Worm:W32/Yaha.S

The worm's file is a Windows PE executable 60688 bytes long compressed with FSG file compressor. The uncompressed worm's size is over 350 kilobytes.

Installation to system

When the worm's file is started, the worm copies itself as EXPLORERE.EXE to Windows System folder and creates a startup keys for this file in System Registry:

• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE"
• [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "MicrosoftServiceManager" = "%WinSysDir%\EXPLORERE.EXE"

The worm also copies itself as EXELD32.EXE file to Windows System folder and modifies the default EXE files startup key:

• [HKCR\exefile\shell\open\command] @ = "%WinSysDir%\EXELD32.EXE""%1"%*"

where '%WinSysDir%' is Windows System directory name. This way the worm's file is started every time when a user runs an EXE file. Both copied files have a hidden attribute, so they are not seen in Windows Explorer with default settings.

Additionally the worm copies itself as REGE32.EXE to Windows folder and modifies WIN.INI file to make the copied file start during Windows bootup stage. On NT-based systems the worm also writes the startup string into the Registry.

Finally the worm copies itself as MSREGSCANNER.EXE file to the following directory:

\Documents and Settings\All Users\Start Menu\Programs\Startup

This allows the worm's file to start when any user starts Windows.

Spreading in local network

The worm is capable of infecting computers over a local network. Being active, the worm enumerates shared network resources and if it finds the following directories there:

• WINDOWS
• WIN98
• WIN95
• WINNT
• WIN
• WINME
• WINXP

it copies as REGE32.EXE to these folders and modifies WIN.INI file there to make the copied file start during Windows bootup stage. Also the worm copies itself as MSREGSCANNER.EXE file to the following directory on remote computers:

\Documents and Settings\All Users\Start Menu\Programs\Startup

This allows the worm's file to start when any user starts Windows on remote system.

Modifying webpages

If the worm finds a webserver (IIS - Internet Information Server) folders on an infected computer, it modifies its HTML pages. The worm looks for *.HTML and *.HTM files in the following folder:

\INETPUB\WWWROOT

and adds a small HTML code to the end of every found webpage, so that the following text is shown when that page is opened:

Ha..Ha..Haaa...

Each webpage may contain one or more string like that.

Keylogger

The worm drops a keylogging DLL from its body and activates it to record all keystrokes of an infected computer's user. The keystrokes are saved into a file that is located in a temporary folder. The worm periodically sends this file to 'keylogs20003@yahoo.com' address together with host name and IP address of an infected computer. The file is sent if it's size is over 30 kilobytes.

Spreading in emails

The worm spreads itself in emails. The emails have randomly selected subjects, body texts and attachment names. The infected emails have fake email addresses in the sender field.

The worm uses the following list of names to construct a fake sender's email address:

• Love Inc.
• Jericho
• Romantic Screensavers
• Trend Micro
• Norton Antivirus
• McAfee Inc.
• Jonathan
• Noopman
• The Rock
• britneyspears.org
• zporNstarS
• Lovers Screensavers
• Valentine Screensavers
• American Beauty
• John Vandervochich
• Ross Anderson
• Jasmine Stevens
• Ralph Jones
• Clark Steel
• Kyo Kusanagi
• Iori Yagami
• Terry Bogard
• Omega Rugal
• KOF Online
• Cathy Kindergarten
• Jaucques Antonio Barkinstein
• Romeo & Juliet
• Screensavers of Love
• Raveena Pusanova
• Zdenka Podkapova
• Jenna Jameson
• Club Jenna
• Veronica Anderson
• Benting
• Paul Owen
• admin@hackers.com
• admin@viruswriters.com
• admin@hackersclub.com
• Nicolas Schwarzeneggar
• Keanu Stevenson
• Nomadic Screensavers
• XXX Screensavers
• Hardcore Screensavers
• Playboy Inc.
• Plus 2
• Plus 6
• Real Inc.
• Sexy Screensavers
• Super Soccer
• Rocking Stone
• SQL Library
• Codeproject
• Klein Anderson

