RealTime IT News

Return of the Yaha Worm

E-mail security firms are warning that a variant of the Yaha.M mass-mailing virus is again circulating, urging administrators to block attachments ending with ".scr," ".exe" and ".com" at the firewall level to keep the worm at bay.
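The gateway filter the vendors recommend above can be expressed in a few dozen lines. The following is an added example, not code from the article or from any vendor it names: it parses a raw MIME message with Python's standard `email` package and lists attachments whose filename ends in one of the blocked extensions, so a mail gateway could quarantine the message before it reaches a mailbox. The sample message, the `example.invalid` addresses and the helper names (`blocked_attachments`, `is_blocked`) are constructed for illustration. It goes slightly beyond the article by also catching upper-case and double extensions such as `photo.TXT.scr`, which mass-mailers commonly use to disguise executables.

```python
"""Mail-gateway attachment filter for the block-by-extension mitigation.

Added example, not code from the article. Inspects a MIME message and
reports attachments whose filename ends in a blocked extension so the
message can be quarantined at the gateway.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Extensions the article says administrators were urged to block.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".com"}


def attachment_name(part) -> Optional[str]:
    """Return the declared filename of a MIME part, or None if it has none.

    Falls back to the Content-Type 'name' parameter, which some mailers
    use instead of the Content-Disposition 'filename' parameter.
    """
    name = part.get_filename()
    if name is None:
        name = part.get_param("name")
    return name


def is_blocked(filename: str) -> bool:
    """True if the filename ends in a blocked extension.

    Matching is case-insensitive and ignores surrounding whitespace, so
    'PHOTO.SCR' and 'photo.txt.scr  ' are both caught.
    """
    cleaned = filename.strip().lower()
    return any(cleaned.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 5322 message and list attachment names to block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = attachment_name(part)
        if name and is_blocked(name):
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Build a constructed sample message (not a real worm sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    # A benign document, which the filter should let through.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # An executable disguised with a double extension and mixed case.
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="photo.TXT.scr")
    return bytes(msg)


if __name__ == "__main__":
    for name in blocked_attachments(build_sample_message()):
        print("would quarantine attachment:", name)
```

A real deployment would apply this check before delivery and log the sender, recipient and attachment name for the incident team; matching on the declared filename alone is cheap but not sufficient on its own, so gateways usually pair it with content inspection of the attachment bytes.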

MessageLabs slapped a "High Risk" rating on the new Yaha.M-mm worm, which was discovered over the holidays and has been wreaking havoc on e-mail around the world. To date, MessageLabs has intercepted 36,033 copies of the virus in more than 100 countries.

McAfee has also upped its rating on the new Yaha variant, which propagates via e-mail using its own built-in SMTP engine. The worm terminates specific anti-virus and security-related processes if they are running, and contains code to deliver a denial-of-service attack against a remote machine whose address is hard-coded within the worm, the company warned.

McAfee warned that the virus is capable of terminating the virus scan programs before any scanning/removal can be done and recommended that infected users use the Stinger removal tool to disinfect systems.

In an advisory, anti-virus firm F-Secure also upgraded the new worm -- dubbed Yaha.K -- and warned that the worm looks for e-mail addresses in the Windows Address Book, in the cache folders of .NET and MSN Messenger and in Yahoo Messenger profile folders. The company said the worm then sends itself to all the addresses it finds, composing several different types of e-mail with varying messages, subjects, bodies and attachment names.

F-Secure noted that the worm can change the default Internet Explorer startup page to point to one of several sites owned by hacking groups. Yaha.K also tries to create a denial-of-service attack on the infopak.gov.pk Web site.

To disinfect a system, F-Secure said three worm files must be deleted and a registry fix applied.