I'm forwarding this direct to you all, not to worry you but to make
you aware. Please though, no on-list discussions. Any comments please
email me direct, after you have checked details with your particular
AV supplier and the 2 references below.
Thanks,
David
Admin.
----- Original Message -----
From: "John A Hansen"
Sent: Thursday, January 02, 2003 3:10 PM
Subject: [LO] Yaha Virus increasing
Dear All:
This is another bad one. Be sure to update your AV database
software ASAP. For most people it merely means hitting the
live update button.
You can read some more about it at :
www.sarc.com
www.mcfee.com
Norton ( Sarc) has a nice write up on how to remove.
SARC only shows a level 2 at this point, but several AV
monitors are showing much wider distribution than normal.
Best Regards
John A Hansen
January 2, 2003
Return of the Yaha Worm
By Ryan Naraine
E-mail security firms are warning that a variant of the Yaha.M
mass-mailing virus is again circulating, urging administrators to
block attachments ending with ".scr," ".exe" and ".com" at the
firewall level to keep the worm at bay.
MessageLabs slapped a "High Risk" rating on the new Yaha.M-mm worm,
which was discovered over the holidays and has been wreaking
havoc on e-mail around the world. To date, MessageLabs has
intercepted 36,033 copies of the virus in more than 100 countries.
McAfee has also upped its rating on the new Yaha variant, which
propagates via e-mail using its own built-in SMTP engine. The worm
terminates specific processes if they are running (AV/security
related), and contains code to deliver a denial-of-service attack
against a remote machine (the target is hard-coded within the worm),
the company warned.
McAfee warned that the virus is capable of terminating the virus
scan programs before any scanning/removal can be done and
recommended that infected users use the Stinger removal tool to
disinfect systems.
In an advisory, anti-virus firm F-Secure also upgraded the new
worm -- dubbed Yaha.K -- and warned that the worm looks for e-mail
addresses in Windows Address Book, cache folders of .NET and MSN
messengers and in Yahoo Messenger profile folders. The company said
the worm then sends itself to all e-mail addresses and composes
several different types of e-mails with different subjects, bodies
and attachment names.
F-Secure noted that the worm can change the default Internet
Explorer startup page to point to one of several sites owned by
hacking groups. Yaha.K also tries to create a denial-of-service
attack on the infopak.gov.pk Web site.
To disinfect a system, F-Secure said three worm files must be
deleted and a registry fix applied
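
The attachment blocking the article recommends, sketched as a mail-gateway check. This is an added example, not code from the article or from any of the vendors it quotes. The function name and the sample message are constructed for illustration, and the check is assumed to run wherever inbound mail is inspected.

```python
import email
import os
from email import policy

# Extensions the article urges administrators to block.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".com"}

def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return filenames of MIME parts whose final extension is blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition "filename" and falls
        # back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and ignore trailing dots/spaces,
        # which Windows drops when the file is saved. Only the last
        # extension counts, so "photo.jpg.SCR" is still caught.
        cleaned = name.strip().rstrip(". ").lower()
        if os.path.splitext(cleaned)[1] in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

# Constructed sample message (not a real capture).
SAMPLE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="photo.jpg.SCR"

AAAA
--b1
Content-Type: application/octet-stream; name="Readme.Com"

AAAA
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

ok
--b1--
"""

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```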