The worm uses the following list of email addresses to construct a fake sender's email address:

• loverscreensavers@love.com
• caijob@online.sh.cn
• romanticscreensavers@love.com
• av_patch@trendmicro.com
• av_patch@norton.com
• av_patch@mcafee.com
• cupid@freescreensavers.com
• yjworks@online.sh.cn
• samsun@online.sh.cn
• ericpan@online.com.pk
• therock@wwe.com
• newsletters@britneyspears.org
• admin@zpornstars.com
• screensavers@lovers.com
• valentinescreensavers@t2k.com
• luoairong@21cn.com
• hamada@seikosangyo.com
• lubing@7135.com
• zhouyuye@citiz.net
• admin@kofonline2.com
• cathy@21cn.com
• super@21cn.com
• DNA_seraph@163.com
• love@lovescreensavers.com
• ravs@go2pussy.com
• zdenka@zpornstars.com
• jenna@jennajameson.com
• admin@clubjenna.com
• services@tcsonline2.com
• btq@2632.com
• paul@kqscore2.com
• admin@hackers2.com
• admin@viruswriters.com
• admin@hackersclub2.com
• nics@noma.com
• kkn@k2k.comscreensavers@nomadic.com
• free@xxxscreensavers.com
• free@hardcorescreensavers.com
• sales@playboy.com
• plus@real.com
• sales@real.com
• free@sexyscreensavers.com
• marketing@suppersoccer.com
• stone@esterplaza.com
• me@me2K.com
• free@sql.library.com
• admin@codeproject2.com
• kl@aminoprojects.com
• The worm uses the following subject lines in the emails that it
• sends from an infected system:
• Sample Screensavers
• Project
• Free Screensavers 4 U
• Patch for Klez.H
• Patch for Elkern.gen
• Lovers Corner
• Things to note
• Wanna be friends ?
• Freak Out
• WWE Screensavers
• Free Screensavers
• Free XXX
• Free Screenavers of Love
• Who is your Valentine
• Are you beautiful
• Need money ??
• Wanna be friends ??
• Wanna be friends ??
• Free Demo Game
• Demo KOF 2002
• Play KOF 2002 4 Free
• Wanna Rumble ??
• Wanna Brawl ??
• The King of KOF
• Sample KOF 2002
• Wanna be friends ??
• Wanna Hack ??
• Feel the fragrance of Love
• Free Screensavers
• Free rAVs Screensavers
• XXX Screensavers
• Jenna 4 U
• Screensavers from Club Jenna
• Wanna be my sweetheart ??
• Whats up
• World Tour
• One Hacker's Love
• One Virus Writer's Story
• Visit us
• Wanna be a HE-MAN
• We want peace
• Free Screensavers 4 U
• XXX Screensavers 4 U
• Hardcore Screensavers 4 U
• Sample Playboy
• Check it out
• Sexy Screensavers 4 U
• Are you a Soccer Fan ?
• Wanna be like a stone ?
• I Love You..
• Learn SQL 4 Free
• Free Win32 API source
• Are you the BEST

The worm uses the following attachment names for its file when it sends itself in emails:

• Love.scr
• Project.exe
• Romantic.scr
• FixKlez.com
• FixElkern.com
• Cupid.scr
• Notes.exe
• MyPic.scr
• FreakOut.exe
• THEROCK.scr
• Britney_Sample.scr
• zXXX_BROWSER.exe
• Valentines_Day.scr
• Beautifull.scr
• Ways_To_Earn_Money.exe
• MyProfile.scr
• My_Sexy_Pic.scr
• KOF.exe
• King_of_Figthers.exe
• KOF2002.exe
• KOF_The_Game.exe
• KOF_Demo.exe
• KOF_Sample.exe
• KOF_Fighting.exe
• MyPic.scr
• Hacker.scr
• Romeo_Juliet.scr
• Free_Love_Screensavers.scr
• Ravs.scr
• zDenka.scr
• Jenna_Jemson.scr
• Sexy_Jenna.scr
• Sweetheart.scr
• up_life.scr
• World_Tour.scr
• Hacker_The_LoveStory.scr
• VXer_The_LoveStory.scr
• Services.scr
• Body_Building.scr
• Peace.scr
• Screensavers.scr
• xxx4Free.scr
• Hardcore4Free.scr
• Playboy.scr
• Plus2.scr
• Plus6.scr
• Real.scr
• Sex.scrSoccer.scr
• Stone.scr
• I_Love_You.scr
• SQL_4_Free.scr
• Codeproject.scr
• The_Best.scr

The worm uses the following texts in the bodies of email messages that it sends out:

Hello, The attached product is send as a part of our official campaign for the popularity of our product. You have been chosen to try a free fully functional sample of our product.If you are satified then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5.Once your account reaches the limit of $50, your payment will be send to your registration address by check or draft. Please note that the registration process is completely free which means by participating in this program you will only gain without loosing anything. Best Regards, Admin, or Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC or Hello, Looking for some Hardcore mind boggling action ? Install the attached browser software and browse across millions of paid hardcore sex sites for free. Using the software you can safely and easily browse across most of the hardcore XXX paid sites across the internet for free. Using it you can also clean all traces of your web browsing from your computer. Note:The attached browser software is made exclusivley for demo only. You can use the software for a limited time of 35 days after which you have to register it at our official website for its furthur use. Regards, Admin. or Hello, I just came across your email ID while searching in the Yahoo profiles. Actually I want a true friend 4 life with whom I can share my everything. So if you are interested in being my friend 4 life then mail me. If you wanna know about me, attached is my profile along with some of my pics. You can check and if you like it then do mail me. I will be waiting for your mail. Best Wishes, Your Friend.. or <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>> This email is never sent unsolicited. If you receive this email then it is because you have subscribed to the official newsletter at the KOF ONLINE website. King Of Fighters is one of the greatest action game ever made. Now after the mind boggling sucess of KOF 2001 SNK proudly presents to you KOF 2002 with 4 new charecters. Even though we need no publicity for our product but this time we have decided to give away a fully functional trial version of KOF 2002. So check out the attached trial version of KOF 2002 and register at our official website to get a free copy of KOF2002 original version Best Regards, Admin,KOF ONLINE.. <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

The worm can also compose messages from from additional string data that is hardcoded in the worm's body.

The worm includes Iframe exploit into the infected messages to make the infected attachment run automatically when a recipient views a message. This exploit works only on older and unpatched versions of certain email clients.

Killing tasks of various software

The worm terminates processes that have the following strings in their names:

