-=Virus Warning=-

Discussion in 'Windows Desktop Systems' started by SkazzyUK, Nov 6, 2002.

  1. SkazzyUK

    SkazzyUK XP-erience Oldie

    Brighton, West Sussex, UK
    Email I keep getting sent is:

    Subject: indy

    Viruses found in the attached files.
    The attached file indy.xls.scr is infected by I-Worm/Yaha.G. The attachment was moved to the virus vault. The original message follows:
    To activate a cheat, press [F10] during the game and enter its code at the command window. Code Result taklit_marion on God Mode urgon_elsa All Weapons azerim_sophia Health Items nub_willie Free Hints mem Show Memory version Show Game Version polys Show Polygon Rates makemeapi . .

    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002

    As you can see it has a worm; this has been working its way around many unprotected businesses etc. It infests your machine and network, then mails itself to all your contacts.

    You may have seen it before, it keeps bouncing off of me cos I am protected - god help you if you're not, lots of different addresses keep mailing it to me,

    Sorry if it's already been said,

  2. You get that where? I never get anything like that.
  3. Hipster Doofus

    Hipster Doofus Good grief Charlie Brown

    Melbourne Australia
    Thanx for the heads up SkazzyUK. :)
  4. Yo really. What email u got? I do not recall getting any kind of stuff like that.
  5. SkazzyUK

    SkazzyUK XP-erience Oldie

    Brighton, West Sussex, UK
    I'm using Outlook XP that came with Office XP; I have AVG antivirus, which has an Outlook Express plugin to stop nasties like that.

    I checked out Symantec and this is what I found out...

    This is exactly what I was sent in the first place, but it seems to have got around and now I'm getting e-mails from lots of different people, but with different subjects and message bodies.

    W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters ht. The worm randomly chooses the subject and body of the email message. The attachment will have a .bat, .pif or .scr file extension. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

    The name of the file that the worm creates consists of four randomly generated characters between c and y.

    It also attempts to terminate antivirus and firewall processes.

    Removal tool
    Symantec has provided a tool to remove infections of W32.Yaha.E@mm and W32.Yaha.F@mm. Click here to obtain the tool.
    This is the easiest way to remove these threats and should be tried first.

    Also Known As: WORM_YAHA.E [Trend], Worm/Lentin.F [Vexira], W32/Yaha.g@MM [McAfee], Yaha.E [F-Secure], W32/Yaha-E [Sophos], Win32.Yaha.E [CA]
    Type: Worm
    Infection Length: 29,948 bytes
    Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
    Systems Not Affected: Macintosh, Unix, Linux
    CVE References: CVE-2001-0154


    Number of infections: 50 - 999
    Number of sites: More than 10
    Geographical distribution: Medium
    Threat containment: Easy
    Removal: Moderate

    Email routine details
    When the worm runs its email routine, it chooses the URL that it is supposed to have originated from by merging a string from the following set of strings:

    screensaver, screensaver4u, screensaver4u, screensaverforu, freescreensaver, love, lovers, lovescr, loverscreensaver, loversgang, loveshore, love4u, lovers, enjoylove, sharelove, shareit, checkfriends, urfriend, friendscircle, friendship, friends, friendscr, friends, friends4u, friendship4u, friendshipbird, friendshipforu, friendsworld, werfriends, passion, bullsh*tscr, shakeit, shakescr, shakinglove, shakingfriendship, passionup, rishtha, greetings, lovegreetings, friendsgreetings, friendsearch, lovefinder, truefriends, truelovers, or f*cker


    .com, .org, or .net

    For example, it might name the URL Screensaver.com.

    The From field is a randomly-selected email address and may not be the legitimate sender.

    W32.Yaha.F@mm randomly chooses the subject from the following strings:
    "Fw: ", " ", ":)", "!", "!!", "to ur friends", "to ur lovers", "for you", "to see", "to check", "to watch", "to enjoy", "to share", "Screensaver", "Friendship", "Love", "relations", "stuff", "Romantic", "humour", "New", "Wonderfool", "excite", "Cool", "charming", "Idiot", "Nice", "Bullsh*t", "One", "Funny", "Great", "LoveGangs", "Shaking", "powful", "Joke", "Interesting", "U realy Want this", "searching for true Love", "you care ur friend", "Who is ur Best Friend ", "make ur friend happy", "True Love", "Dont wait for long time", "Free Screen saver", "Friendship Screen saver", "Looking for Friendship", "Need a friend?", "Find a good friend", "Best Friends", "I am For u", "Life for enjoyment", "Nothink to worryy", "Ur My Best Friend ", "Say 'I Like You' To ur friend", "Easy Way to revel ur love", "Wowwwwwwwwwww check it", "Send This to everybody u like", "Enjoy Romantic life", "Let's Dance and forget pains", "war Againest Loneliness", "How sweet this Screen saver", "Let's Laugh ", "One Way to Love", "Learn How To Love", "Are you looking for Love", "love speaks from the heart", "Enjoy friendship", "Shake it baby", "Shake ur friends", "One Hackers Love", "Origin of Friendship", "The world of lovers", "The world of Friendship", "Check ur friends Circle", "Friendship", "how are you", "U r the person?", "Hi", or "¯"

    The message will be:


    followed by:

    <iframe src=3Dcid:[SomeCID] height=3D0 width=3D0></iframe>



    This is followed by:


    followed by:


    followed by:

    Check the attachment
    or See the attachement
    or Enjoy the attachement
    or More details attached

    followed by:

    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

    This message was created automatically by mail delivery software (Exim).

    A message that you sent could not be delivered to one or more of its recipients.
    This is a permanent error. The following address(es) failed:[Infected User's e-mail Address]

    For further assistance, please contact < postmaster@[URL of recipient] >
    If you do so, please include this problem report. You can
    delete your own text from the message returned below.

    Copy of your message, including all the headers is attached

    NOTE: In this case, the e-mail message will appear to be from mailer-daemon@[URL of recipient]; also, the e-mail attachment will be an .eml file that contains the worm as an attachment.


    Check the Attachement ..
    See u


    Check the Attachement ..


    Attached one Gift for u..



    followed by:
    <Infected Computer's Username>

    ----- Original Message -----
    From: "[Random string from above]" < [Random string from above]@[URL constructed above] >
    To: < [Infected User's e-mail Address] >
    Sent: [Infection date and time]
    Subject: [Subject constructed above]

    This e-mail is never sent unsolicited. If you need to unsubscribe,
    follow the instructions at the bottom of the message.
    Enjoy this friendship Screen Saver and Check ur friends circle...
    Send this screensaver from www.[URL constructed above] to everyone you
    consider a FRIEND, even if it means sending it back to the person
    who sent it to you. If it comes back to you, then you'll know you
    have a circle of friends.
    * To remove yourself from this mailing list, point your browser to:
    http://[URL constructed above]/remove?freescreensaver

    * Enter your email address ([infected user's e-mail address]) in the field provided and click "Unsubscribe".


    * Reply to this message with the word "REMOVE" in the subject line.
    This message was sent to address [infected user's e-mail address]
    X-PMG-Recipient: [Infected Username]
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
    The message closes with:


    The attachment name is constructed from the following file names:

    followed by:

    with one of the following extensions:

    The worm uses its own SMTP Engine. It attempts to use the infected computer's default SMTP server to send mail. If it cannot find that information, then it uses one of many SMTP server addresses that are hardcoded into the worm.

    NOTE: None of the above mass-mailing characteristics could be reproduced in the lab environment.

    That is the most important stuff, make sure you're up to date and backed up,
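As an added example (not code from the thread or from Symantec's write-up), a small Python check that flags the mail traits the write-up above describes: a sender domain built from the lure words plus .com/.org/.net, a .bat/.pif/.scr attachment hiding behind a document extension (indy.xls.scr), and the zero-sized cid: iframe. The word list is a subset, and the sample message and its cid value are constructed here.

```python
# Added example (not from the thread or Symantec); word subset and sample constructed.
import email.policy
import re
from email.utils import parseaddr
# Subset of the lure words the write-up says get joined to .com/.org/.net
LURE_WORDS = {"screensaver", "freescreensaver", "lovers", "friends4u", "truelovers"}
# .bat/.pif/.scr per the write-up; a document extension in front (indy.xls.scr)
EXEC_EXT = re.compile(r"\.(bat|pif|scr)$", re.I)
DOUBLE_EXT = re.compile(r"\.(xls|doc|txt|jpg|htm|html)\.(bat|pif|scr)$", re.I)
# Zero-sized IFRAME loading a MIME part via cid: (=3D in the quoted body is QP for =)
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*src="?cid:[^\s>"]+[^>]*(height="?0"?|width="?0"?)', re.I)

def lure_domain(from_header):
    # True if the From address uses one of the worm's fabricated domains
    host = parseaddr(str(from_header or ""))[1].rpartition("@")[2].lower()
    return any(host == w + t for w in LURE_WORDS for t in (".com", ".org", ".net"))

def yaha_indicators(raw):
    # Return the Yaha-like traits found in one RFC 822 message string
    msg = email.message_from_string(raw, policy=email.policy.default)
    hits = ["lure-domain-sender"] if lure_domain(msg["From"]) else []
    for part in msg.walk():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name):
            hits.append("double-extension-attachment")
        elif EXEC_EXT.search(name):
            hits.append("executable-attachment")
        if (part.get_content_type() == "text/html"
                and HIDDEN_IFRAME.search(part.get_content())):
            hits.append("hidden-cid-iframe")
    return hits

# Constructed sample modelled on the message quoted in the first post.
SAMPLE = """\
From: "freescreensaver" <freescreensaver@friends4u.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Check the attachement<br><iframe src=3Dcid:indy height=3D0 width=3D0></iframe>
--b1
Content-Type: application/octet-stream; name="indy.xls.scr"

not a real worm
--b1--
"""
```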

  6. Ace123

    Ace123 Guest

    Get ZoneAlarm. It can infect me all it wants lol, I don't have any contacts.. never kept any, I'm too lazy hehe
  7. Oh well. I just check my Yahoo account using IE, now that Yahoo doesn't allow free POP3 mail, and AOL to get AOL mail. Pretty simple, and no viruses.
  8. Nick M

    Nick M Moderator

    SkazzyUK; thanks for the info; I'll watch out for it.