Yaha Virus. (General Discussion)


brock

Aug 26, 2002, 7:11pm
Hello. I am speaking about the recent yaha virus that has been spreading
like wildfire through activeworlds users. After trying Symantec's Norton
Antivirus and McAfee's Antivirus program I have deemed it is impossible to
delete this virus. Therefore I believe we may be dealing with a different
variable or something of the sort, because the scanners can detect the
virus, but can not repair it. If anyone has any suggestions or comments on
what to do please tell me.

-Brock 308723

brock

Aug 26, 2002, 7:15pm
Additional Note:

After using McAfee and Norton's fix tools, the tools seem to say they cannot
find the virus on my machine, and after reinstalling Norton it still can't.
I'll probably end up formatting my hard drive soon.

agent1

Aug 26, 2002, 7:40pm
Description and removal instructions:
http://vil.mcafee.com/dispVirus.asp?virus_k=99528

-Agent1


brock

Aug 26, 2002, 8:01pm
Tried it, didn't work

brock

Aug 26, 2002, 8:02pm
Plus I don't have any of the virus symptoms

maki

Aug 26, 2002, 8:03pm
Then maybe it's not that virus.. ;-)


maki www.awmaki.com



brock

Aug 26, 2002, 8:05pm
Norton and McAfee detect it as that virus.

bowen

Aug 26, 2002, 8:08pm
No, you're simply receiving e-mails with the virus in it (that's why you get
constant pop ups if you have e-mail scanning on). It simply quarantines the
file, at least in my case. Sometimes it'll get spoofed by the virus trying
to send itself, don't worry no e-mail is infected. If you're on XP restart
in safe mode and do a scan as the admin so that you take no risk.

--Bowen--


agent1

Aug 26, 2002, 8:09pm
Detect what? If they're just warning you that a file has the virus in it,
you might not be infected. If you don't have any of the symptoms, you're not
infected.

-Agent1


anduin

Aug 26, 2002, 8:09pm
An identity claiming to be known as "brock" <Brock at iceflare.net> scribed the following <3d6a9998 at server1.Activeworlds.com>:

>Hello. I am speaking about the recent yaha virus that has been spreading
>like wildfire through activeworlds users. After trying Symantec's Norton
>Antivirus and McAfee's Antivirus program I have deemed it is impossible to
>delete this virus. Therefore I believe we may be dealing with a different
>variable or something of the sort, because the scanners can detect the
>virus, but can not repair it. If anyone has any suggestions or comments on
>what to do please tell me.

Alias: W32/Lentin.A@MM, W32/Valscr.A@mm, WORM_YAHA, Win32/Yaha.Worm
Category: Win32
Type: Worm
Wild:
Destructiveness:
Pervasiveness:


CHARACTERISTICS
Win32.Yaha is an e-mail worm which spreads using SMTP.

The worm arrives attached to an e-mail with the following Subject:

Fw: Melt the Heart of your Valentine with this beautiful Screen saver

The message attachment is always called "valentin.scr". It is 20,992 bytes
in size.

When executed, the worm searches the registry keys contained within:

"Software\Microsoft\Internet Account Manager\Accounts"

for an SMTP Server, From Address and Display Name. This information is used by the worm when performing its mass-mailing routine.

If a valid SMTP server is not found, one is selected from a predefined
list contained within the worm.

The worm tries to send an e-mail to all e-mail addresses contained within
the Windows Address Book, defined by the registry key:

"Software\Microsoft\WAB\WAB4\Wab File Name"

This file is copied to %Windows%\www.dll
All e-mail addresses extracted from this address book are then stored in
%Windows%\screendback.dll

It also searches html files contained within the Internet Cache Folders
for e-mail addresses to send to. These e-mail addresses are stored in the
file "%Windows%\screend.dll"

The worm makes two copies of itself in the following locations:
"c:\recycled\msmdm.exe"
"c:\recycled\msscra.exe"

The worm also sets the registry key:

"HKLM\Software\Classes\exefile\shell\open\command" with the value "c:\recycled\msmdm %1 %*"

----------------

If you've deleted the 2 exe files and fixed up the registry key, maybe that helps. Also make sure there's nothing that loads upon starting up the PC...

,,,,,
(o o)
/--------------ooO--(_)--Ooo--------------\
| Anduin (317281) |
| o The Gorean Scribe |
| o http://www.anduin-lothario.com |
| o World: GorSJ (18+ Only) |
\--------------ooO-------Ooo--------------/
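The indicators listed in the description above can be checked mechanically, which also answers whether a scanner alert means the machine itself is infected. This is an added example, not part of the thread or of any vendor tool; `check_snapshot`, the `c:\windows` default and the sample snapshots are assumptions made for illustration.

```python
import ntpath

# Indicators from the worm description quoted in the post above.
WORM_COPIES = [r"c:\recycled\msmdm.exe", r"c:\recycled\msscra.exe"]
DATA_FILES = [r"%Windows%\www.dll", r"%Windows%\screendback.dll",
              r"%Windows%\screend.dll"]
EXEFILE_KEY = r"HKLM\Software\Classes\exefile\shell\open\command"
DEFAULT_EXEFILE_CMD = '"%1" %*'  # stock Windows value for this key


def _norm(path, windir):
    # Windows paths are case-insensitive; expand the %Windows% placeholder.
    return ntpath.normcase(path.replace("%Windows%", windir))


def check_snapshot(files, exefile_cmd, windir=r"c:\windows"):
    """Compare a host snapshot with the indicators; return ordered actions."""
    present = {_norm(f, windir) for f in files}
    actions = []
    # Registry first: while the handler points at msmdm, every .exe launch
    # goes through the worm, and deleting msmdm.exe first breaks .exe launching.
    if exefile_cmd.strip() != DEFAULT_EXEFILE_CMD:
        actions.append(("restore", EXEFILE_KEY, DEFAULT_EXEFILE_CMD))
    for ioc in WORM_COPIES + DATA_FILES:
        if _norm(ioc, windir) in present:
            actions.append(("delete", ioc, None))
    return actions


# Constructed sample snapshots (not taken from any real machine).
INFECTED = check_snapshot(
    [r"C:\RECYCLED\MSMDM.EXE", r"c:\recycled\msscra.exe",
     r"C:\WINDOWS\screend.dll", r"C:\WINDOWS\notepad.exe"],
    r"c:\recycled\msmdm %1 %*")
MAIL_ONLY = check_snapshot([r"C:\WINDOWS\notepad.exe"], '"%1" %*')

if __name__ == "__main__":
    for action in INFECTED:
        print(action)
    print("mail-only host:", MAIL_ONLY or "no indicators")
```

An empty result corresponds to the case discussed earlier in the thread, where the scanner is only flagging incoming mail.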

kah

Aug 27, 2002, 3:22pm
"agent1" <Agent1 at ShatteredPlatters.com> wrote in
news:3d6aa70f$1 at server1.Activeworlds.com:

> Detect what? If they're just warning you that a file has the virus in
> it, you might not be infected. If you don't have any of the symptoms,
> you're not infected.

Yeah, one has to remember that the virus program actually has to be
*EXECUTED*. In this case, you have to run the screensaver for it to do
anything. You can also have viruses stashed away on your disk without
knowing it, and without being in danger as long as the host files aren't
executed. (I had the PE.CIH virus laying around for years)

KAH

bowen

Aug 27, 2002, 4:15pm
Sometimes concerning E-mails they can self execute their attachments. So it's not always the "safe" bet. The e-mail that
contained the yaha virus that was sent to me kept trying to self execute itself.

--Bowen--


brock

Aug 27, 2002, 6:42pm
CIH Isn't that the Chernobyl virus?

bowen

Aug 27, 2002, 6:54pm
I think it is, yes.

--Bowen--

kah

Aug 28, 2002, 11:25am
"brock" <Brock at iceflare.net> wrote in
news:3d6be42f at server1.Activeworlds.com:

> CIH Isn't that the Chernobyl virus?

Yup, one of the more destructive viruses the last few years.

KAH

kah

Aug 28, 2002, 11:27am
"bowen" <thisguyrules at 7k2.4mg.com> wrote in
news:3d6bc1c7$1 at server1.Activeworlds.com:

> Sometimes concerning E-mails they can self execute their attachments.
> So it's not always the "safe" bet. The e-mail that contained the
> yaha virus that was sent to me kept trying to self execute itself.

A bug in unpatched OE/Outlook versions allowed for this to happen. It works
by setting the attachment's MIME-type as a sound file (wav or midi) which
OE has fun executing. After a few viruses that used this vulnerability
Microshaft released some patches for it.

KAH
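The mismatch described in the post above, an attachment declared as a sound file but named like a program, is something a mail filter can flag. This is an added example, not part of the thread; the function name, the extension list and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
import ntpath

# Extensions Windows treats as programs (list is an assumption of this example).
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".bat", ".com"}


def disguised_attachments(raw_message):
    """Return (filename, declared type) for audio/* parts named like programs."""
    hits = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()  # Content-Disposition, else Content-Type name
        if not name:
            continue
        ext = ntpath.splitext(name)[1].lower()
        if part.get_content_maintype() == "audio" and ext in EXECUTABLE_EXT:
            hits.append((name, part.get_content_type()))
    return hits


# Constructed sample message; the attachment bodies are placeholder bytes.
SAMPLE = "\n".join([
    "Subject: Fw: Melt the Heart of your Valentine with this beautiful Screen saver",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: audio/x-wav; name="valentin.scr"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="valentin.scr"',
    "",
    "AAAA",
    "--b1",
    'Content-Type: audio/x-wav; name="chime.wav"',
    'Content-Disposition: attachment; filename="chime.wav"',
    "",
    "AAAA",
    "--b1--",
    "",
])

if __name__ == "__main__":
    print(disguised_attachments(SAMPLE))
```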
