[Dshield] The little nightmare is back

Louis Hablas Lou.Hablas at rzim.org
Thu Sep 12 20:30:11 GMT 2002

Though not recently, I've had days during the last few weeks where I've
been hammered by this thing...fortunately, I filter the aforementioned
extensions and all malicious attachments have been stripped and quarantined,
so no problems yet...if anybody's interested in header or related info next
go-around, I'd be glad to forward it to you...


-----Original Message-----
From: Mark Challender [mailto:MarkC at mtbaker.wednet.edu]
Sent: Thursday, September 12, 2002 1:51 PM
To: 'list at dshield.org'
Subject: RE: [Dshield] The little nightmare is back

The attachment for YAHA is one of three -- .bat, .pif, .scr -- with any of
thirteen other common extensions.  The file name might be any of about 35
names such as friends4u.htm.pif.

People who don't show file extensions would see friends4u.htm and if they
don't practice good email behavior would open that extension letting the
virus loose.

Mail administrators can block .pif, .bat, .scr and prevent this type of
virus from spreading.

Is there really any good reason to allow the executable extensions through?

Mark Challender
Network Administrator

Veni, Vidi, Geeki

-----Original Message-----
From: Grant Thurman [mailto:Grant at Netprecision.Net]
Sent: Wednesday, September 11, 2002 8:53 AM
To: list at dshield.org
Subject: [Dshield] The little nightmare is back

As a follow-up, it's back. I researched the virus
and found that it is an email virus, but it seems to
really take down a mail server, big time:

W32.Yaha.F@mm is the virus, but it creates files
like h2077721.htm in your temp directory and
somehow protects itself. I think this is a new
strain that attacks the address book and now
attacks the mail server itself. The new extension
for mail servers seems to be *.htm vs. .bat, .pif
or .scr on a PC.

W32.Yaha.F@mm is a mass-mailing worm that sends
itself to all email addresses that exist in the
Microsoft Windows Address Book, the MSN Messenger
List, the Yahoo Pager list, the ICQ list, and
files that have extensions that contain the
letters ht. The worm randomly chooses the subject
and body of the email message. The attachment will
have a .bat, .pif or .scr file extension.
Depending upon the name of the Recycled folder,
the worm either copies itself to that folder or to
the %Windows% folder.

The name of the file that the worm creates
consists of four randomly generated characters
between c and y.

It also attempts to terminate antivirus and
firewall processes.

Also Known As: WORM_YAHA.E [Trend], Worm/Lentin.F
[Vexira], W32/Yaha.g@MM [McAfee], Yaha.E
[F-Secure], W32/Yaha-E [Sophos], Win32.Yaha.E [CA]
Type: Worm
Infection Length: 29,948 bytes
Systems Affected: Windows 95, Windows 98, Windows
NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154

I just had a serious virus attack; it got my mail
server. I don't know what it was, maybe someone
else has info on it.

An email came in from "andre". The virus scan caught
it but could not repair it, so I deleted all the
messages for that user. But the virus somehow
protected the log file so I could not delete the
log file; it created a *.nsf protected file in the
mail server temp directory that was also protected
by the NT operating system.

I turned off the mail server, and that allowed me
to delete the file in the temp directory. While
the server was running, every time I tried to repair
the file the repair failed and the file changed
its name.

So in closing my fix was as follows:

Turned off the mail server.
Deleted all the logs that had copies of the virus.
Deleted the mail account that the virus came into.
Deleted all the files in the mail server temp directory.
Emptied the recycle bin.
Ran a virus scan on the entire machine.

All seems OK again, has anybody ever seen such a
virus before?

Grant Thurman
Netprecision, Inc.
714.832.8932 Cell: 714.813.3690
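The gateway-side mitigation Mark describes (drop .bat/.pif/.scr attachments, including double-extension names like friends4u.htm.pif that look harmless once Windows hides the real extension) and the attachment types Grant quotes from the Yaha write-up can both be checked with a small attachment-policy scanner. The code below is an added example for this thread, not code from any of the posters or from a mail server product; the blocked-extension set beyond .bat/.pif/.scr, the function names and the sample message are constructed for the example.

```python
"""Attachment-extension policy check (added example, not from the list thread).

Parses a raw message with Python's email package and reports every
attachment whose final extension is on the block list. Only the final
extension matters: friends4u.htm.pif runs as a .pif on Windows no matter
what sits in the middle of the name.
"""
import email
from email import policy
from email.message import EmailMessage

# .bat, .pif and .scr are the Yaha carriers named in the thread; the rest
# are other Windows-executable types a hypothetical gateway policy would
# block the same way (assumption for this example, not from the thread).
BLOCKED_EXTENSIONS = {"bat", "pif", "scr", "exe", "com", "cmd", "vbs"}


def is_blocked_filename(name):
    """Return the blocked extension if `name` ends in one, else None.

    Case-insensitive, and trailing dots/spaces are stripped first so that
    "update.scr ." is still treated as a .scr file.
    """
    cleaned = name.strip().rstrip(". ").lower()
    if "." not in cleaned:
        return None
    ext = cleaned.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(raw):
    """Parse a raw RFC 822 message (bytes) and return a list of
    (filename, extension) tuples for attachments the policy would quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not an attachment
        name = part.get_filename()
        if name is None:
            continue  # inline body text, no filename
        ext = is_blocked_filename(name)
        if ext:
            hits.append((name, ext))
    return hits


def build_sample():
    """Constructed sample: a Yaha-style mail carrying one double-extension
    executable and one genuinely harmless .htm attachment."""
    m = EmailMessage()
    m["From"] = "andre@example.invalid"      # constructed sender
    m["To"] = "list@example.invalid"
    m["Subject"] = "Fw: friends"
    m.set_content("see attached")
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename="friends4u.htm.pif")
    m.add_attachment("<html></html>", subtype="html", filename="notes.htm")
    return m.as_bytes()


if __name__ == "__main__":
    for name, ext in scan_message(build_sample()):
        print(f"quarantine: {name} (final extension .{ext})")
```

Running the module prints one quarantine line for friends4u.htm.pif and nothing for notes.htm, which is the behaviour Mark's filter needs: the decision is made on the last extension a Windows client would execute, not on what a user with hidden extensions sees.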

Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
