F-Secure
Tools
Yaha.S
Summary
This Lentin (also known as Yaha) worm variant appeared on 16th of September 2003. It is an improved variant comparing to previous versions of the worm. Like its previous variants, this one spreads itself in e-mails, over LAN (local area network), kills tasks of certain programs, logs user's keyboard activities and performs DoS (Denial of Service) attacks on certain sites. The worm can also modify HTML pages on a webserver if it finds it on an infected computer. This variant was most likely a test version of the upcoming Yaha.T worm as some features in this variant were disabled and text strings were not encrypted.
Additional Details
The worm's file is a Windows PE executable 60688 bytes long compressed with FSG file compressor. The uncompressed worm's size is over 350 kilobytes.
Installation to system
When the worm's file is started, the worm copies itself as EXPLORERE.EXE to Windows System folder and creates a startup keys for this file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE"
Installation to system
When the worm's file is started, the worm copies itself as EXPLORERE.EXE to Windows System folder and creates a startup keys for this file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE"
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE" The worm also copies itself as EXELD32.EXE file to Windows System
folder and modifies the default EXE files startup key:- [HKCR\exefile\shell\open\command]
@ = "%WinSysDir%\EXELD32.EXE""%1"%*"
where '%WinSysDir%' is Windows System directory name. This way the worm's file is started every time when a user runs an EXE file. Both copied files have a hidden attribute, so they are not seen in Windows Explorer with default settings.
Additionally the worm copies itself as REGE32.EXE to Windows folder and modifies WIN.INI file to make the copied file start during Windows bootup stage. On NT-based systems the worm also writes the startup string into the Registry.
Finally the worm copies itself as MSREGSCANNER.EXE file to the following directory:
\Documents and Settings\All Users\Start Menu\Programs\Startup
This allows the worm's file to start when any user starts Windows.
Spreading in local network
The worm is capable of infecting computers over a local network. Being active, the worm enumerates shared network resources and if it finds the following directories there:
- WINDOWS
- WIN98
- WIN95
- WINNT
- WIN
- WINME
- WINXP
it copies as REGE32.EXE to these folders and modifies WIN.INI file there to make the copied file start during Windows bootup
stage. Also the worm copies itself as MSREGSCANNER.EXE file to the following directory on remote computers:
\Documents and Settings\All Users\Start Menu\Programs\Startup
This allows the worm's file to start when any user starts Windows on remote system.
Modifying webpages
If the worm finds a webserver (IIS - Internet Information Server) folders on an infected computer, it modifies its HTML pages. The worm looks for *.HTML and *.HTM files in the following folder:
\INETPUB\WWWROOT
and adds a small HTML code to the end of every found webpage, so that the following text is shown when that page is opened:
Ha..Ha..Haaa...
Each webpage may contain one or more string like that.
Keylogger
The worm drops a keylogging DLL from its body and activates it to record all keystrokes of an infected computer's user. The keystrokes are saved into a file that is located in a temporary folder. The worm periodically sends this file to 'keylogs20003@yahoo.com' address together with host name and IP address of an infected computer. The file is sent if it's size is over 30 kilobytes.
Spreading in e-mails
The worm spreads itself in e-mails. The e-mails have randomly selected subjects, body texts and attachment names. The infected e-mails have fake e-mail addresses in the sender field.
The worm uses the following list of names to construct a fake sender's e-mail address:
- Love Inc.
- Jericho
- Romantic Screensavers
- Trend Micro
- Norton Antivirus
- McAfee Inc.
- Jonathan
- Noopman
- The Rock
- britneyspears.org
- zporNstarS
- Lovers Screensavers
- Valentine Screensavers
- American Beauty
- John Vandervochich
- Ross Anderson
- Jasmine Stevens
- Ralph Jones
- Clark Steel
- Kyo Kusanagi
- Iori Yagami
- Terry Bogard
- Omega Rugal
- KOF Online
- Cathy Kindergarten
- Jaucques Antonio Barkinstein
- Romeo & Juliet
- Screensavers of Love
- Raveena Pusanova
- Zdenka Podkapova
- Jenna Jameson
- Club Jenna
- Veronica Anderson
- Benting
- Paul Owen
- admin@hackers.com
- admin@viruswriters.com
- admin@hackersclub.com
- Nicolas Schwarzeneggar
- Keanu Stevenson
- Nomadic Screensavers
- XXX Screensavers
- Hardcore Screensavers
- Playboy Inc.
