.
In addition, the worm copies itself to %Windows%\<random characters>.exe and adds the value
<random characters> <random characters>.exe
to the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
This causes the worm to run the next time that you start Windows.
The worm uses MAPI to send itself to e-mail addresses that it finds in the Microsoft Outlook address book and by searching files that have the extensions .php, .htm, .shtm, .cgi, or .pl. The worm pretends to be a new version of the YAW application that was released by Trojaner-Info in Germany.
The worm also creates the following files:
- %Windows%\Kernei32.daa
- %Windows%\kernei32.das
These files are not viral; instead, they store server and address information that is used by the worm.
Finally, depending on a random counter, the worm may delete all files on the drive on which Windows is installed.
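As an added example that is not part of this write-up, the following Python checker is built from the indicators above: the lure subject and attachment name for a mail gateway, and the Notedpad.exe backup, the Kernei32 data files and the RunOnce value for a host. The sample message it builds is constructed, and the assumption that the RunOnce value name equals the stem of the dropped .exe is mine, not something the write-up states.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Lure strings from the write-up: subject "Trojaner-Info Newsletter <date>", attachment Yawsetup.exe.
SUBJECT_RE = re.compile(r"^Trojaner-Info Newsletter\b", re.IGNORECASE)
LURE_ATTACHMENT = "yawsetup.exe"
# Files the worm leaves in %Windows%: the renamed Notepad backup and its two data files.
DROPPED_FILES = {"notedpad.exe", "kernei32.daa", "kernei32.das"}


def is_yarner_mail(raw: str) -> bool:
    """Gateway check: the subject matches the lure and some MIME part carries yawsetup.exe."""
    msg = message_from_string(raw, policy=default)
    if not SUBJECT_RE.match(msg["Subject"] or ""):
        return False
    return any((p.get_filename() or "").lower() == LURE_ATTACHMENT for p in msg.walk())


def host_indicators(windows_dir_files, runonce_values):
    """Host check over a listing of %Windows% and the HKCU ...\\RunOnce values ({name: data}).
    Returns the indicators found; an empty list means nothing Yarner-like was seen."""
    hits = sorted(f for f in windows_dir_files if f.lower() in DROPPED_FILES)
    for name, data in runonce_values.items():
        exe = data.strip('"').lower()
        # Assumption (not stated in the write-up): the value name and the dropped .exe share
        # the same random string, as "<random characters> <random characters>.exe" suggests.
        # A bare name with no path resolves from %Windows%, where the worm copied itself.
        if "\\" not in exe and exe.endswith(".exe") and exe[:-4] == name.lower():
            hits.append(f"RunOnce:{name}={data}")
    return hits


def constructed_sample_mail(subject: str, attachment: str) -> str:
    """Constructed test message in the shape the write-up describes (not a real capture)."""
    m = EmailMessage()
    m["Subject"] = subject
    m["From"] = "newsletter@example.invalid"  # constructed sender address
    m.set_content("Hallo !\nWillkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.")
    m.add_attachment(b"MZ\x00placeholder", maintype="application",
                     subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    lure = constructed_sample_mail("Trojaner-Info Newsletter 19.02.2002", "Yawsetup.exe")
    print("mail flagged:", is_yarner_mail(lure))
    print("host hits:", host_indicators(["notepad.exe", "Notedpad.exe", "kernei32.das"],
                                        {"xkqzp": "xkqzp.exe"}))
```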

Removal Instructions:
If this worm has been executed, it is possible that all files have been deleted from the hard drive. If this is the case, you must fully reinstall the system.
If the worm has not deleted all files, delete the files that are detected as W32.Yarner.A@mm, rename Notedpad.exe to Notepad.exe, and remove the value that the worm added to the registry.
To remove the worm:
1. Obtain the most recent virus definitions. There are two ways to do this:
- Run LiveUpdate. LiveUpdate is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine if definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
- Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine if definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up. Detailed instructions on how to download and install the Intelligent Updater virus definitions are on the Symantec Security Response Web site.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document "How to configure Norton AntiVirus to scan all files."
3. Run a full system scan.
4. Delete all files that are detected as W32.Yarner.A@mm.
To rename Notedpad:
1. Using Windows Explorer, locate the file %Windows%\Notedpad.exe.
NOTE: %Windows% is a variable. The file will be in the folder in which Windows is installed. By default, this is C:\Windows or C:\Winnt.
2. Right-click the Notedpad.exe file, and click Rename.
3. Rename the file back to Notepad.exe.
To edit the registry:
CAUTION: We strongly recommend that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document "How to back up the Windows registry" for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, look for a value that consists of a string of random characters.
5. Select this value and delete it.
6. Click Registry, and click Exit.

Revision History:
Feb 19, 2002: Added information about current date in Subject and file deletion payload.
Feb 20, 2002: Downgraded threat level to Category 2.
Write-up by: Neal Hindocha