Return of the Yaha Worm

E-mail security firms are warning that a variant of the Yaha.M mass-mailing
virus is again circulating, urging administrators to block attachments
ending with “.scr,” “.exe” and “.com” at the firewall level to keep the worm
at bay.

MessageLabs slapped a “High Risk” rating on the new Yaha.M-mm
worm, which was discovered over the holidays and has been wreaking havoc on
e-mail around the world. To date, MessageLabs has intercepted
36,033 copies of the virus in more than 100 countries.

McAfee has also upped its rating on the new Yaha variant, which
propagates via e-mail using its own built-in SMTP engine. The worm terminates
specific processes if they are running (AV/security related), and contains
code to deliver a denial-of-service attack against a remote machine (the
target is hard-coded within the worm), the company warned.

McAfee warned that the virus is capable of terminating the virus scan
programs before any scanning/removal can be done and recommended that
infected users use the Stinger removal tool to disinfect systems.

In an advisory, anti-virus firm F-Secure also upgraded the new worm — dubbed
Yaha.K — and warned that the worm looks for e-mail addresses in Windows
Address Book, cache folders of .NET and MSN messengers and in Yahoo Messenger
profile folders. The company said the worm then sends itself to all e-mail
addresses and composes several different types of e-mails with different
messages, subjects, bodies and attachment names.

F-Secure noted that the worm can change the default Internet Explorer
startup page to point to one of several sites owned by hacking groups.
Yaha.K also tries to create a denial-of-service attack on the
infopak.gov.pk Web site.

To disinfect a system, F-Secure said three worm files must be
deleted and a registry fix applied.