- Plus 2
- Plus 6
- Real Inc.
- Sexy Screensavers
- Super Soccer
- Rocking Stone
- SQL Library
- Codeproject
- Klein Anderson
The worm uses the following list of e-mail addresses to construct a fake sender's e-mail address:
- loverscreensavers@love.com
- caijob@online.sh.cn
- romanticscreensavers@love.com
- av_patch@trendmicro.com
- av_patch@norton.com
- av_patch@mcafee.com
- cupid@freescreensavers.com
- yjworks@online.sh.cn
- samsun@online.sh.cn
- ericpan@online.com.pk
- therock@wwe.com
- newsletters@britneyspears.org
- admin@zpornstars.com
- screensavers@lovers.com
- valentinescreensavers@t2k.com
- luoairong@21cn.com
- hamada@seikosangyo.com
- lubing@7135.com
- zhouyuye@citiz.net
- admin@kofonline2.com
- cathy@21cn.com
- super@21cn.com
- DNA_seraph@163.com
- love@lovescreensavers.com
- ravs@go2pussy.com
- zdenka@zpornstars.com
- jenna@jennajameson.com
- admin@clubjenna.com
- services@tcsonline2.com
- btq@2632.com
- paul@kqscore2.com
- admin@hackers2.com
- admin@viruswriters.com
- admin@hackersclub2.com
- nics@noma.com
- kkn@k2k.comscreensavers@nomadic.com
- free@xxxscreensavers.com
- free@hardcorescreensavers.com
- sales@playboy.com
- plus@real.com
- sales@real.com
- free@sexyscreensavers.com
- marketing@suppersoccer.com
- stone@esterplaza.com
- me@me2K.com
- free@sql.library.com
- admin@codeproject2.com
- kl@aminoprojects.com
- The worm uses the following subject lines in the e-mails that it
- sends from an infected system:
- Sample Screensavers
- Project
- Free Screensavers 4 U
- Patch for Klez.H
- Patch for Elkern.gen
- Lovers Corner
- Things to note
- Wanna be friends ?
- Freak Out
- WWE Screensavers
- Free Screensavers
- Free XXX
- Free Screenavers of Love
- Who is your Valentine
- Are you beautiful
- Need money ??
- Wanna be friends ??
- Wanna be friends ??
- Free Demo Game
- Demo KOF 2002
- Play KOF 2002 4 Free
- Wanna Rumble ??
- Wanna Brawl ??
- The King of KOF
- Sample KOF 2002
- Wanna be friends ??
- Wanna Hack ??
- Feel the fragrance of Love
- Free Screensavers
- Free rAVs Screensavers
- XXX Screensavers
- Jenna 4 U
- Screensavers from Club Jenna
- Wanna be my sweetheart ??
- Whats up
- World Tour
- One Hacker's Love
- One Virus Writer's Story
- Visit us
- Wanna be a HE-MAN
- We want peace
- Free Screensavers 4 U
- XXX Screensavers 4 U
- Hardcore Screensavers 4 U
- Sample Playboy
- Check it out
- Sexy Screensavers 4 U
- Are you a Soccer Fan ?
- Wanna be like a stone ?
- I Love You..
