W32.Yaha@mm

SUMMARY

W32.Yaha@mm is a mass-mailer that sends itself to all the email addresses it finds in the Windows address book and in the files with the extension of .ht*.
This worm copies itself to the files, C:RecycledMsscra.exe and C:RecycledMsmdm.exe.

Protection

• Virus Definitions (LiveUpdate™ Weekly) February 20, 2002
• Virus Definitions (Intelligent Updater) February 19, 2002

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 50 - 999
• Number of Sites: More than 10
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low
• Large Scale E-mailing: Mails itself to all the email addresses it finds on the infected computer.

Distribution

• Distribution Level: High
• Subject of Email: Melt the Heart of your Valentine with this beautiful Screen saver or Fw: Melt the Heart of your Valentine with this beautiful Screen saver
• Name of Attachment: valentin.scr
• Size of Attachment: 20,992 bytes

TECHNICAL DETAILS

When W32.Yaha@mm is executed, it does the following:

• Sends itself to all the email addresses it finds in the Windows address book. It does this by first copying the address book file to the file C:WindowsWWW.dll. Then, it searches that file for an email address, which it then stores in the file, C:WindowsScreenback.dll.

• Sends email to all the addresses it finds within files in the Cache folders, with the file extension .ht*. The worm stores these email addresses in the file, C:WindowsScreen.dll.

• Sets itself to run when any other executable files are run, by modifying the (Default) value of the registry key:

HKEY_LOCAL_MACHINESoftwareClassesexefileshellopencommand

to read:

c:ecycledmsmdm" %1 %*"

instead of:

" %1 %*".

• Will attempt to send mail using information from the registry key:

HKEY_CURRENT_USERSoftwareMicrosoft
Internet Account ManagerAccounts0000001

or, if it cannot connect to the email server listed in that registry key, it will use one of the following:

• webproxy.teaorcoffee.com.tw
• supab.stn.sh.cn
• sitic.com.cn
• server.benmoss.com
• pokkant1.pokka.com.sg
• pdc.hrserve.com.tw
• outmail.dongfang-china.com
• ns.sillim.hs.kr
• ns.binter.cl
• microimportservice.com
• mailsvr.hanace.co.kr
• mailserver.kaimi.com.cn
• mail.yinda.com.cn
• mail.win-tex.com
• mail.pusanpaik.or.kr
• mail.cmr.com.cn
• mail.clinicasanborja.com.pe
• luckybusan.com
• linux2.ele-china.com
• crato.urca.br
• ahbb.net
• ntserver1.pascon.com
• toad.com
• mailinx.nettlinx.com
• www.sztge.com.cn

The email message will have an attachment named Valentin.scr.

The From field is a random-selected email address and may not be the legitimate sender.

• Also copies itself to the files, C:RecycledMsscra.exe and C:RecycledMsmdm.exe.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

Delete the files detected as W32.Yaha@mm and reverse the changes that it made to the registry.

NOTE: If the worm has run, in most cases you will need to edit the registry before you can run LiveUpdate, or download the updated definitions and run the scan.

Removing this worm

1. Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
   • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
   • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).
     
     The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.
     
     
2. Start Norton AntiVirus and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. Delete all the files detected as W32.Yaha@mm. Make sure that the following are deleted:
   • C:RecycledMsscra.exe
   • C:RecycledMsmdm.exe
   • C:WindowsWWW.dll
   • C:WindowsScreenback.dll
   • C:WindowsScreen.dll

Editing the registry
If the worm is executed, it modifies the registry so that an infected file is executed every time you run a .exe file. Follow these instructions to fix this.

Copying Regedit.exe to Regedit.com
Because the worm modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run it.

1. Do one of the following, depending on the operating system you are running:
   • Windows 95/98 users: Click Start, point to Programs, and then click MS-DOS Prompt.
   • Windows ME users: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
   • Windows NT/2000/XP users:
     1. Click Start, and click Run.
     2. Type the following, and then press Enter:
        
        command
        
        A DOS window opens.
        
        
     3. Type the following, and then press Enter:
        
        cd winnt
        
        
     4. Proceed to the next step.
        
        
2. Type the following, and then press Enter:
   
   copy regedit.exe regedit.com
   
   
3. Type the following, and then press Enter:
   
   start regedit.com
   
   

A. Proceed to the section, "Editing the registry and removing keys and changes," only after you have completed the previous steps.

NOTE: This will open the Registry Editor in front of the DOS window. After you finish editing the registry and have closed the Registry Editor, close the DOS window.

Editing the registry and reversing the changes

CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Make sure that you modify only the keys specified in this document. For more information, read, "How to back up the Windows registry," before proceeding with the following steps. If you are concerned that you cannot perform these steps, then do not proceed. Consult a computer technician for more information.

1. Navigate to and select the following key:
   
   HKEY_LOCAL_MACHINESoftwareClassesexefileshellopencommand
   
   CAUTION: The HKEY_LOCAL_MACHINESoftwareClasses key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with a .exe extension from running. Make sure you browse all the way along this path until you reach the command subkey.
   Do not modify the HKEY_LOCAL_MACHINESoftwareClasses.exe key.
   Do modify the HKEY_LOCAL_MACHINESoftwareClassesexefileshellopencommand subkey shown in the following figure:
   
   
   <<=== NOTE: This is the key that you need to modify.
   
   
2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type: "%1" %* (That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)
   
   NOTE: On Win95/98/Me and Windows NT systems, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this:
   
   ""%1" %*"
   
   On Windows 2000/XP systems, the addtional quotation marks will not appear. On these systems, the (Default) value should look exactly like this:
   
   "%1" %*
   
   
4. Make sure you completely delete all the value data in the command key, prior to typing the correct data. If a space is accidentally left at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C: <path and file name>."
5. Exit the registry editor.