Worm:W32/Yaha.S

Classification

Category:

Malware

Platform:

W32

Type:

Virus

Aliases:

I-Worm.Lentin.Q
Lentin
W32/Lentin.S@mm
Yaha
Lentin.Q

Summary

This Lentin (also known as Yaha) worm variant appeared on 16th of September 2003. It is an improved variant comparing to previous versions of the worm. Like its previous variants, this one spreads itself in emails, over LAN (local area network), kills tasks of certain programs, logs user's keyboard activities and performs DoS (Denial of Service) attacks on certain sites. The worm can also modify HTML pages on a webserver if it finds it on an infected computer. This variant was most likely a test version of the upcoming Yaha.T worm as some features in this variant were disabled and text strings were not encrypted.

Removal

Technical Details

The worm's file is a Windows PE executable 60688 bytes long compressed with FSG file compressor. The uncompressed worm's size is over 350 kilobytes.

Installation to system

When the worm's file is started, the worm copies itself as EXPLORERE.EXE to Windows System folder and creates a startup keys for this file in System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE"

The worm also copies itself as EXELD32.EXE file to Windows System folder and modifies the default EXE files startup key:

[HKCR\exefile\shell\open\command] @ = "%WinSysDir%\EXELD32.EXE""%1"%*"

where '%WinSysDir%' is Windows System directory name. This way the worm's file is started every time when a user runs an EXE file. Both copied files have a hidden attribute, so they are not seen in Windows Explorer with default settings.

Additionally the worm copies itself as REGE32.EXE to Windows folder and modifies WIN.INI file to make the copied file start during Windows bootup stage. On NT-based systems the worm also writes the startup string into the Registry.

Finally the worm copies itself as MSREGSCANNER.EXE file to the following directory:

\Documents and Settings\All Users\Start Menu\Programs\Startup

This allows the worm's file to start when any user starts Windows.

Spreading in local network

The worm is capable of infecting computers over a local network. Being active, the worm enumerates shared network resources and if it finds the following directories there:

WINDOWS
WIN98
WIN95
WINNT
WIN
WINME
WINXP

it copies as REGE32.EXE to these folders and modifies WIN.INI file there to make the copied file start during Windows bootup stage. Also the worm copies itself as MSREGSCANNER.EXE file to the following directory on remote computers:

\Documents and Settings\All Users\Start Menu\Programs\Startup

This allows the worm's file to start when any user starts Windows on remote system.

Modifying webpages

If the worm finds a webserver (IIS - Internet Information Server) folders on an infected computer, it modifies its HTML pages. The worm looks for *.HTML and *.HTM files in the following folder:

\INETPUB\WWWROOT

and adds a small HTML code to the end of every found webpage, so that the following text is shown when that page is opened:

Ha..Ha..Haaa...

Each webpage may contain one or more string like that.

Keylogger

The worm drops a keylogging DLL from its body and activates it to record all keystrokes of an infected computer's user. The keystrokes are saved into a file that is located in a temporary folder. The worm periodically sends this file to 'keylogs20003@yahoo.com' address together with host name and IP address of an infected computer. The file is sent if it's size is over 30 kilobytes.

Spreading in emails

The worm spreads itself in emails. The emails have randomly selected subjects, body texts and attachment names. The infected emails have fake email addresses in the sender field.

The worm uses the following list of names to construct a fake sender's email address:

Love Inc.
Jericho
Romantic Screensavers
Trend Micro
Norton Antivirus
McAfee Inc.
Jonathan
Noopman
The Rock
britneyspears.org
zporNstarS
Lovers Screensavers
Valentine Screensavers
American Beauty
John Vandervochich
Ross Anderson
Jasmine Stevens
Ralph Jones
Clark Steel
Kyo Kusanagi
Iori Yagami
Terry Bogard
Omega Rugal
KOF Online
Cathy Kindergarten
Jaucques Antonio Barkinstein
Romeo & Juliet
Screensavers of Love
Raveena Pusanova
Zdenka Podkapova
Jenna Jameson
Club Jenna
Veronica Anderson
Benting
Paul Owen
admin@hackers.com
admin@viruswriters.com
admin@hackersclub.com
Nicolas Schwarzeneggar
Keanu Stevenson
Nomadic Screensavers
XXX Screensavers
Hardcore Screensavers
Playboy Inc.
Plus 2
Plus 6
Real Inc.
Sexy Screensavers
Super Soccer
Rocking Stone
SQL Library
Codeproject
Klein Anderson