- Learn SQL 4 Free
- Free Win32 API source
- Are you the BEST
The worm uses the following attachment names for its file when it sends itself in e-mails:
- Love.scr
- Project.exe
- Romantic.scr
- FixKlez.com
- FixElkern.com
- Cupid.scr
- Notes.exe
- MyPic.scr
- FreakOut.exe
- THEROCK.scr
- Britney_Sample.scr
- zXXX_BROWSER.exe
- Valentines_Day.scr
- Beautifull.scr
- Ways_To_Earn_Money.exe
- MyProfile.scr
- My_Sexy_Pic.scr
- KOF.exe
- King_of_Figthers.exe
- KOF2002.exe
- KOF_The_Game.exe
- KOF_Demo.exe
- KOF_Sample.exe
- KOF_Fighting.exe
- MyPic.scr
- Hacker.scr
- Romeo_Juliet.scr
- Free_Love_Screensavers.scr
- Ravs.scr
- zDenka.scr
- Jenna_Jemson.scr
- Sexy_Jenna.scr
- Sweetheart.scr
- up_life.scr
- World_Tour.scr
- Hacker_The_LoveStory.scr
- VXer_The_LoveStory.scr
- Services.scr
- Body_Building.scr
- Peace.scr
- Screensavers.scr
- xxx4Free.scr
- Hardcore4Free.scr
- Playboy.scr
- Plus2.scr
- Plus6.scr
- Real.scr
- Sex.scrSoccer.scr
- Stone.scr
- I_Love_You.scr
- SQL_4_Free.scr
- Codeproject.scr
- The_Best.scr
The worm uses the following texts in the bodies of e-mail messages that it sends out:
Hello,
The attached product is send as a part of our official campaign
for the popularity of our product.
You have been chosen to try a free fully functional sample of our
product.If you are satified then you can send it to your friends.
All you have to do is to install the software and register an account
with us using the links provided in the software. Then send this software
to your friends using your account ID and for each person who registers
with us through your account, we will pay you $1.5.Once your account reaches
the limit of $50, your payment will be send to your registration address by
check or draft. Please note that the registration process is completely free which means
by participating in this program you will only gain without loosing anything. Best Regards,
Admin,
or
Klez.H is the most common world-wide spreading worm.It's very
dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus
technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious
virus. You only need to run this tool once,and then Klez will never
come into your PC
or
Hello,
Looking for some Hardcore mind boggling action ?
Install the attached browser software and browse
across millions of paid hardcore sex sites for free.
Using the software you can safely and easily browse
across most of the hardcore XXX paid sites across the
internet for free. Using it you can also clean all
traces of your web browsing from your computer. Note:The attached browser software is made exclusivley
for demo only. You can use the software for a limited
time of 35 days after which you have to register it
at our official website for its furthur use. Regards,
Admin.
or
Hello,
I just came across your email ID while searching in the Yahoo profiles.
Actually I want a true friend 4 life with whom I can share my everything.
So if you are interested in being my friend 4 life then mail me. If you wanna know about me, attached is my profile along with some of my
pics. You can check and if you like it then do mail me.
I will be waiting for your mail. Best Wishes,
Your Friend..
or
<<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>> This E-Mail is never sent unsolicited. If you receive this
E-Mail then it is because you have subscribed to the official
newsletter at the KOF ONLINE website. King Of Fighters is one of the greatest action game ever made.
Now after the mind boggling sucess of KOF 2001 SNK proudly
presents to you KOF 2002 with 4 new charecters. Even though we need no publicity for our product but this
time we have decided to give away a fully functional trial
version of KOF 2002. So check out the attached trial version
of KOF 2002 and register at our official website to get a free
copy of KOF2002 original version Best Regards,
Admin,KOF ONLINE.. <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
The worm can also compose messages from from additional string data that is hardcoded in the worm's body.
The worm includes Iframe exploit into the infected messages to make the infected attachment run automatically when a recipient views a message. This exploit works only on older and unpatched versions of certain e-mail clients.
