Win32/Yaha.E

Win32/Yaha.E is an Internet worm that spreads via e-mail. When it is first run on a computer, it pretends to be a screen saver by repeatedly displaying the following texts in various colours:
U r so cute today "!"!
True Love never ends
I like U very much!!!
U r My Best Friend 
The worm creates a copy of itself in the Recycle directory. It also adds the following key to the Registry, whose purpose is to make sure the worm is run every time an EXE file is launched:
HKLM\Software\CLASSES\exefile\shell\open\command\default 
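
A check for this persistence mechanism, as an added example that is not part of the original description: it reads the exported key from `.reg` text and compares the default value with the stock Windows value `"%1" %*`. The function names and both sample exports are constructed for illustration; the hijacked value uses placeholders because the description does not give the worm's actual file name.

```python
import re

BENIGN = '"%1" %*'  # stock (Default) value of exefile\shell\open\command
KEY = r"hkey_local_machine\software\classes\exefile\shell\open\command"

def exefile_open_command(reg_text):
    """Return the (Default) value of the exefile open command, or None."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == KEY and line.startswith('@="') and line.endswith('"'):
            # Undo .reg escaping: \" becomes " and \\ becomes \
            return re.sub(r"\\(.)", r"\1", line[3:-1])
    return None

def is_hijacked(reg_text):
    """True when the key is present and differs from the stock value."""
    value = exefile_open_command(reg_text)
    return value is not None and value.strip() != BENIGN

# Constructed sample exports (decoded text; real exports are often UTF-16).
CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''
HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\<recycle-dir>\\<worm-copy>.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for label, text in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, is_hijacked(text), exefile_open_command(text))
```

When cleaning a machine, restore this value to `"%1" %*` before or together with deleting the worm's copy; if the value still points at a deleted file, EXE files will no longer start.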

Two more files with random names are created in the Windows directory: the first has the extension DLL and contains a list of the e-mail addresses found on the infected computer. The second file has the extension TXT and contains the text "iNDian sNakes pResents yAha.E"

The worm tries to disable some security and antivirus programs: for example Zonealarm, AVP, Mcafee, Norton, Fprot, PCcillin and several others.

The infected message sent by the virus is highly variable. The subject of the message is formed by combining the following words and phrases:

"searching for true Love" " you care ur friend" "Who is ur Best Friend" "make ur friend happy" "True Love" "Dont wait for long time" "Free Screen saver" "Friendship Screen saver" "Looking for Friendship" "Need a friend?" "Find a good friend" "Best Friends" "I am For u" "Life for enjoyment" "Nothink to worryy" "Ur My Best Friend" "Say 'I Like You' To ur friend" "Easy Way to revel ur love" "Wowwwwwwwwwww check it" "Send This to everybody u like" "Enjoy Romantic life" "Let's Dance and forget pains" "war Againest Loneliness" "How sweet this Screen saver" "Let's Laugh" "One Way to Love" "Learn How To Love" "Are you looking for Love" "love speaks from the heart" "Enjoy friendship" "Shake it baby" "Shake ur friends" "One Hackers Love" "Origin of Friendship" "The world of lovers" "The world of Friendship" "Check ur friends Circle" "Friendship" "how are you" "U r the person?" "Hi" "U realy Want this" "Romantic" "humour" "New" "Wonderfool" "excite" "Cool" "charming" "Idiot" "Nice" "Bullshit" "One" "Funny" "Great" "LoveGangs" "Shaking" "powful" "Joke" "Interesting" "Interesting" "Screensaver" "Friendship" "Love" "relations" "stuff" "to ur friends" "to ur lovers" "for you" "to see" "to check" "to watch" "to enjoy" "to share"

The body of the message itself contains the text:
"Hi Check the Attachment .. See u" 
or
"Attached one Gift for u.." 
or
"wOW CHECK THIS" 
and further text that looks like a forwarded message. The message always contains the following text:

This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
*********************************************************** 

Enjoy this friendship Screen Saver and Check ur friends circle... 

Send this screensaver from <web address> to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends. 

The attached file has two extensions; the second one, which is the one that matters to the system, is either pif, bat or scr. The file name itself is one from the following list:
screensaver screensaver4u screensaver4u screensaverforu freescreensaver love lovers lovescr loverscreensaver loversgang loveshore love4u lovers enjoylove sharelove shareit checkfriends urfriend friendscircle friendship friends friendscr friends friends4u friendship4u friendshipbird friendshipforu friendsworld werfriends passion bullshitscr shakeit shakescr shakinglove shakingfriendship passionup rishtha
greetings lovegreetings friendsgreetings friendsearch lovefinder truefriends truelovers fucker loveletter resume biodata dailyreport mountan goldfish weeklyreport report love 
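
A mail-filter check built from the indicators described above (an attachment with two extensions ending in pif, bat or scr, the listed base names, the fixed body text), as an added example that is not part of the original description. The scoring weights, the `jpg` decoy extension and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

EXEC_EXTS = {"pif", "bat", "scr"}  # second extension, per the description
BODY_MARKER = "enjoy this friendship screen saver and check ur friends circle"
# Subset of the listed attachment base names; extend from the list above.
KNOWN_NAMES = {"screensaver", "loveletter", "friendship", "resume", "biodata"}

def double_ext(filename):
    """Return (base, decoy_ext, real_ext) for name.x.{pif,bat,scr}, else None."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    parts = filename.strip().lower().rstrip(". ").split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS:
        return parts[0], parts[-2], parts[-1]
    return None

def score_message(raw_bytes):
    """Score one raw message; returns (score, reasons). Weights are assumed."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename()
        hit = double_ext(name) if name else None
        if hit:
            reasons.append((2, "double extension: " + name))
            if hit[0] in KNOWN_NAMES:
                reasons.append((1, "listed base name: " + hit[0]))
        elif not name and part.get_content_type() == "text/plain":
            # Collapse whitespace so line wrapping cannot hide the fixed text.
            text = " ".join(part.get_content().split()).lower()
            if BODY_MARKER in text:
                reasons.append((2, "fixed body text present"))
    return sum(w for w, _ in reasons), [r for _, r in reasons]

def build_sample(filename, body):
    """Constructed test message; the attachment is a harmless placeholder."""
    m = EmailMessage()
    m["Subject"] = "Friendship Screen saver"
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    body = "Enjoy this friendship Screen Saver and Check ur friends circle..."
    print(score_message(build_sample("friendship.jpg.scr", body)))
```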

The worm uses its own SMTP routine and sends the message either through the user's SMTP server or through one of the servers from a list it carries within itself.

Source: Alwil software, maker of the AVAST antivirus



Single-purpose antivirus:

Win32/Yaha.E, .F, .K, .L
  • Description/usage: From Windows.


  • A few pieces of good advice:

    Before using single-purpose antivirus tools, it is advisable to switch off the existing antivirus system, above all the on-access scanner (often called the resident shield).

    As for the widely used AVG 6.0 antivirus, its resident shield is switched off with a checkbox on one of the tabs of AVG Control Center (the icon in the bar at the bottom right). The four-colour icon should turn grey.

    In Windows XP and ME it is also advisable to turn off the OBNOVA SYSTÉMU (RESTORE SYSTEM) feature, which would otherwise later prevent deletion of infected files that have become "stuck" in the _RESTORE (Windows ME) or SYSTEM INFORMATION VOLUME (Windows XP) directories.

    Procedure for Windows ME:

  • Right-click the TENTO POČÍTAČ (MY COMPUTER) icon and choose VLASTNOSTI (PROPERTIES) from the menu.
  • Switch to the VÝKON (PERFORMANCE) tab and press the SOUBOROVÝ SYSTÉM (FILE SYSTEM) button.
  • There, move to the PŘI POTÍŽÍCH (TROUBLESHOOTING) tab and tick the last option, ZAKÁZAT OBNOVU SYSTÉMU (DISABLE SYSTEM RESTORE).
  • Confirm everything with the OK button; Windows will restart.

    Procedure for Windows XP:

  • Right-click the TENTO POČÍTAČ (MY COMPUTER) icon.
  • Choose VLASTNOSTI (PROPERTIES) and go to the OBNOVENÍ SYSTÉMU (SYSTEM RESTORE) tab.
  • Tick the option VYPNOUT NÁSTROJ OBNOVENÍ SYSTÉMU NA VŠECH JEDNOTKÁCH (TURN OFF SYSTEM RESTORE ON ALL DRIVES).
  • Confirm; Windows will restart.