[Cumbria] Uniras briefing

cumbria@mailman.lug.org.uk
Mon Dec 30 14:50:01 2002


All,
I receive these as part of work. This is the sort of thing MS users get, so those
'dual boot' people might want to take note.  If there is interest I'll keep posting these briefings...

UNIRAS (UK Govt CERT) Briefing Notice - 472/02 dated 30.12.02  Time: 11:07
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
-----------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk
  and Information about NISCC is available from www.niscc.gov.uk
-----------------------------------------------------------------------

Title
=====
Malicious Software Report - Yaha.K (aka Yaha.M by some AVS suppliers)

Comment
=======

A new variant of Yaha has been monitored over the Xmas period. 
Antivirus software suppliers (AVS) currently still rate it as a LOW 
threat and most have patches available.

The rate of infection is comparatively low but there are increasing 
numbers of reports to AVS suppliers as personnel return to work 
after the holiday period. 
More reports will almost certainly follow in the New Year.

Useful URLs:

http://www.messagelabs.co.uk/viruseye/
http://vil.nai.com/vil/content/v_99918.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.k@mm.html
http://www.sophos.co.uk/virusinfo/analyses/w32yahak.html
http://www.europe.f-secure.com/v-descs/yaha_m.shtml
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_YAHA.K

-----------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by telephone 
or Not Protectively Marked information may be sent via EMail to:

uniras@niscc.gov.uk
Tel: 020 7821 1330 Ext 4511
Fax: 020 7821 1686


-----------------------------------------------------------------------
This Briefing contains the information released by the original author. 
Some of the information may have changed since it was released. 
If the vulnerability affects you, it may be prudent to retrieve the 
advisory from the canonical site to ensure that you receive the most 
current information concerning that problem.

Reference to any specific commercial product, process, 
or service by trade name, trademark manufacturer, or otherwise, 
does not constitute or imply its endorsement, recommendation, 
or favouring by UNIRAS or NISCC.  
The views and opinions of authors expressed within this notice 
shall not be used for advertising or product endorsement purposes.

Neither UNIRAS nor NISCC accepts responsibility for any errors
or omissions contained within this briefing notice. In particular,
they shall not be liable for any loss or damage whatsoever, arising from
or in connection with the use of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response Teams
(IRTs) in order to foster cooperation and coordination in incident prevention,
to prompt rapid reaction to incidents, and to promote information sharing
amongst its members and the community at large.
-----------------------------------------------------------------------
<End of UNIRAS Briefing>


W32/Yaha-K creates three files in your system folder: 
WinServices.exe, nav32_loader.exe and tcpsvc32.exe. 
All these are exact copies of the worm. 

W32/Yaha-K adds the following values to your registry, 
setting them to run the WinServices.exe file whenever you 
boot up or log on to the network: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices
="%SYSFOLDER%\WinServices.exe" 

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices
="%SYSFOLDER%\WinServices.exe" 

W32/Yaha-K also sets

HKCR\exefile\shell\open\command\(Default)
=""%SYSFOLDER%\nav32_loader.exe" "%1" %*"

where the stock value of this entry is simply "%1" %*.

This means that W32/Yaha-K is executed whenever you launch an EXE (program file).
It also dictates the clean-up order: if nav32_loader.exe is removed before
this value is restored, Windows can no longer start any EXE, REGEDIT included.

Once executed, W32/Yaha-K stays resident in memory as a process which is not 
visible in the task list. 
The worm takes active measures against anti-virus software, including: 

* automatically resetting its "exefile" association if you edit the registry
* actively terminating a range of anti-virus, firewall and internet service programs
* actively terminating REGEDIT 

Like other Yaha variants (e.g. W32/Yaha-A), the worm sends out emails 
containing copies of itself. These emails have a range of subject lines, 
attachment names, sender addresses and body texts, using a mixture of topics 
relating to hacking, love, hate and porn.
--
Trevor 'hell for leather' Pearson
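
As an added example (my own script, not part of the UNIRAS briefing or of the AV write-up quoted above): a small Python checker that reads a Windows registry export in .reg text form and flags the persistence entries the write-up describes, namely Run/RunServices values pointing at WinServices.exe, nav32_loader.exe or tcpsvc32.exe, and an exefile\shell\open\command default that is anything other than the stock "%1" %*. The two .reg exports embedded in the script are constructed for illustration, with %SYSFOLDER% shown expanded to C:\WINNT\System32; the parser handles only string (REG_SZ) values, which is all these indicators need.

```python
r"""Added example, not part of the UNIRAS briefing or the AV write-up:
scan a Windows registry export (.reg text) for the W32/Yaha-K persistence
entries described above. The two .reg exports below are constructed for
illustration; %SYSFOLDER% is shown expanded to C:\WINNT\System32."""
import re

# File names the write-up says the worm drops in the system folder.
YAHA_DROPPED_FILES = {"winservices.exe", "nav32_loader.exe", "tcpsvc32.exe"}

# Stock data of HKCR\exefile\shell\open\command on an unmodified system.
STOCK_EXEFILE_COMMAND = '"%1" %*'

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"


def parse_reg(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.

    Only REG_SZ values ("name"="data" and @="data") are handled, which is
    all these indicators need; hex:/dword: values are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg string data escapes backslash and quote with a backslash
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            else:
                continue  # not a string value; ignore it
            keys[current][name] = data
    return keys


def find_yaha_indicators(text):
    """Return human-readable findings for the persistence entries above."""
    findings = []
    keys = {k.lower(): v for k, v in parse_reg(text).items()}

    # 1. Run / RunServices values whose target is one of the dropped files.
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            exe = re.split(r"[\\/]", data.strip('"'))[-1].lower()
            if exe in YAHA_DROPPED_FILES:
                findings.append(f"{key}\\{name} = {data}")

    # 2. The EXE file-association hijack: anything but the stock handler.
    cmd = keys.get(EXEFILE_KEY.lower(), {}).get("(Default)")
    if cmd is not None and cmd.strip() != STOCK_EXEFILE_COMMAND:
        findings.append(f"{EXEFILE_KEY}\\(Default) hijacked: {cmd}")
    return findings


# Constructed export from an infected host (illustrative, not a real capture).
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Winservices"="C:\\WINNT\\System32\\WinServices.exe"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Winservices"="C:\\WINNT\\System32\\WinServices.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINNT\\System32\\nav32_loader.exe\" \"%1\" %*"
'''

# Constructed export from a clean host: stock exefile handler, no autoruns.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG), ("clean", CLEAN_REG)):
        print(f"{label}: {find_yaha_indicators(export) or 'no indicators'}")
```

On a real host the export would come from `reg export <key> file.reg` (modern reg.exe writes the file as UTF-16, so open it with encoding="utf-16") or from the registry hives of an offline disk image; the latter is the safer route here, since the write-up says the running worm kills REGEDIT and resets the exefile value whenever it is edited.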