-=Virus Warning=-

SkazzyUK

XP-erience Oldie
#1
Email I keep getting sent is :

Subject: indy

Viruses found in the attached files.
The attached file indy.xls.scr is infected by I-Worm/Yaha.G. The attachment was moved to the virus vault. The original message follows:
---
To activate a cheat, press [F10] during the game and enter its code at the command window. Code Result taklit_marion on God Mode urgon_elsa All Weapons azerim_sophia Health Items nub_willie Free Hints mem Show Memory version Show Game Version polys Show Polygon Rates makemeapi . .



---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002


As you can see it has a worm, this has been working its way around many unprotected businesses etc, it infests your machine and network then mails itself to all your contacts

You may have seen it before, it keeps bouncing off of me cos I am protected - god help you if your not, lots of different addresses keep mailing it to me,

Sorry if its already been said,

SkaZZy:D
 
M

mafiafromrussia

Guest
#4
yo really. what email u got? i do not recall getting any kind of stuff like that.
 

SkazzyUK

XP-erience Oldie
#5
I'm using outlook xp that came with office xp, I have AVG antivirus which has a Oulook express plugin to stop nasies like that,

I checked out Symantic and this is what I found out...


This is exactly what I was sent in the first place but it seems to have got around and now I'm getting e-mails from lots of different people but with different subjects and message bodies..

W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters ht. The worm randomly chooses the subject and body of the email message. The attachment will have a .bat, .pif or .scr file extension. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

The name of the file that the worm creates consists of four randomly generated characters between c and y.

It also attempts to terminate antivirus and firewall processes.

Removal tool
Symantec has provided a tool to remove infections of W32.Yaha.E@mm and W32.Yaha.F@mm. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.

Also Known As: WORM_YAHA.E [Trend], Worm/Lentin.F [Vexira], W32/Yaha.g@MM [McAfee], Yaha.E [F-Secure], W32/Yaha-E [Sophos], Win32.Yaha.E [CA]
Type: Worm
Infection Length: 29,948 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154

Wild

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate

Email routine details
URL:
When the worm runs its email routine, it chooses the URL that it is supposed to have originated from by merging a string from the following set of strings:

screensaver, screensaver4u, screensaver4u, screensaverforu, freescreensaver, love, lovers, lovescr, loverscreensaver, loversgang, loveshore, love4u, lovers, enjoylove, sharelove, shareit, checkfriends, urfriend, friendscircle, friendship, friends, friendscr, friends, friends4u, friendship4u, friendshipbird, friendshipforu, friendsworld, werfriends, passion, bullsh*tscr, shakeit, shakescr, shakinglove, shakingfriendship, passionup, rishtha, greetings, lovegreetings, friendsgreetings, friendsearch, lovefinder, truefriends, truelovers, or f*cker

with:

.com, .org, or .net

For example, it might name the URL Screensaver.com.

From:
The From field is a randomly-selected email address and may not be the legitimate sender.

Subject:
W32.Yaha.F@mm randomly chooses the subject from the following strings:
"Fw: ", " ", ":)", "!", "!!", "to ur friends", "to ur lovers", "for you", "to see", "to check", "to watch", "to enjoy", "to share", "Screensaver", "Friendship", "Love", "relations", "stuff", "Romantic", "humour", "New", "Wonderfool", "excite", "Cool", "charming", "Idiot", "Nice", "Bullsh*t", "One", "Funny", "Great", "LoveGangs", "Shaking", "powful", "Joke", "Interesting", "U realy Want this", "searching for true Love", "you care ur friend", "Who is ur Best Friend ", "make ur friend happy", "True Love", "Dont wait for long time", "Free Screen saver", "Friendship Screen saver", "Looking for Friendship", "Need a friend?", "Find a good friend", "Best Friends", "I am For u", "Life for enjoyment", "Nothink to worryy", "Ur My Best Friend ", "Say 'I Like You' To ur friend", "Easy Way to revel ur love", "Wowwwwwwwwwww check it", "Send This to everybody u like", "Enjoy Romantic life", "Let's Dance and forget pains", "war Againest Loneliness", "How sweet this Screen saver", "Let's Laugh ", "One Way to Love", "Learn How To Love", "Are you looking for Love", "love speaks from the heart", "Enjoy friendship", "Shake it baby", "Shake ur friends", "One Hackers Love", "Origin of Friendship", "The world of lovers", "The world of Friendship", "Check ur friends Circle", "Friendship", "how are you", "U r the person?", "Hi", or "¯"

Message:
The message will be:

<HTML><HEAD></HEAD><BODY>

followed by:

<iframe src=3Dcid:[SomeCID] height=3D0 width=3D0></iframe>

or

[nothing]

This is followed by:

<FONT></FONT>

followed by:

.
.

followed by:

Check the attachment
or See the attachement
or Enjoy the attachement
or More details attached

followed by:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
or

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:[Infected User's e-mail Address]

For further assistance, please contact < postmaster@[URL of recipient] >
If you do so, please include this problem report. You can
delete your own text from the message returned below.

Copy of your message, including all the headers is attached

NOTE: In this case, the e-mail message will appear to be from the mailer-daemon@[URL of recpient], also the e-mail attachment will be an eml file that will contain the worm as an attachment.

or

Hi
Check the Attachement ..
See u

or

Hi
Check the Attachement ..

or

Attached one Gift for u..

or

wOW CHECK THIS

followed by:
<Infected Computer's Username>

----- Original Message -----
From: "Random string from above]" < [Random string from above]@[URL constructed above] >
To: < [Infected User's e-mail Address] >
Sent: [Infection date and time]
Subject: [Subject constructed above]

This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.[URL constructed above] to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.
* To remove yourself from this mailing list, point your browser to:
http://[URL constructed above]/remove?freescreensaver

* Enter your email address ([infected user's e-mail address]) in the field provided and click "Unsubscribe".


OR...


* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address [infected user's e-mail address]
X-PMG-Recipient: [Infected Username]
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
The message closes with:

</BODY></HTML>

Attachment
The attachment name is constructed from the following file names:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love

followed by:
.doc
.mp3
.xls
.wav
.txt
.jpg
.gif
.dat
.bmp
.htm
.mpg
.mdb
.zip

with one of the following extensions:
.pif
.bat
.scr

The worm uses its own SMTP Engine. It attempts to use the infected computer's default SMTP server to send mail. If it cannot find that information, then it uses one of many SMTP server addresses that are hardcoded into the worm.

NOTE: None of the above mass-mailing characteristics could be reproduced in the lab environment.

That is the most important stuff, make sure your up to date and backed up,

SkaZZy:D
 
A

Ace123

Guest
#6
Get zone alarm. It can infect me all it wants lol I don have any contacts.. never kept any I'm too lazy hehe
 
M

mafiafromrussia

Guest
#7
oh well. i just check my yahoo account using IE. now that yahoo doesnt allow free pop3 mail. and aol to get aol mail. pretty simple. and no viruses
 

Members online

No members online now.

Latest posts

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there https://tinyurl.com/ycpxl
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,971
Messages
673,300
Members
89,016
Latest member
Poseeut