The worm uses the following list of email addresses to construct a fake sender's email address:

loverscreensavers@love.com
caijob@online.sh.cn
romanticscreensavers@love.com
av_patch@trendmicro.com
av_patch@norton.com
av_patch@mcafee.com
cupid@freescreensavers.com
yjworks@online.sh.cn
samsun@online.sh.cn
ericpan@online.com.pk
therock@wwe.com
newsletters@britneyspears.org
admin@zpornstars.com
screensavers@lovers.com
valentinescreensavers@t2k.com
luoairong@21cn.com
hamada@seikosangyo.com
lubing@7135.com
zhouyuye@citiz.net
admin@kofonline2.com
cathy@21cn.com
super@21cn.com
DNA_seraph@163.com
love@lovescreensavers.com
ravs@go2pussy.com
zdenka@zpornstars.com
jenna@jennajameson.com
admin@clubjenna.com
services@tcsonline2.com
btq@2632.com
paul@kqscore2.com
admin@hackers2.com
admin@viruswriters.com
admin@hackersclub2.com
nics@noma.com
kkn@k2k.comscreensavers@nomadic.com
free@xxxscreensavers.com
free@hardcorescreensavers.com
sales@playboy.com
plus@real.com
sales@real.com
free@sexyscreensavers.com
marketing@suppersoccer.com
stone@esterplaza.com
me@me2K.com
free@sql.library.com
admin@codeproject2.com
kl@aminoprojects.com
The worm uses the following subject lines in the emails that it
sends from an infected system:
Sample Screensavers
Project
Free Screensavers 4 U
Patch for Klez.H
Patch for Elkern.gen
Lovers Corner
Things to note
Wanna be friends ?
Freak Out
WWE Screensavers
Free Screensavers
Free XXX
Free Screenavers of Love
Who is your Valentine
Are you beautiful
Need money ??
Wanna be friends ??
Wanna be friends ??
Free Demo Game
Demo KOF 2002
Play KOF 2002 4 Free
Wanna Rumble ??
Wanna Brawl ??
The King of KOF
Sample KOF 2002
Wanna be friends ??
Wanna Hack ??
Feel the fragrance of Love
Free Screensavers
Free rAVs Screensavers
XXX Screensavers
Jenna 4 U
Screensavers from Club Jenna
Wanna be my sweetheart ??
Whats up
World Tour
One Hacker's Love
One Virus Writer's Story
Visit us
Wanna be a HE-MAN
We want peace
Free Screensavers 4 U
XXX Screensavers 4 U
Hardcore Screensavers 4 U
Sample Playboy
Check it out
Sexy Screensavers 4 U
Are you a Soccer Fan ?
Wanna be like a stone ?
I Love You..
Learn SQL 4 Free
Free Win32 API source
Are you the BEST

The worm uses the following attachment names for its file when it sends itself in emails:

Love.scr
Project.exe
Romantic.scr
FixKlez.com
FixElkern.com
Cupid.scr
Notes.exe
MyPic.scr
FreakOut.exe
THEROCK.scr
Britney_Sample.scr
zXXX_BROWSER.exe
Valentines_Day.scr
Beautifull.scr
Ways_To_Earn_Money.exe
MyProfile.scr
My_Sexy_Pic.scr
KOF.exe
King_of_Figthers.exe
KOF2002.exe
KOF_The_Game.exe
KOF_Demo.exe
KOF_Sample.exe
KOF_Fighting.exe
MyPic.scr
Hacker.scr
Romeo_Juliet.scr
Free_Love_Screensavers.scr
Ravs.scr
zDenka.scr
Jenna_Jemson.scr
Sexy_Jenna.scr
Sweetheart.scr
up_life.scr
World_Tour.scr
Hacker_The_LoveStory.scr
VXer_The_LoveStory.scr
Services.scr
Body_Building.scr
Peace.scr
Screensavers.scr
xxx4Free.scr
Hardcore4Free.scr
Playboy.scr
Plus2.scr
Plus6.scr
Real.scr
Sex.scrSoccer.scr
Stone.scr
I_Love_You.scr
SQL_4_Free.scr
Codeproject.scr
The_Best.scr

The worm uses the following texts in the bodies of email messages that it sends out:

Hello, The attached product is send as a part of our official campaign for the popularity of our product. You have been chosen to try a free fully functional sample of our product.If you are satified then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5.Once your account reaches the limit of $50, your payment will be send to your registration address by check or draft. Please note that the registration process is completely free which means by participating in this program you will only gain without loosing anything. Best Regards, Admin, or Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC or Hello, Looking for some Hardcore mind boggling action ? Install the attached browser software and browse across millions of paid hardcore sex sites for free. Using the software you can safely and easily browse across most of the hardcore XXX paid sites across the internet for free. Using it you can also clean all traces of your web browsing from your computer. Note:The attached browser software is made exclusivley for demo only. You can use the software for a limited time of 35 days after which you have to register it at our official website for its furthur use. Regards, Admin. or Hello, I just came across your email ID while searching in the Yahoo profiles. Actually I want a true friend 4 life with whom I can share my everything. So if you are interested in being my friend 4 life then mail me. If you wanna know about me, attached is my profile along with some of my pics. You can check and if you like it then do mail me. I will be waiting for your mail. Best Wishes, Your Friend.. or <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>> This email is never sent unsolicited. If you receive this email then it is because you have subscribed to the official newsletter at the KOF ONLINE website. King Of Fighters is one of the greatest action game ever made. Now after the mind boggling sucess of KOF 2001 SNK proudly presents to you KOF 2002 with 4 new charecters. Even though we need no publicity for our product but this time we have decided to give away a fully functional trial version of KOF 2002. So check out the attached trial version of KOF 2002 and register at our official website to get a free copy of KOF2002 original version Best Regards, Admin,KOF ONLINE.. <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

The worm can also compose messages from from additional string data that is hardcoded in the worm's body.

The worm includes Iframe exploit into the infected messages to make the infected attachment run automatically when a recipient views a message. This exploit works only on older and unpatched versions of certain email clients.

Killing tasks of various software

The worm terminates processes that have the following strings in their names:

_AVP32
_AVP32.EXE
_AVPCC
_AVPCC
_AVPCC.EXE
_AVPM.EXE
AckWin32
AckWin32
ACKWIN32
AckWin32.exe
AckWin32.exe
ACKWIN32.EXE
ADVXDWIN
ADVXDWIN.EXE
agentw.exe
ALERTSVC
ALERTSVC.EXE
ALOGSERV
alogserv
ALOGSERV
alogserv.exe
ALOGSERV.EXE
AMON9X
AMON9X.EXE
ANTI-TROJAN
ANTI-TROJAN.EXE
ANTS.EXE
APVXDWIN
apvxdwin
APVXDWIN.EXE
apvxdwin.exe
ATCON.EXE
ATUPDATER
ATUPDATER.EXE
ATWATCH
ATWATCH.EXE
AUTODOWN
AutoDown
AUTODOWN
AUTODOWN.exe
AutoDown.exe
AUTODOWN.EXE
AutoTrace
AutoTrace.exe
AVCONSOL
AVCONSOL.EXE
AVGCC32
AVGCC32
AVGCC32.EXE
AVGCC32.EXE
AVGCTRL
Avgctrl
AVGCTRL.EXE
Avgctrl.exe
AvgServ
AVGSERV
AvgServ
AVGSERV
AVGSERV.EXE
AVGSERV.EXE
AVGSERV9
AVGSERV9.EXE
AVGW.EXE
avkpop
avkpop.exe
AvkServ
AvkServ.exe
avkservice
avkservice.exe
avkwctl9
avkwctl9.exe
AVP.EXE
AVP32.EXE
avpm.exe
AVPM.EXE
Avsched32
Avsched32.exe
AvSynMgr
AVSYNMGR
AVSYNMGR
AvSynMgr
AVSYNMGR
AVSYNMGR.exe
AVWINNT
AVWINNT.EXE
AVXMONITOR9X
AVXMONITOR9X
AVXMONITOR9X.EXE
AVXMONITOR9X.EXE
AVXMONITORNT
AVXMONITORNT
AVXMONITORNT.EXE
AVXMONITORNT.EXE
AVXQUAR
AVXQUAR
AVXQUAR.EXE
AVXQUAR.EXE.EXE
AVXW.EXE
blackd
BLACKD
blackd.exe
BLACKD.EXE
BlackICE
BlackICE.exe
CDP.EXE
cfgWiz
cfgWiz.exe
Claw95
Claw95
CLAW95
Claw95.exe
Claw95.exe
CLAW95.EXE
Claw95cf
CLAW95CF
Claw95cf.exe
CLAW95CF.EXE
cleaner
cleaner.EXE
cleaner3
cleaner3.EXE
CMGRDIAN
CMGrdian
CMGRDIAN
CMGRDIAN.EXE
CONNECTIONMONITOR
CONNECTIONMONITOR.EXE
cpd.exe
cpd.exe
CPDClnt
CPDCLNT.EXE
CPDClnt.exe
CTRL.EXE
defalert
defalert.exe
defscangui
defscangui.exe
DEFWATCH
DEFWATCH.EXE
DOORS.EXE
DOORS.EXE
DVP95.EXE
DVP95_0
DVP95_0.EXE
EFPEADM
EFPEADM
EFPEADM.exe
EFPEADM.EXE
ETRUSTCIPE
ETRUSTCIPE
ETRUSTCIPE.exe
ETRUSTCIPE.EXE
EVPN.exe
EVPN.EXE
EXPERT
EXPERT.EXE
F-AGNT95
F-AGNT95.EXE
fameh32
fameh32.exe
fch32.exe
fih32.exe
fnrb32
fnrb32.exe
F-PROT
F-PROT.EXE
F-PROT95
F-PROT95.EXE
FP-WIN
FP-WIN.EXE
FRW.EXE
FRW.EXE
fsaa.exe
fsav32
fsav32.exe
fsgk32
fsgk32.exe
fsm32.exe
fsma32
fsma32.exe
fsmb32
fsmb32.exe
f-stopw
F-STOPW
f-stopw.exe
F-STOPW.EXE
gbmenu
gbmenu.exe
GBPOLL
gbpoll
GBPOLL.EXE
gbpoll.exe
GENERICS
GENERICS.EXE
GUARD.EXE
GUARD.EXE
GUARDDOG
GUARDDOG.EXE
iamapp
IAMAPP
IAMAPP
iamapp.exe
IAMAPP.EXE
IAMAPP.EXE
iamserv
IAMSERV
iamserv.exe
IAMSERV.EXE
IAMSTATS
IAMSTATS.EXE
ICLOAD95
ICLOAD95.EXE
ICLOADNT
ICLOADNT
ICLOADNT.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95
ICSUPP95
ICSUPP95.EXE
ICSUPP95.EXE
ICSUPPNT
ICSUPPNT.EXE
IFACE.EXE
IOMON98
IOMON98
IOMON98.EXE
IOMON98.EXE
ISRV95
ISRV95.EXE
JEDI.EXE
LDNETMON
LDNETMON.EXE
LDPROMENU
LDPROMENU.EXE
LDSCAN
LDSCAN.EXE
LOCKDOWN
LOCKDOWN.EXE
lockdown2000
LOCKDOWN2000
lockdown2000.exe
LOCKDOWN2000.EXE
LUALL.EXE
LUCOMSERVER
LUCOMSERVER.EXE
LUSPT.exe
MCAGENT
MCAGENT.EXE
MCMNHDLR
MCMNHDLR.EXE
Mcshield.exe
MCTOOL
MCTOOL.EXE
MCUPDATE
MCUPDATE.EXE
MCVSRTE
MCVSRTE.EXE
MCVSSHLD
MCVSSHLD.EXE
MGAVRTCL
MGAVRTCL.EXE
MGAVRTE
MGAVRTE.EXE
MGHTML
MGHTML.EXE
MINILOG
MINILOG.EXE
Monitor
MONITOR
Monitor.exe
MONITOR.EXE
MOOLIVE
MOOLIVE.EXE
MPFAGENT.EXE
MPFSERVICE
MPFSERVICE.exe
MPFTRAY.EXE
MWATCH
MWATCH
MWATCH.EXE
NAV Auto-Protect
NAV Auto-Protect
navapsvc
navapsvc
NAVAPSVC.EXE
navapsvc.exe
navapw32
NAVAPW32
NAVAPW32.EXE
NAVENGNAVEX15
NAVENGNAVEX15
NAVLU32
NAVLU32.EXE
Navw32
NAVW32
Navw32.exe
NAVWNT
NAVWNT.EXE
NDD32.EXE
NeoWatchLog
NeoWatchLog.exe
NETUTILS
NETUTILS.EXE
NISSERV
NISSERV
NISSERV.EXE
NISSERV.EXE
NISSERV.EXE
NISUM.EXE
NISUM.EXE
NMAIN.EXE
NORMIST
NORMIST
NORMIST.EXE
NORMIST.EXE
notstart
notstart.exe
NPROTECT
NPROTECT.EXE
npscheck
npscheck.exe
NPSSVC
NPSSVC.EXE
NSCHED32
NSCHED32.EXE
ntrtscan
ntrtscan.EXE
NTVDM.EXE
NTXconfig
NTXconfig.exe
Nui.EXE
Nupgrade
Nupgrade.exe
NVC95.EXE
NVC95.EXE
NVSVC32
NVSVC32
NWService
NWService.exe
NWTOOL16
NWTOOL16.EXE
PADMIN
PADMIN.EXE
PAVPROXY
pavproxy
PAVPROXY.EXE
pavproxy.exe
PCCIOMON
PCCIOMON
PCCIOMON.EXE
PCCIOMON.EXE
pccntmon
pccntmon.EXE
pccwin97
pccwin97.EXE
PCCWIN98
PCCWIN98.EXE
pcscan
pcscan.EXE
PERSFW

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.