Killing tasks of various software
The worm terminates processes that have the following strings in their names:
- _AVP32
- _AVP32.EXE
- _AVPCC
- _AVPCC
- _AVPCC.EXE
- _AVPM.EXE
- AckWin32
- AckWin32
- ACKWIN32
- AckWin32.exe
- AckWin32.exe
- ACKWIN32.EXE
- ADVXDWIN
- ADVXDWIN.EXE
- agentw.exe
- ALERTSVC
- ALERTSVC.EXE
- ALOGSERV
- alogserv
- ALOGSERV
- alogserv.exe
- ALOGSERV.EXE
- AMON9X
- AMON9X.EXE
- ANTI-TROJAN
- ANTI-TROJAN.EXE
- ANTS.EXE
- APVXDWIN
- apvxdwin
- APVXDWIN.EXE
- apvxdwin.exe
- ATCON.EXE
- ATUPDATER
- ATUPDATER.EXE
- ATWATCH
- ATWATCH.EXE
- AUTODOWN
- AutoDown
- AUTODOWN
- AUTODOWN.exe
- AutoDown.exe
- AUTODOWN.EXE
- AutoTrace
- AutoTrace.exe
- AVCONSOL
- AVCONSOL.EXE
- AVGCC32
- AVGCC32
- AVGCC32.EXE
- AVGCC32.EXE
- AVGCTRL
- Avgctrl
- AVGCTRL.EXE
- Avgctrl.exe
- AvgServ
- AVGSERV
- AvgServ
- AVGSERV
- AVGSERV.EXE
- AVGSERV.EXE
- AVGSERV9
- AVGSERV9.EXE
- AVGW.EXE
- avkpop
- avkpop.exe
- AvkServ
- AvkServ.exe
- avkservice
- avkservice.exe
- avkwctl9
- avkwctl9.exe
- AVP.EXE
- AVP32.EXE
- avpm.exe
- AVPM.EXE
- Avsched32
- Avsched32.exe
- AvSynMgr
- AVSYNMGR
- AVSYNMGR
- AvSynMgr
- AVSYNMGR
- AVSYNMGR.exe
- AVWINNT
- AVWINNT.EXE
- AVXMONITOR9X
- AVXMONITOR9X
- AVXMONITOR9X.EXE
- AVXMONITOR9X.EXE
- AVXMONITORNT
- AVXMONITORNT
- AVXMONITORNT.EXE
- AVXMONITORNT.EXE
- AVXQUAR
- AVXQUAR
- AVXQUAR.EXE
- AVXQUAR.EXE.EXE
- AVXW.EXE
- blackd
- BLACKD
- blackd.exe
- BLACKD.EXE
- BlackICE
- BlackICE.exe
- CDP.EXE
- cfgWiz
- cfgWiz.exe
- Claw95
- Claw95
- CLAW95
- Claw95.exe
- Claw95.exe
- CLAW95.EXE
- Claw95cf
- CLAW95CF
- Claw95cf.exe
- CLAW95CF.EXE
- cleaner
- cleaner.EXE
- cleaner3
- cleaner3.EXE
- CMGRDIAN
- CMGrdian
- CMGRDIAN
- CMGRDIAN.EXE
- CONNECTIONMONITOR
- CONNECTIONMONITOR.EXE
- cpd.exe
- cpd.exe
- CPDClnt
- CPDCLNT.EXE
- CPDClnt.exe
- CTRL.EXE
- defalert
- defalert.exe
- defscangui
- defscangui.exe
- DEFWATCH
- DEFWATCH.EXE
- DOORS.EXE
- DOORS.EXE
- DVP95.EXE
- DVP95_0
- DVP95_0.EXE
- EFPEADM
- EFPEADM
- EFPEADM.exe
- EFPEADM.EXE
- ETRUSTCIPE
- ETRUSTCIPE
- ETRUSTCIPE.exe
- ETRUSTCIPE.EXE
- EVPN.exe
- EVPN.EXE
- EXPERT
- EXPERT.EXE
- F-AGNT95
- F-AGNT95.EXE
- fameh32
- fameh32.exe
- fch32.exe
- fih32.exe
- fnrb32
- fnrb32.exe
- F-PROT
- F-PROT.EXE
- F-PROT95
- F-PROT95.EXE
- FP-WIN
- FP-WIN.EXE
- FRW.EXE
- FRW.EXE
- fsaa.exe
- fsav32
- fsav32.exe
- fsgk32
- fsgk32.exe
