Home / malware Win32.Yahaa.D@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Yahaa.D@mm is also known as W32/Yaha-D.
Explanation :
It arrives in the following format:
Subject:
Randomly selected from the following list:
searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time.
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worry
Ur My Best Friend
Say 'I Like You'
To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
How are you
U r the person?
Hi
U realy Want this
Romantic
humour
New
Wonderfool
Excite
Cool
Charming
Idiot
Nice
Bullshit
One
Funny
Great
Love
Gangs
Shaking
Powful
Joke
Interesting
Interesting
Screensaver
Friendship
Love
Relations
stuff
Body:
Hi
Dear
Check the attach
See u
OR
Check
the attachment too..
OR
Hi Dear
Check the Attachement ..
See u
[sender's address]
----- Original Message -----
From: "Friendship" < friendshipscr@love.com >
To: [the sender's address]
Sent: Friday, May 11, 2002 8:38 PM
Subject: The world of Friendship :-)
This e-mail is never sent
unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.love.com to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.
To remove yourself from this mailing list, point your browser to:
http://love.com/remove?freescreensaver
* Enter your email address < sender's address > in the field provided
and click
"Unsubscribe".
Attachment:
One of the following names:
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
fucker
with double extension,
first one chosen from the following list:
DOC
MP3
XLS
WAV
TXT
JPG
GIF
DAT
BMP
HTM
MPG
MDB
ZIP
And the second one chosen from:
PIF
BAT
SCR
The worm uses the Iframe exploit so if the e-mail client is not properly patched it will execute itself at preview.
After executing the attachment the worm verifies if it was run from Recycled folder. If not it will display some animated strings acting as a screen saver:
It copies itself in C:Recycled (or C:
ecycler) with a 4 character random generated file name and it will add a key in registry so it will be executed every time user starts an exe file:
HKEY_CLASSES_ROOTexefileshellopencommand
Default
with value C:Recycledxxxx.exe %1 %*, where xxxx is the random generated file name.
Then it will try to disable the following security programs:
ZONEALARM
AVP32
LOCKDOWN2000
AVP.EXE
CFINET32
CFINET
ICMON
SAFEWEB
WEBSCANX
ANTIVIR
MCAFEE
NORTON
NVC95
FP-WIN
IOMON98
PCCWIN98
F-PROT95
F-STOPW
PVIEW95
NAVWNT
NAVRUNR
NAVLU32
NAVAPSVC
NISUM
SYMPROXYSVC
RESCUE32
NISSERV
ATRACK
IAMAPP
LUCOMSERVER
LUALL
NMAIN
NAVW32
NAVAPW32
VSSTAT
VSHWIN32
AVSYNMGR
AVCONSOL
WEBTRAP
POP3TRAP
PCCMAIN
PCCIOMON
After that it will scan for e-mail addresses in Outlook Express, MSN Messenger, Yahoo Messenger, ICQ Messenger's address books, and in the Internet Cache folder and Internet History folder. If it finds any addresses it adds them to xxxxxxxx.dll file in Windows directory where xxxx is the random generated string from above. Also it will drop a file xxxx.txt in Windows directory where xxxx is the same string as above. This file contains a text written by the author.
Finally the worm checks to see if the host computer is connected to the Internet and if it is, it creates two different threads one for sending itself to all the e-mail addresses it collects and the other one to protect itself.
If user tries to configure the "screen saver" the following message box it will appear:Last update 21 November 2011
