Threat Description

Yarner

Details

Aliases: Win32/Yarner, I-Worm.Yarner, W32/Yarner
Category: Malware
Type: Virus
Platform: W32

Summary



Yarner is an e-mail worm that first appeared in the wild in Germany on 19th of February 2002. The worm is a 437-kilobyte PE EXE file written in Delphi; its code is not compressed.



Removal



To disinfect a system, it is enough to delete all the worm's files from the hard drive and to delete all infected messages from the e-mail client's incoming mail database. As some of the worm's files have random names, they can only be found with F-Secure Anti-Virus and the latest updates.

You can download a trial version of F-Secure Anti-Virus with the latest updates from our website:

Http://www.europe.f-secure.com/download-purchase/

Install FSAV, apply the latest updates and scan your Windows directory for infection. When the worm's file is found, select the 'Delete' disinfection action. Warning! If an infection is found in an e-mail database rather than in an EXE file, do NOT delete it, as you will lose all your e-mails.

If a worm's file is locked and can't be deleted instantly, you will have to delete it from pure DOS (for Windows 9x systems) or rename it with a different extension (.EXA for example) and restart the system immediately (for NT-based systems).

If an infection is found in your Windows ME or XP System Restore folder (usually the '_Restore' directory), you will have to disable the System Restore functionality of Windows to avoid re-infection.

Finally, rename NOTEDPAD.EXE back to NOTEPAD.EXE in the Windows directory.



Technical Details



Seven variants of the Yarner worm are currently known. They have the same functionality, and the text of the messages they spread with is the same too.

Being run, the worm installs itself into the system. It copies itself under a random name, 'sdShdaaLEKJkasjhe.exe' for example, into the Windows directory and creates a startup key in the Registry to make sure that it is always activated when Windows starts:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

The name of the key is random and its value contains the path to the worm's file in the Windows directory. The worm also copies itself as NOTEPAD.EXE into the Windows directory, renaming the original Notepad file to NOTEDPAD.EXE.

Then the worm starts to search for *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files and looks for e-mail addresses in them. The worm also checks the Outlook Address Book for e-mail addresses. The worm creates two files in the Windows directory, KERNEI32.DAA and KERNEI32.DAS, where it stores the e-mail addresses and SMTP server names.
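The installation behaviour just described and the manual steps in the Removal section can be checked with a short triage script. The following is an added example written for this page, not F-Secure's tool and not part of the original description: it looks for the three indicators the text names (a RunOnce value under HKEY_CURRENT_USER pointing at an EXE that sits directly in the Windows directory, the renamed NOTEDPAD.EXE, and KERNEI32.DAA/.DAS) and prints the removal steps in the order the Removal section gives them. The function names, the constructed sample registry values and directory listing, and the `--live` flag are this example's own assumptions; the random worm file name is the one quoted in the text.

```python
"""Host-side triage for the Yarner indicators in this description.

Added example, not F-Secure's tool. The indicators (a random HKCU RunOnce
value pointing at an EXE in the Windows directory, NOTEDPAD.EXE,
KERNEI32.DAA/.DAS) are taken from the text; the function names, the
sample data and the remediation plan are this example's own assumptions.
"""
import os
import sys
from pathlib import PureWindowsPath

# Names the description associates with the worm, relative to %WINDIR%.
# NOTEPAD.EXE itself is not listed: a clean system has one too, so its
# presence proves nothing; the renamed original, NOTEDPAD.EXE, does.
YARNER_FILE_NAMES = {"notedpad.exe", "kernei32.daa", "kernei32.das"}
RUNONCE_KEY = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"


def _exe_path(data):
    """Extract the executable path from a Run/RunOnce value (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]


def suspicious_runonce_values(values, windows_dir):
    """Return (value name, exe path) pairs whose data starts an EXE that sits
    directly in the Windows directory. `values` maps value name -> data as
    read from HKCU\\...\\RunOnce. The worm's value name is random, so only
    the location of the target is matched; PureWindowsPath compares
    case-insensitively, as the Windows file system does."""
    win = PureWindowsPath(windows_dir)
    hits = []
    for name, data in values.items():
        p = PureWindowsPath(_exe_path(data))
        if p.suffix.lower() == ".exe" and p.parent == win:
            hits.append((name, str(p)))
    return hits


def suspicious_files(listing):
    """Return the Yarner-associated names found in a Windows directory listing."""
    return sorted(n for n in listing if n.lower() in YARNER_FILE_NAMES)


def remediation_plan(runonce_hits, file_hits, windows_dir):
    """Turn findings into the ordered manual steps the Removal section gives.
    Nothing is executed: a locked file needs a rename and reboot (or DOS),
    and random-named files should be confirmed by the scanner first."""
    win = PureWindowsPath(windows_dir)
    steps = [f"delete registry value HKCU\\{RUNONCE_KEY}\\{n}" for n, _ in runonce_hits]
    steps += [f"delete {p} (rename to .EXA and reboot if locked)" for _, p in runonce_hits]
    present = {f.lower() for f in file_hits}
    if "notedpad.exe" in present:
        steps.append(f"delete the worm's copy {win / 'NOTEPAD.EXE'}")
        steps.append(f"rename {win / 'NOTEDPAD.EXE'} back to NOTEPAD.EXE")
    for name in ("KERNEI32.DAA", "KERNEI32.DAS"):
        if name.lower() in present:
            steps.append(f"delete harvested-address file {win / name}")
    return steps


def collect_live():
    """Read the real HKCU RunOnce values and %WINDIR% listing (Windows only)."""
    import winreg  # standard library, Windows only
    windows_dir = os.environ.get("WINDIR", r"C:\WINDOWS")
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                values[name] = str(data)
    except FileNotFoundError:
        pass  # no RunOnce key means no RunOnce entries
    return values, os.listdir(windows_dir), windows_dir


# Constructed sample data standing in for a live read, so the script runs anywhere.
SAMPLE_RUNONCE = {
    "Jkasjhe": r"C:\WINDOWS\sdShdaaLEKJkasjhe.exe",           # random name, EXE in %WINDIR%
    "Setup": r'"C:\Program Files\Vendor\setup.exe" /finish',  # ordinary installer entry
}
SAMPLE_WINDIR = ["NOTEPAD.EXE", "NOTEDPAD.EXE", "KERNEI32.DAA", "KERNEI32.DAS", "win.ini"]

if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        values, listing, windir = collect_live()
    else:
        values, listing, windir = SAMPLE_RUNONCE, SAMPLE_WINDIR, r"C:\WINDOWS"
    r_hits = suspicious_runonce_values(values, windir)
    f_hits = suspicious_files(listing)
    for step in remediation_plan(r_hits, f_hits, windir):
        print(step)
```

Run without arguments it works on the constructed sample; on a Windows host, `--live` reads the real RunOnce values and the %WINDIR% listing. It deliberately only prints a plan rather than deleting anything, because the Removal section notes that a locked file must be renamed and the system restarted, and that the random-named files are best confirmed by the scanner.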

After collecting e-mail addresses, the worm gets the SMTP server name from the Internet Account Manager data in the Registry and sends itself to all e-mail addresses it could find, with the following message:

From: webmaster@trojaner-info.de
Subject: Trojaner-Info Newsletter
Attachment: yawsetup.exe
Body:

Hallo !
Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:
1. YAW 2.0 - Unser Dialerwarner in neuer Version
************************************
  1. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW.
YAW ist nun in einer brandneuen und stark erweiterten Version verfuegbar.
Alle unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren.
Bei Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!

************************************
Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir
bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine
angenehme Woche.
Mit freundlichem Gruss
                         Thomas Tietz & Andreas Ebert

************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer
Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber
abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du
diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine
entsprechende E-Mail.
************************************


The 'From' field can contain the e-mail address of an infected user instead of 'webmaster@trojaner-info.de'.
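A mail gateway can recognise this message from the fields the description gives. The following is an added example, not code from F-Secure or from the original page: it parses a message with Python's standard email package and reports which of the three indicators (the subject line, the yawsetup.exe attachment name, the spoofed trojaner-info.de sender) it matches. Because the text says the 'From' field may carry an infected user's address instead, the rule treats the sender only as corroboration and keys on the attachment name. The sample messages, the function names and the quarantine rule are constructions of this example.

```python
"""Mail-side detection for the Yarner message quoted in this description.

Added example, not F-Secure's code. The subject, attachment name and
spoofed sender come from the text; the scoring, the function names and
the sample messages are this example's own constructions.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

YARNER_SUBJECT = "Trojaner-Info Newsletter"
YARNER_ATTACHMENT = "yawsetup.exe"
SPOOFED_SENDER = "webmaster@trojaner-info.de"


def yarner_indicators(raw):
    """Return the list of Yarner indicators matched by one raw RFC 822 message.

    The attachment name is the strongest signal: the description says the
    'From' field may carry an infected user's address rather than the
    trojaner-info.de one, so the sender is reported but never required.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == YARNER_SUBJECT:
        hits.append("subject")
    if SPOOFED_SENDER in (msg.get("From") or "").lower():
        hits.append("spoofed-from")
    # iter_attachments yields nothing for a single-part message, so a plain
    # text mail simply produces no attachment hit.
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() == YARNER_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def is_yarner(raw):
    """Quarantine rule: the worm's carrier is the yawsetup.exe attachment;
    the subject and sender only corroborate, so they are not required."""
    return "attachment" in yarner_indicators(raw)


def _build_sample(sender, subject, attach):
    """Construct a sample message (not a real capture) in the worm's shape."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content("Hallo !\nWillkomen zur neuesten Newsletter-Ausgabe ...\n")
    if attach:
        # Placeholder bytes only; this is not the worm's executable.
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=attach)
    return m.as_bytes()


# Constructed samples: the worm as described, the worm with a victim's
# address in 'From' (the variation the text mentions), and a clean mail.
SAMPLE_WORM = _build_sample(SPOOFED_SENDER, YARNER_SUBJECT, YARNER_ATTACHMENT)
SAMPLE_WORM_OTHER_SENDER = _build_sample("victim@example.invalid",
                                         YARNER_SUBJECT, YARNER_ATTACHMENT)
SAMPLE_CLEAN = _build_sample("friend@example.invalid", "Lunch?", None)

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM),
                       ("worm, victim sender", SAMPLE_WORM_OTHER_SENDER),
                       ("clean", SAMPLE_CLEAN)):
        print(f"{label}: quarantine={is_yarner(raw)} indicators={yarner_indicators(raw)}")
```

The second sample shows why the rule must not depend on the sender: with the victim's address in 'From' it still carries the subject and the attachment, and is still quarantined.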

After spreading, the worm might (with a one-in-ten chance) delete all files from the hard drive where Windows is installed.

F-Secure Anti-Virus detects all known variants of the Yarner worm with the updates published on 19th of February 2002.