• _AVP32
• _AVP32.EXE
• _AVPCC
• _AVPCC
• _AVPCC.EXE
• _AVPM.EXE
• AckWin32
• AckWin32
• ACKWIN32
• AckWin32.exe
• AckWin32.exe
• ACKWIN32.EXE
• ADVXDWIN
• ADVXDWIN.EXE
• agentw.exe
• ALERTSVC
• ALERTSVC.EXE
• ALOGSERV
• alogserv
• ALOGSERV
• alogserv.exe
• ALOGSERV.EXE
• AMON9X
• AMON9X.EXE
• ANTI-TROJAN
• ANTI-TROJAN.EXE
• ANTS.EXE
• APVXDWIN
• apvxdwin
• APVXDWIN.EXE
• apvxdwin.exe
• ATCON.EXE
• ATUPDATER
• ATUPDATER.EXE
• ATWATCH
• ATWATCH.EXE
• AUTODOWN
• AutoDown
• AUTODOWN
• AUTODOWN.exe
• AutoDown.exe
• AUTODOWN.EXE
• AutoTrace
• AutoTrace.exe
• AVCONSOL
• AVCONSOL.EXE
• AVGCC32
• AVGCC32
• AVGCC32.EXE
• AVGCC32.EXE
• AVGCTRL
• Avgctrl
• AVGCTRL.EXE
• Avgctrl.exe
• AvgServ
• AVGSERV
• AvgServ
• AVGSERV
• AVGSERV.EXE
• AVGSERV.EXE
• AVGSERV9
• AVGSERV9.EXE
• AVGW.EXE
• avkpop
• avkpop.exe
• AvkServ
• AvkServ.exe
• avkservice
• avkservice.exe
• avkwctl9
• avkwctl9.exe
• AVP.EXE
• AVP32.EXE
• avpm.exe
• AVPM.EXE
• Avsched32
• Avsched32.exe
• AvSynMgr
• AVSYNMGR
• AVSYNMGR
• AvSynMgr
• AVSYNMGR
• AVSYNMGR.exe
• AVWINNT
• AVWINNT.EXE
• AVXMONITOR9X
• AVXMONITOR9X
• AVXMONITOR9X.EXE
• AVXMONITOR9X.EXE
• AVXMONITORNT
• AVXMONITORNT
• AVXMONITORNT.EXE
• AVXMONITORNT.EXE
• AVXQUAR
• AVXQUAR
• AVXQUAR.EXE
• AVXQUAR.EXE.EXE
• AVXW.EXE
• blackd
• BLACKD
• blackd.exe
• BLACKD.EXE
• BlackICE
• BlackICE.exe
• CDP.EXE
• cfgWiz
• cfgWiz.exe
• Claw95
• Claw95
• CLAW95
• Claw95.exe
• Claw95.exe
• CLAW95.EXE
• Claw95cf
• CLAW95CF
• Claw95cf.exe
• CLAW95CF.EXE
• cleaner
• cleaner.EXE
• cleaner3
• cleaner3.EXE
• CMGRDIAN
• CMGrdian
• CMGRDIAN
• CMGRDIAN.EXE
• CONNECTIONMONITOR
• CONNECTIONMONITOR.EXE
• cpd.exe
• cpd.exe
• CPDClnt
• CPDCLNT.EXE
• CPDClnt.exe
• CTRL.EXE
• defalert
• defalert.exe
• defscangui
• defscangui.exe
• DEFWATCH
• DEFWATCH.EXE
• DOORS.EXE
• DOORS.EXE
• DVP95.EXE
• DVP95_0
• DVP95_0.EXE
• EFPEADM
• EFPEADM
• EFPEADM.exe
• EFPEADM.EXE
• ETRUSTCIPE
• ETRUSTCIPE
• ETRUSTCIPE.exe
• ETRUSTCIPE.EXE
• EVPN.exe
• EVPN.EXE
• EXPERT
• EXPERT.EXE
• F-AGNT95
• F-AGNT95.EXE
• fameh32
• fameh32.exe
• fch32.exe
• fih32.exe
• fnrb32
• fnrb32.exe
• F-PROT
• F-PROT.EXE
• F-PROT95
• F-PROT95.EXE
• FP-WIN
• FP-WIN.EXE
• FRW.EXE
• FRW.EXE
• fsaa.exe
• fsav32
• fsav32.exe
• fsgk32
• fsgk32.exe
• fsm32.exe
• fsma32
• fsma32.exe
• fsmb32
