
Yaha.K worm

Discussion in 'Security and Privacy' started by schamish, 2003/01/01.

Thread Status:
Not open for further replies.
  1. 2003/01/01
    schamish (Thread Starter)
    got a panic phone call this evening from a friend who contracted this lovely ? worm by opening a "screensaver". It is somewhat evil. It disabled Norton Antivirus. Norton had limited information, no specialized tools for removal. The advice from Dell to the owner was to run HouseCall, which found infected files galore.
    Symantec did have a long detailed list of instructions. However the worm had disabled regedit. It would not allow you to update the Norton virus list. However a search on the Symantec database earlier this evening turned up nothing.
    Doing a Google search on "Yaha.K worm", the main issues seemed to be a discussion by European users on the slow, unremarkable response of Symantec to this threat.
    One wonders if the timing, close to New Year's Day with holidays at the anti-virus firms, is on purpose. However this article from the B.B.C. says the virus appeared Dec 21 in Kuwait.
    There was a popup of a specific removal tool for a fee.
    McAfee and eTrust both have the worm written into their lists. However McAfee will not install if you have Norton installed. And guess what, the uninstall of Norton is blocked. Ditto on downloading eTrust from their site. Even if you installed eTrust by disc, how would you update for the threat?
    When you attempted to follow Symantec's long list of instructions (rather intimidating) regedit would pop up and then disappear.
    Symantec has now responded with a removal tool and updated virus definitions in the last few hours.
    The expert was of course my 13 year old son, who was rather impressed with the expertise and thoroughness of the culprit who wrote this worm.
    Tomorrow he is going to reformat and reinstall Windows XP et al.


    Tuesday, 31 December, 2002, 14:45 GMT
    New e-mail virus spreading

    Worm can compromise a computer's security settings

    Computer users are being warned about a new virus which is spreading via e-mail.

    The virus, called Yaha.K, is a mass mailing worm affecting computers running Windows which first appeared on 21 December and was first noticed in Kuwait.

    There was one specific removal tool at a fee available. McAfee and eTrust had both written and dealt

    Since then it has spread quickly, leading the anti-virus firm F-Secure to give it their second highest danger rating.

    People are being advised not to open any e-mails which have attachments ending with .scr, .exe and .com.

    'I Love You'

    Yaha.K is a new version of the Yaha worm which first appeared in February.

    It is relatively harmless, compared to more destructive viruses.

    It can compromise a computer's security settings by stopping anti-virus programs and shutting down firewalls.

    The new variant looks for e-mail addresses in Windows Address Book and sends itself to all the addresses it finds.

    In an attempt to trick people, the virus composes several different types of e-mails, using subject lines such as I Love You, Patch for Klez.H and Free Demo Game.

    Growing threat

    MessageLabs, which scans e-mail messages for viruses, said it first detected the worm in Kuwait.

    It has now been spotted in 96 countries, predominantly in the UK and the Netherlands.

    Overall the company has blocked 21,295 copies of the worm so far.

    E-mail viruses have plagued computer users throughout the year. Figures from MessageLabs show that one in every 212 e-mails contained a virus in 2002.

    This reflects a big increase on previous years. In 2001, MessageLabs stopped an average of one in every 380 e-mails, while in 2000 the figure was as low as one in every 790.

    Summary of Symantec action within the last few hours:

    Revision History:

    December 30, 2002. Upgraded from Category 2 to Category 3 based on an increased rate of submissions.
    December 31, 2002. Added link

    Link for Symantec on W32.Yaha.J@mm.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.k@mm.html

    :(
  2. 2003/01/01
    Rod
    Both of the following threads discuss this virus and fixes at some length.

    System Restore Help

    Possible Virus???

    Hopefully you can find something in one of them that will help, so that the reformat isn't necessary.

    Happy New Year!

  4. 2003/01/06
    schamish (Thread Starter)
    Further to Yaha.K

    Latest email worm causes confusion among vendors
    January 3 2003

    The new strain of the Yaha email worm, which put in an appearance in the last week of December, has caused some confusion among anti-virus software makers due to the naming conventions adopted by the industry.

    According to MessageLabs, the appearance of several variants of Yaha had meant that a name like Yaha.C could well refer to two different variants, depending on the company which assigned the nomenclature.

    "One vendor may discover a new variant, and assign it the letter C. Meanwhile, a different anti-virus vendor may discover a different new variant, and also assign it the letter C," the company said.

    "These two companies would then get in touch with researchers from other companies, with the possible result that half of the anti-virus companies in the world call one variant .C, and the other half call a different variant .C."

    This happened because there was no central coordination mechanism freely available to all anti-virus companies; even if there were, time differences would ensure the problem remained.

    MessageLabs Australian representative Paul McRae said in keeping with others, the company had renamed the latest Yaha variant as Yaha.K.

    He said confusion in naming was compounded by virus writers using different packing mechanisms to make their malware difficult to detect.

    "Owing to the relative volumes currently being intercepted, MessageLabs regards Yaha.K and its various strains as not as big a threat as other viruses we have seen in recent times, such as Klez.H and Bugbear," he said.

    "However, it has been observed that Yaha.K attempts to disable security software such as anti-virus programs, so if your machine becomes infected, it is effectively wide open, and you would need a specialised program to remove it. "

    www.theage.com.au/articles/2003/01/03/1041196774552.html

  5. 2003/01/06
    markp62
    There is a workaround to get regedit.exe working. One would be to rename it to regedit.com or copy it to aname.com, using DOS. The name makes no difference; it runs regardless.
    Just type this at the prompt:
    cd\windows
    copy regedit.exe aname.com
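    As an added illustration of why the copy-under-another-name workaround works (example code written for this page, not code from the thread, from the worm, or from any vendor write-up): the thread describes regedit closing the moment it opens while a copy saved as aname.com runs fine, which is exactly what a loop that terminates processes by image name would produce. The script below models such a loop in Python against a constructed process table. The blocklist entries, paths and file contents are all made up for the example (only regedit.exe is named by the thread, "antivirus.exe" is a placeholder), and the hash-based variant is included to show the caveat that a killer matching on file contents rather than on the file name would not be fooled by the rename.

```python
"""Why copying regedit.exe to another name defeats a name-based process killer.

Added example for this thread, not code from the original posts. The
process table, the blocklist and the file contents below are constructed
for illustration and are not taken from any analysis of Yaha.K.
"""
from hashlib import sha256
from pathlib import PureWindowsPath

# Constructed blocklist of image names a killer loop might target.
# Only regedit.exe is named by the thread; antivirus.exe is a placeholder.
KILL_LIST = {"regedit.exe", "antivirus.exe"}

# Constructed stand-ins for file contents (not real executables).
REGEDIT_BYTES = b"MZ...constructed stand-in for the regedit.exe image..."
AV_BYTES = b"MZ...constructed stand-in for an anti-virus image..."
EXPLORER_BYTES = b"MZ...constructed stand-in for explorer.exe..."

# Constructed process table: (pid, full image path, bytes of the image on disk).
# pid 1312 is the same bytes as regedit.exe under a new name,
# i.e. the result of:  copy regedit.exe aname.com
PROCESSES = [
    (1208, r"C:\WINDOWS\regedit.exe", REGEDIT_BYTES),
    (1312, r"C:\WINDOWS\aname.com", REGEDIT_BYTES),
    (1400, r"C:\Program Files\AV\antivirus.exe", AV_BYTES),
    (1504, r"C:\WINDOWS\explorer.exe", EXPLORER_BYTES),
]


def image_digest(image):
    """SHA-256 of an image's bytes, used by the content-matching model."""
    return sha256(image).hexdigest()


def kill_by_image_name(processes, kill_list):
    """Model of a name-matching killer: returns the pids it would terminate.

    Matching is on the basename of the image path, case-insensitively, so
    regedit.exe dies but the identical bytes running as aname.com survive.
    """
    return sorted(
        pid for pid, path, _ in processes
        if PureWindowsPath(path).name.lower() in kill_list
    )


def kill_by_image_hash(processes, known_hashes):
    """Model of a content-matching killer: the rename buys nothing here."""
    return sorted(
        pid for pid, _, image in processes
        if image_digest(image) in known_hashes
    )


def survivors(processes, killed):
    """Image paths still running after the given pids were terminated."""
    return sorted(path for pid, path, _ in processes if pid not in killed)


if __name__ == "__main__":
    killed = kill_by_image_name(PROCESSES, KILL_LIST)
    print("name-based killer terminates pids:", killed)
    print("still running:", survivors(PROCESSES, killed))
    targets = {image_digest(REGEDIT_BYTES), image_digest(AV_BYTES)}
    print("hash-based killer terminates pids:", kill_by_image_hash(PROCESSES, targets))
```

    Run stand-alone, the name-based model terminates regedit.exe and the placeholder antivirus.exe but leaves aname.com running, which matches what markp62 reports. The hash-based model terminates both copies of regedit, so the rename is a workaround against this particular matching logic only; a worm that identified its targets by file contents, window title or some other property would need a different approach.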
  6. 2003/01/06
    Daizy
    removal tool

    Wouldn't it be wonderful if everyone would just keep their virus definitions up to date?

    I've been fending a good dozen a day of these off. It's getting tedious. :eek:

    Daizy

  7. 2003/01/06
    Rod
    Daizy:

    For those who were hit by this particular virus early, the virus definition was not contained within the most recent update, so even though a person may have had their definitions up to date the virus was still able to come in undetected. As a matter of fact Symantec did not include this virus in their definitions for several days after the initial outbreak because of the manner in which they make their live updates available. Though in their defense they did have the virus definitions available for manual download shortly after the discovery, most people either do not do their updates this way or do not know that it is available.

    In a perfect world those who sit around dreaming up these little gifts would put their talents to more constructive use.

    :)

  8. 2003/01/06
    schamish (Thread Starter)
    Symantec response

    Just out of interest, when I received the panic phone call from my friend with the rampant Yaha.K virus the only thing on the web was mainly European complaints regarding Symantec's slow response.
    Symantec did have a tech note but it was a rather advanced procedure. No stand-alone tool.
    There was a commercial removal tool ($29.95 I believe).
    McAfee did have the virus incorporated in their list. eTrust did too.
    However the virus (or worm) would not allow the user to update their virus list or even remove an antivirus program to install another antivirus program (McAfee will not allow you to install their antivirus program unless you remove Norton).
    4 hours later Symantec, to their credit, had 5 tech notes and a removal tool.
    The virus was first discovered in Kuwait Dec 21.
    However one wonders whether the developer released the product at this time because the firms are on vacation or skeleton staff, or worse, on New Year's Eve, or whether it was a test of response time.
    As they say, you have to give the guy credit for being thorough.
    :eek: