-=Virus Warning=-

SkazzyUK

Email I keep getting sent is :

Subject: indy

Viruses found in the attached files.
The attached file indy.xls.scr is infected by I-Worm/Yaha.G. The attachment was moved to the virus vault. The original message follows:
---
To activate a cheat, press [F10] during the game and enter its code at the command window. Code Result taklit_marion on God Mode urgon_elsa All Weapons azerim_sophia Health Items nub_willie Free Hints mem Show Memory version Show Game Version polys Show Polygon Rates makemeapi . .



---
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.410 / Virus Database: 231 - Release Date: 31/10/2002


As you can see it has a worm. This has been working its way around many unprotected businesses etc. It infests your machine and network, then mails itself to all your contacts.

You may have seen it before. It keeps bouncing off of me cos I am protected - god help you if you're not. Lots of different addresses keep mailing it to me.

Sorry if it's already been said,

SkaZZy:D
 
you get that where? i never get anything like that.
 
yo really. what email u got? i do not recall getting any kind of stuff like that.
 
I'm using Outlook XP that came with Office XP. I have AVG antivirus, which has an Outlook Express plugin to stop nasties like that.

I checked out Symantec and this is what I found out...


This is exactly what I was sent in the first place but it seems to have got around and now I'm getting e-mails from lots of different people but with different subjects and message bodies..

W32.Yaha.F@mm is a mass-mailing worm that sends itself to all email addresses that exist in the Microsoft Windows Address Book, the MSN Messenger List, the Yahoo Pager list, the ICQ list, and files that have extensions that contain the letters ht. The worm randomly chooses the subject and body of the email message. The attachment will have a .bat, .pif or .scr file extension. Depending upon the name of the Recycled folder, the worm either copies itself to that folder or to the %Windows% folder.

The name of the file that the worm creates consists of four randomly generated characters between c and y.

It also attempts to terminate antivirus and firewall processes.

Removal tool
Symantec has provided a tool to remove infections of W32.Yaha.E@mm and W32.Yaha.F@mm. Click here to obtain the tool.
This is the easiest way to remove these threats and should be tried first.

Also Known As: WORM_YAHA.E [Trend], Worm/Lentin.F [Vexira], W32/Yaha.g@MM [McAfee], Yaha.E [F-Secure], W32/Yaha-E [Sophos], Win32.Yaha.E [CA]
Type: Worm
Infection Length: 29,948 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154

Wild

Number of infections: 50 - 999
Number of sites: More than 10
Geographical distribution: Medium
Threat containment: Easy
Removal: Moderate

Email routine details
URL:
When the worm runs its email routine, it chooses the URL that it is supposed to have originated from by merging a string from the following set of strings:

screensaver, screensaver4u, screensaver4u, screensaverforu, freescreensaver, love, lovers, lovescr, loverscreensaver, loversgang, loveshore, love4u, lovers, enjoylove, sharelove, shareit, checkfriends, urfriend, friendscircle, friendship, friends, friendscr, friends, friends4u, friendship4u, friendshipbird, friendshipforu, friendsworld, werfriends, passion, bullsh*tscr, shakeit, shakescr, shakinglove, shakingfriendship, passionup, rishtha, greetings, lovegreetings, friendsgreetings, friendsearch, lovefinder, truefriends, truelovers, or f*cker

with:

.com, .org, or .net

For example, it might name the URL Screensaver.com.

From:
The From field is a randomly-selected email address and may not be the legitimate sender.

Subject:
W32.Yaha.F@mm randomly chooses the subject from the following strings:
"Fw: ", " ", ":)", "!", "!!", "to ur friends", "to ur lovers", "for you", "to see", "to check", "to watch", "to enjoy", "to share", "Screensaver", "Friendship", "Love", "relations", "stuff", "Romantic", "humour", "New", "Wonderfool", "excite", "Cool", "charming", "Idiot", "Nice", "Bullsh*t", "One", "Funny", "Great", "LoveGangs", "Shaking", "powful", "Joke", "Interesting", "U realy Want this", "searching for true Love", "you care ur friend", "Who is ur Best Friend ", "make ur friend happy", "True Love", "Dont wait for long time", "Free Screen saver", "Friendship Screen saver", "Looking for Friendship", "Need a friend?", "Find a good friend", "Best Friends", "I am For u", "Life for enjoyment", "Nothink to worryy", "Ur My Best Friend ", "Say 'I Like You' To ur friend", "Easy Way to revel ur love", "Wowwwwwwwwwww check it", "Send This to everybody u like", "Enjoy Romantic life", "Let's Dance and forget pains", "war Againest Loneliness", "How sweet this Screen saver", "Let's Laugh ", "One Way to Love", "Learn How To Love", "Are you looking for Love", "love speaks from the heart", "Enjoy friendship", "Shake it baby", "Shake ur friends", "One Hackers Love", "Origin of Friendship", "The world of lovers", "The world of Friendship", "Check ur friends Circle", "Friendship", "how are you", "U r the person?", "Hi", or "¯"

Message:
The message will be:

<HTML><HEAD></HEAD><BODY>

followed by:

<iframe src=3Dcid:[SomeCID] height=3D0 width=3D0></iframe>

or

[nothing]

This is followed by:

<FONT></FONT>

followed by:

.
.

followed by:

Check the attachment
or See the attachement
or Enjoy the attachement
or More details attached

followed by:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
or

This message was created automatically by mail delivery software (Exim).

A message that you sent could not be delivered to one or more of its recipients.
This is a permanent error. The following address(es) failed:[Infected User's e-mail Address]

For further assistance, please contact < postmaster@[URL of recipient] >
If you do so, please include this problem report. You can
delete your own text from the message returned below.

Copy of your message, including all the headers is attached

NOTE: In this case, the e-mail message will appear to be from the mailer-daemon@[URL of recipient]. The e-mail attachment will also be an eml file that contains the worm as an attachment.

or

Hi
Check the Attachement ..
See u

or

Hi
Check the Attachement ..

or

Attached one Gift for u..

or

wOW CHECK THIS

followed by:
<Infected Computer's Username>

----- Original Message -----
From: "[Random string from above]" < [Random string from above]@[URL constructed above] >
To: < [Infected User's e-mail Address] >
Sent: [Infection date and time]
Subject: [Subject constructed above]

This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from www.[URL constructed above] to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.
* To remove yourself from this mailing list, point your browser to:
http://[URL constructed above]/remove?freescreensaver

* Enter your email address ([infected user's e-mail address]) in the field provided and click "Unsubscribe".


OR...


* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address [infected user's e-mail address]
X-PMG-Recipient: [Infected Username]
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
The message closes with:

</BODY></HTML>

Attachment
The attachment name is constructed from the following file names:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love

followed by:
.doc
.mp3
.xls
.wav
.txt
.jpg
.gif
.dat
.bmp
.htm
.mpg
.mdb
.zip

with one of the following extensions:
.pif
.bat
.scr

The worm uses its own SMTP Engine. It attempts to use the infected computer's default SMTP server to send mail. If it cannot find that information, then it uses one of many SMTP server addresses that are hardcoded into the worm.

NOTE: None of the above mass-mailing characteristics could be reproduced in the lab environment.

That is the most important stuff. Make sure you're up to date and backed up,

SkaZZy:D
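
The attachment naming and hidden-iframe body described in the write-up above can be checked at a mail gateway. This is an added example, not part of the original post or of Symantec's advisory; the function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Extensions taken from the advisory quoted above.
EXECUTABLE_EXTS = {".pif", ".bat", ".scr"}
DECOY_EXTS = {".doc", ".mp3", ".xls", ".wav", ".txt", ".jpg", ".gif",
              ".dat", ".bmp", ".htm", ".mpg", ".mdb", ".zip"}
# Zero-sized iframe that loads an embedded (cid:) part, as in the quoted body.
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*src=[\"']?cid:[^>]*(?:height|width)=[\"']?0", re.I)

def split_double_ext(filename):
    """Return (decoy_ext, final_ext) for names like 'indy.xls.scr', else None."""
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    decoy, final = "." + parts[1], "." + parts[2]
    if decoy in DECOY_EXTS and final in EXECUTABLE_EXTS:
        return decoy, final
    return None

def scan_message(raw):
    """Return (rule, detail) findings for one message given as text."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and split_double_ext(name):
            findings.append(("double-extension", name))
        if part.get_content_type() == "text/html":
            # decode=True undoes quoted-printable, so '=3D' becomes '='.
            body = part.get_payload(decode=True).decode("latin-1")
            if HIDDEN_IFRAME.search(body):
                findings.append(("hidden-cid-iframe", None))
    return findings

# Constructed sample message (not a captured one); attachment body is a placeholder.
SAMPLE = """\
Subject: indy
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:x height=3D0 width=3D0></iframe></BODY></HTML>
--b1
Content-Disposition: attachment; filename="indy.xls.scr"

placeholder
--b1--
"""
```

A name such as `report.xls` or `setup.scr` alone does not match the double-extension rule; blocking bare `.pif`, `.bat` and `.scr` attachments is a separate, broader policy.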
 
Get ZoneAlarm. It can infect me all it wants lol, I don't have any contacts.. never kept any, I'm too lazy hehe
 
oh well. i just check my yahoo account using IE, now that yahoo doesn't allow free pop3 mail, and aol to get aol mail. pretty simple. and no viruses
 
SkazzyUK; thanks for the info; I'll watch out for it.
 