• fsmb32.exe
• f-stopw
• F-STOPW
• f-stopw.exe
• F-STOPW.EXE
• gbmenu
• gbmenu.exe
• GBPOLL
• gbpoll
• GBPOLL.EXE
• gbpoll.exe
• GENERICS
• GENERICS.EXE
• GUARD.EXE
• GUARD.EXE
• GUARDDOG
• GUARDDOG.EXE
• iamapp
• IAMAPP
• IAMAPP
• iamapp.exe
• IAMAPP.EXE
• IAMAPP.EXE
• iamserv
• IAMSERV
• iamserv.exe
• IAMSERV.EXE
• IAMSTATS
• IAMSTATS.EXE
• ICLOAD95
• ICLOAD95.EXE
• ICLOADNT
• ICLOADNT
• ICLOADNT.EXE
• ICLOADNT.EXE
• ICMON.EXE
• ICSUPP95
• ICSUPP95
• ICSUPP95.EXE
• ICSUPP95.EXE
• ICSUPPNT
• ICSUPPNT.EXE
• IFACE.EXE
• IOMON98
• IOMON98
• IOMON98.EXE
• IOMON98.EXE
• ISRV95
• ISRV95.EXE
• JEDI.EXE
• LDNETMON
• LDNETMON.EXE
• LDPROMENU
• LDPROMENU.EXE
• LDSCAN
• LDSCAN.EXE
• LOCKDOWN
• LOCKDOWN.EXE
• lockdown2000
• LOCKDOWN2000
• lockdown2000.exe
• LOCKDOWN2000.EXE
• LUALL.EXE
• LUCOMSERVER
• LUCOMSERVER.EXE
• LUSPT.exe
• MCAGENT
• MCAGENT.EXE
• MCMNHDLR
• MCMNHDLR.EXE
• Mcshield.exe
• MCTOOL
• MCTOOL.EXE
• MCUPDATE
• MCUPDATE.EXE
• MCVSRTE
• MCVSRTE.EXE
• MCVSSHLD
• MCVSSHLD.EXE
• MGAVRTCL
• MGAVRTCL.EXE
• MGAVRTE
• MGAVRTE.EXE
• MGHTML
• MGHTML.EXE
• MINILOG
• MINILOG.EXE
• Monitor
• MONITOR
• Monitor.exe
• MONITOR.EXE
• MOOLIVE
• MOOLIVE.EXE
• MPFAGENT.EXE
• MPFSERVICE
• MPFSERVICE.exe
• MPFTRAY.EXE
• MWATCH
• MWATCH
• MWATCH.EXE
• NAV Auto-Protect
• NAV Auto-Protect
• navapsvc
• navapsvc
• NAVAPSVC.EXE
• navapsvc.exe
• navapw32
• NAVAPW32
• NAVAPW32.EXE
• NAVENGNAVEX15
• NAVENGNAVEX15
• NAVLU32
• NAVLU32.EXE
• Navw32
• NAVW32
• Navw32.exe
• NAVWNT
• NAVWNT.EXE
• NDD32.EXE
• NeoWatchLog
• NeoWatchLog.exe
• NETUTILS
• NETUTILS.EXE
• NISSERV
• NISSERV
• NISSERV.EXE
• NISSERV.EXE
• NISSERV.EXE
• NISUM.EXE
• NISUM.EXE
• NMAIN.EXE
• NORMIST
• NORMIST
• NORMIST.EXE
• NORMIST.EXE
• notstart
• notstart.exe
• NPROTECT
• NPROTECT.EXE
• npscheck
• npscheck.exe
• NPSSVC
• NPSSVC.EXE
• NSCHED32
• NSCHED32.EXE
• ntrtscan
• ntrtscan.EXE
• NTVDM.EXE
• NTXconfig
• NTXconfig.exe
• Nui.EXE
• Nupgrade
• Nupgrade.exe
• NVC95.EXE
• NVC95.EXE
• NVSVC32
• NVSVC32
• NWService
• NWService.exe
• NWTOOL16
• NWTOOL16.EXE
• PADMIN
• PADMIN.EXE
• PAVPROXY
• pavproxy
• PAVPROXY.EXE
• pavproxy.exe
• PCCIOMON
• PCCIOMON
• PCCIOMON.EXE
• PCCIOMON.EXE
• pccntmon
• pccntmon.EXE
• pccwin97
• pccwin97.EXE
• PCCWIN98
• PCCWIN98.EXE
• pcscan
• pcscan.EXE
• PERSFW