- fsm32.exe
- fsma32
- fsma32.exe
- fsmb32
- fsmb32.exe
- f-stopw
- F-STOPW
- f-stopw.exe
- F-STOPW.EXE
- gbmenu
- gbmenu.exe
- GBPOLL
- gbpoll
- GBPOLL.EXE
- gbpoll.exe
- GENERICS
- GENERICS.EXE
- GUARD.EXE
- GUARD.EXE
- GUARDDOG
- GUARDDOG.EXE
- iamapp
- IAMAPP
- IAMAPP
- iamapp.exe
- IAMAPP.EXE
- IAMAPP.EXE
- iamserv
- IAMSERV
- iamserv.exe
- IAMSERV.EXE
- IAMSTATS
- IAMSTATS.EXE
- ICLOAD95
- ICLOAD95.EXE
- ICLOADNT
- ICLOADNT
- ICLOADNT.EXE
- ICLOADNT.EXE
- ICMON.EXE
- ICSUPP95
- ICSUPP95
- ICSUPP95.EXE
- ICSUPP95.EXE
- ICSUPPNT
- ICSUPPNT.EXE
- IFACE.EXE
- IOMON98
- IOMON98
- IOMON98.EXE
- IOMON98.EXE
- ISRV95
- ISRV95.EXE
- JEDI.EXE
- LDNETMON
- LDNETMON.EXE
- LDPROMENU
- LDPROMENU.EXE
- LDSCAN
- LDSCAN.EXE
- LOCKDOWN
- LOCKDOWN.EXE
- lockdown2000
- LOCKDOWN2000
- lockdown2000.exe
- LOCKDOWN2000.EXE
- LUALL.EXE
- LUCOMSERVER
- LUCOMSERVER.EXE
- LUSPT.exe
- MCAGENT
- MCAGENT.EXE
- MCMNHDLR
- MCMNHDLR.EXE
- Mcshield.exe
- MCTOOL
- MCTOOL.EXE
- MCUPDATE
- MCUPDATE.EXE
- MCVSRTE
- MCVSRTE.EXE
- MCVSSHLD
- MCVSSHLD.EXE
- MGAVRTCL
- MGAVRTCL.EXE
- MGAVRTE
- MGAVRTE.EXE
- MGHTML
- MGHTML.EXE
- MINILOG
- MINILOG.EXE
- Monitor
- MONITOR
- Monitor.exe
- MONITOR.EXE
- MOOLIVE
- MOOLIVE.EXE
- MPFAGENT.EXE
- MPFSERVICE
- MPFSERVICE.exe
- MPFTRAY.EXE
- MWATCH
- MWATCH
- MWATCH.EXE
- NAV Auto-Protect
- NAV Auto-Protect
- navapsvc
- navapsvc
- NAVAPSVC.EXE
- navapsvc.exe
- navapw32
- NAVAPW32
- NAVAPW32.EXE
- NAVENGNAVEX15
- NAVENGNAVEX15
- NAVLU32
- NAVLU32.EXE
- Navw32
- NAVW32
- Navw32.exe
- NAVWNT
- NAVWNT.EXE
- NDD32.EXE
- NeoWatchLog
- NeoWatchLog.exe
- NETUTILS
- NETUTILS.EXE
- NISSERV
- NISSERV
- NISSERV.EXE
- NISSERV.EXE
- NISSERV.EXE
- NISUM.EXE
- NISUM.EXE
- NMAIN.EXE
- NORMIST
- NORMIST
- NORMIST.EXE
- NORMIST.EXE
- notstart
- notstart.exe
- NPROTECT
- NPROTECT.EXE
- npscheck
- npscheck.exe
- NPSSVC
- NPSSVC.EXE
- NSCHED32
- NSCHED32.EXE
- ntrtscan
- ntrtscan.EXE
- NTVDM.EXE
- NTXconfig
- NTXconfig.exe
- Nui.EXE
- Nupgrade
- Nupgrade.exe
- NVC95.EXE
- NVC95.EXE
- NVSVC32
- NVSVC32
- NWService
- NWService.exe
- NWTOOL16
- NWTOOL16.EXE
- PADMIN
- PADMIN.EXE
- PAVPROXY
- pavproxy
- PAVPROXY.EXE
- pavproxy.exe
- PCCIOMON
- PCCIOMON
- PCCIOMON.EXE
- PCCIOMON.EXE
- pccntmon
- pccntmon.EXE
- pccwin97
- pccwin97.EXE
- PCCWIN98
- PCCWIN98.EXE
- pcscan
- pcscan.EXE
- PERSFW
- [HKCR\exefile\shell\open\command]