[Dshield] The little nightmare is back

Grant Thurman Grant at Netprecision.Net
Wed Sep 11 15:53:03 GMT 2002

As a follow-up, it's back. I researched the virus
and found that it is an email virus, but it seems to
really take down a mail server, big time:

W32.Yaha.F@mm is the virus, but it creates files
like h2077721.htm in your temp directory and
somehow protects itself. I think this is a new
strain that attacks the address book and now
attacks the mail server itself. The new extension
for mail servers seems to be *.htm -vs- .bat, .pif
or .scr on a PC.

W32.Yaha.F@mm is a mass-mailing worm that sends
itself to all email addresses that exist in the
Microsoft Windows Address Book, the MSN Messenger
List, the Yahoo Pager list, the ICQ list, and
files that have extensions that contain the
letters ht. The worm randomly chooses the subject
and body of the email message. The attachment will
have a .bat, .pif or .scr file extension.
Depending upon the name of the Recycled folder,
the worm either copies itself to that folder or to
the %Windows% folder.

The name of the file that the worm creates
consists of four randomly generated characters
between c and y.

It also attempts to terminate antivirus and
firewall processes.

Also Known As: WORM_YAHA.E [Trend], Worm/Lentin.F
[Vexira], W32/Yaha.g@MM [McAfee], Yaha.E
[F-Secure], W32/Yaha-E [Sophos], Win32.Yaha.E [CA]
Type: Worm
Infection Length: 29,948 bytes
Systems Affected: Windows 95, Windows 98, Windows
NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154

I just had a serious virus attack, it got my mail
server. I don't know what it was, maybe someone
else has info on it.

An email came in from "andre". The virus scan caught
it but could not repair it, so I deleted all the
messages for that user. But the virus somehow
protected the log file so I could not delete the
log file; it created a *.nsf protected file in the
mail server temp directory that was also protected
by the NT operating system.

I turned off the mail server and that allowed me
to delete the file in the temp directory. While
the server was running, every time I tried to repair
the file the repair failed and the file changed
its name.

So in closing my fix was as follows:

Turned off the mail server.
Deleted all the logs that had copies of the virus.
Deleted the mail account that the virus came into.
Deleted all the files in the mail server temp.
Emptied the recycle bin.
Ran a virus scan on the entire machine.

All seems OK again, has anybody ever seen such a
virus before?

Grant Thurman
Netprecision, Inc.
714.832.8932 Cell: 714.813.3690
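The writeup quoted above gives two concrete handles a defender can check for: mailed copies arrive as .bat, .pif or .scr attachments, and the worm's dropped file has a four-character name made of letters between c and y. The following is an added example, not code from the post or from any vendor, showing both checks in Python's standard library: a mail-gateway style triage of a constructed MIME message, and a scan of a temp-directory listing for the drop-name pattern. The sample message and the file names are constructed for the example; the drop file's extension is not stated in the writeup, so only the name stem is matched.

```python
import email
import re
from email import policy
from pathlib import PurePath

# Attachment extensions the writeup names for Yaha.F@mm's mailed copies.
RISKY_EXTENSIONS = {".bat", ".pif", ".scr"}

# The writeup says the dropped copy is four characters between c and y.
# The extension is not given on the page, so only the stem is matched.
DROP_NAME = re.compile(r"^[c-y]{4}$", re.IGNORECASE)

# Constructed sample message (not a real capture): one risky attachment
# and one harmless one.  The base64 body is just the word "hello".
SAMPLE_RAW = b"""From: andre@example.invalid
To: postmaster@example.invalid
Subject: Fw: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0und"

--b0und
Content-Type: text/plain

see attached
--b0und
Content-Type: application/octet-stream; name="letter.scr"
Content-Disposition: attachment; filename="letter.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--b0und
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

harmless
--b0und--
"""


def attachment_names(raw: bytes) -> list:
    """Return the filenames of all attachment parts in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename()
            if name:
                names.append(name)
    return names


def is_risky_attachment(filename: str) -> bool:
    """True when the extension is one the worm mails itself with."""
    return PurePath(filename).suffix.lower() in RISKY_EXTENSIONS


def is_worm_drop_name(filename: str) -> bool:
    """True when the name stem is exactly four letters in c..y."""
    return DROP_NAME.match(PurePath(filename).stem) is not None


def triage_message(raw: bytes) -> dict:
    """Gateway decision: list attachments, flag risky ones, say whether to hold."""
    names = attachment_names(raw)
    flagged = [n for n in names if is_risky_attachment(n)]
    return {"attachments": names, "flagged": flagged, "quarantine": bool(flagged)}


def scan_listing(filenames) -> list:
    """Return names from a directory listing that fit the drop-name pattern."""
    return [f for f in filenames if is_worm_drop_name(f)]


if __name__ == "__main__":
    print(triage_message(SAMPLE_RAW))
    # Constructed listing of a temp directory: two names fit the pattern.
    print(scan_listing(["gmpx.exe", "abcd.exe", "win.ini", "hhhh"]))
```

The quarantine decision keys only on the extension list the writeup gives, which is deliberately coarse: a gateway that holds every .bat/.pif/.scr attachment for review stops this worm's mailed copies without needing a signature. The drop-name scan is a weaker, noisier indicator on its own (four-letter names in that range occur legitimately), so it is best read as a prompt to inspect the temp directory, as the poster did, rather than as a delete rule.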
