Classification

Category: Malware
Type: Virus
Aliases: Win32/Yarner, I-Worm.Yarner, W32/Yarner

Summary

Yarner is an email worm that first appeared in the wild in Germany on 19th of February 2002. The worm is a PE EXE file 437 kilobytes long; it is written in Delphi and its code is not compressed.

Removal

To disinfect the worm it is enough to delete all its files from the hard drive and to delete all infected messages from the email client's incoming mail database. As some of the worm's files have random names, they can only be found with F-Secure Anti-Virus and the latest updates.

You can download a trial version of F-Secure Anti-Virus with the latest updates from our website:

Http://www.europe.f-secure.com/download-purchase/

Install FSAV, apply the latest updates and scan your Windows directory for infection. When the worm's file is found, select the 'Delete' disinfection action. Warning! If an infection is found in an email database rather than in an EXE file, do NOT delete it, as you would lose all your emails.

If a worm's file is locked and can't be deleted immediately, you will have to delete it from pure DOS (on Windows 9x systems) or rename it with a different extension (.EXA, for example) and restart the system immediately (on NT-based systems).

If an infection is found in your Windows ME or XP System Restore folder (usually the '_Restore' directory), you will have to disable the System Restore functionality of Windows to avoid re-infection.

Finally, rename NOTEDPAD.EXE back to NOTEPAD.EXE in the Windows directory.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Seven variants of the Yarner worm are currently known. They have the same functionality, and the text of the messages they spread with is the same too.

When run, the worm installs itself into the system. It copies itself under a random name, 'sdShdaaLEKJkasjhe.exe' for example, into the Windows directory and creates a startup key in the Registry to make sure that it is always activated when Windows starts:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

The name of the key is random and its value contains the path to the worm's file in the Windows directory. The worm also copies itself as NOTEPAD.EXE into the Windows directory, renaming the original Notepad file to NOTEDPAD.EXE.

The worm then searches *.PHP, *.HTM, *.SHTM, *.CGI and *.PL files for email addresses. It also checks the Outlook Address Book for email addresses. The worm creates two files in the Windows directory, KERNEI32.DAA and KERNEI32.DAS, where it stores the email addresses and SMTP server names.
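An added triage script for the host-side indicators just described (example code written for this page, not F-Secure's). The RunOnce entries, file names and sizes are constructed sample data, and using the dropped file's name as the RunOnce value name is an assumption, since the page only says the name is random:

```python
import ntpath

# Constructed sample data for the Yarner indicators described above (not from a real host).
WINDIR = r"C:\WINDOWS"
DROPPED_FILES = {"KERNEI32.DAA", "KERNEI32.DAS", "NOTEDPAD.EXE"}
SAMPLE_RUNONCE = [                      # (value name, value data) pairs exported from HKCU\...\RunOnce
    ("sdShdaaLEKJkasjhe", r"C:\WINDOWS\sdShdaaLEKJkasjhe.exe"),         # worm-style entry (assumed name)
    ("Setup Cleanup", r'"C:\Program Files\Vendor\cleanup.exe" /quiet'),  # ordinary installer entry
]
SAMPLE_WINDIR = {                       # file name -> size in bytes for a Windows-directory listing
    "NOTEPAD.EXE": 447488, "NOTEDPAD.EXE": 53248, "KERNEI32.DAA": 1200, "explorer.exe": 1032192,
}

def suspicious_runonce(entries, windir=WINDIR):
    """Return RunOnce value names whose data points to an .exe sitting directly in the
    Windows directory. Yarner registers a random-named value like this; the result is a
    triage list to inspect, not a verdict, because other software may also use RunOnce."""
    hits = []
    for name, data in entries:
        exe = (data or "").strip('"')
        end = exe.lower().find(".exe")          # cut off any command-line arguments
        exe = exe[:end + 4] if end >= 0 else exe
        head, tail = ntpath.split(exe)
        if head.lower().rstrip("\\") == windir.lower() and tail.lower().endswith(".exe"):
            hits.append(name)
    return hits

def dropped_files_present(listing):
    """Return the Yarner file names found in the Windows-directory listing (case-insensitive)."""
    return sorted(DROPPED_FILES & {name.upper() for name in listing})

def notepad_replaced(listing):
    """True when the renamed original (NOTEDPAD.EXE) exists and the NOTEPAD.EXE now in
    place differs in size from it, which is what Yarner's NOTEPAD.EXE replacement looks like."""
    sizes = {name.upper(): size for name, size in listing.items()}
    if "NOTEDPAD.EXE" not in sizes or "NOTEPAD.EXE" not in sizes:
        return False
    return sizes["NOTEPAD.EXE"] != sizes["NOTEDPAD.EXE"]

if __name__ == "__main__":
    print("RunOnce entries to inspect:", suspicious_runonce(SAMPLE_RUNONCE))
    print("Yarner files present:", dropped_files_present(SAMPLE_WINDIR))
    print("NOTEPAD.EXE replaced:", notepad_replaced(SAMPLE_WINDIR))
```

On a real host the two inputs would come from a registry export of the RunOnce key and a directory listing of the Windows directory; the checks themselves are platform-independent.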

After collecting email addresses, the worm gets the SMTP server name from the Internet Account Manager data in the Registry and sends itself to all the email addresses it could find with the following message:

From: webmaster@trojaner-info.de
Subject: Trojaner-Info Newsletter
Attachment: yawsetup.exe
Body:

Hallo ! Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:
1. YAW 2.0 - Unser Dialerwarner in neuer Version
************************************
1. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW.
YAW ist nun in einer brandneuen und stark erweiterten Version verfuegbar.
Alle unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren.
Bei Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!
************************************
Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine angenehme Woche.
Mit freundlichem Gruss
Thomas Tietz & Andreas Ebert
************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine entsprechende email.
************************************

The 'From' field can contain the email address of an infected user instead of 'webmaster@trojaner-info.de'.
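An added mail-gateway check for the lure message described above (example code written for this page, not F-Secure's). It keys on the fixed subject and attachment name and deliberately ignores the From header, since the page notes it may carry an infected user's address; both sample messages are constructed and the attachment payload is a harmless placeholder:

```python
import email
from email import policy

# Lure characteristics described above. The From header is deliberately not used as an
# indicator, because the worm may put an infected user's address there instead.
LURE_SUBJECT = "Trojaner-Info Newsletter"
LURE_ATTACHMENT = "yawsetup.exe"

# Constructed sample messages (the attachment content is a harmless placeholder, not the worm).
SAMPLE_LURE = (
    b"From: webmaster@trojaner-info.de\r\n"
    b"To: user@example.org\r\n"
    b"Subject: Trojaner-Info Newsletter\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=iso-8859-1\r\n\r\n"
    b"Hallo ! Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="yawsetup.exe"\r\n'
    b'Content-Disposition: attachment; filename="yawsetup.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nQUJDREVG\r\n"
    b"--b1--\r\n"
)
SAMPLE_NEWSLETTER = (
    b"From: newsletter@example.org\r\nSubject: Trojaner-Info Newsletter\r\n\r\n"
    b"Nur Text, kein Anhang.\r\n"
)

def yarner_lure_indicators(raw_message):
    """Return the lure indicators matched by an RFC 822 message: 'subject' and/or 'attachment'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() == LURE_SUBJECT:
        hits.append("subject")
    for part in msg.walk():                 # walk every MIME part, including nested ones
        filename = part.get_filename()
        if filename and filename.strip().lower() == LURE_ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def is_yarner_lure(raw_message):
    """Require both indicators: a text-only mail with the same subject could be a genuine
    newsletter, while the executable attachment name is the distinguishing feature."""
    return set(yarner_lure_indicators(raw_message)) == {"subject", "attachment"}

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("newsletter", SAMPLE_NEWSLETTER)):
        print(label, yarner_lure_indicators(raw), is_yarner_lure(raw))
```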

After spreading, the worm might (with a probability of one in ten) delete all files from the hard drive where Windows is installed.

F-Secure Anti-Virus detects all known variants of the Yarner worm with the updates published on 19th of February 2002.