[Hinweis] Wurm Yaha schießt Antiviren-Programme ab

[Brummelchen]

Aus einem anderen Board:

Wurm Yaha schießt Antiviren-Programme ab

--------------------------------------------------------------------------------

Die Antiviren-Hersteller warnen derzeit vor einer neuen Variante des Mail-Wurms Yaha, der sich rasant im Internet ausbreitet. Der Wurm trägt den Namen "W32/ Yaha.k" und war erstmals kurz vor Weihnachten aufgetaucht. Mit dem neuen Jahr hat seine Verbreitung zugenommen, so dass beispielsweise Mcafee das Gefahrenpotential von zunächst "Low" auf "Medium" hochstufte.

Der Wurm verbreitet sich per ".exe"- oder ".scr"-Datei im Anhang in einer Mail und nutzt unzählige Betreff-Titel und Mail-Texte. Unter anderem tragen Mails, die den Wurm enthalten, die Betreffzeilen "Are you the BEST", "Wanna be Friends?", "Free Demo Game" oder "XXX Screensavers 4 U".

Sobald Yaha auf die Festplatte gelangt ist, setzt er sich gleich mehrmals unter anderem mit den Dateinamen "NAV32_LOADER.EXE", "TCPSVS32.EXE" und "WINSERVICES.EXE" im Systemverzeichnis von Windows (\Windows\System) fest. Über einen Eintrag in der Registry sorgt Yaha dafür, dass er bei jedem Systemstart aktiviert wird.

Yaha besitzt einen eigenen SMTP-Teil mit dessen Hilfe er sich munter per Mails weiterverbreitet und dabei die Absenderadresse fälscht.

Tückisch: Ist Yaha erst einmal gestartet, dann sorgt er dafür, dass er von gängigen Antiviren-Software nicht erkannt werden kann, in dem er diese Programme einfach "abschießt", also beendet. Außerdem werden unter anderem auch verschiedene Firewall- und System- Programme von ihm beendet.

Wer sich den Wurm eingefangen hat, dem dürfte es schwer fallen, ihn wieder loszuwerden. Jeder Scan- Versuch wird von dem Wurm beendet. Als Gegenmittel bietet beispielsweise Mcafee eine aktualisierte Version seines Wurm-Entfernungs-Tools "Stinger" an.

Der "McAfee Avert Stinger" erkennt und beseitigt neben dem Yaha auch andere Würmer wie beispielsweise Klez, Bugbear und Elkern. Der Download beträgt knapp 630 Kilobyte.

http://vil.nai.com/vil/stinger/

Stinger erkennt folgende Viren/Trojaner:
- Bugbear
- Elkern
- Klez
- Yaha


Aus Central Command:

VIRUS ADVISORY ISSUED BY CENTRALCOMMAND
on December 30, 2002
for Worm/Yaha.M

VIRUS ADVISORY The Central Command Emergency Virus Response Teamâ„¢ (EVRTâ„¢) has received virus infection reports for the new Internet Worm/Yaha.M. Due to increased customer inquires and infection reports the EVRT is issuing a VIRUS ADVISORY.

Help us defeat viruses, forward this newsletter to your friends.

You are receiving this news letter because you are a subscriber to the Central Command Virus News mailing list.

[ EVRTâ„¢ Virus advisory issued for Worm/Yaha.M ]

Complete description can be read online by clicking here

Details:

Name: Worm/Yaha.M
Alias: W32/Yaha-M
Type: Internet Worm
Discovered: December 21, 2002
Size: 34.304KB

Description:

Worm/Yaha.M is is a modification of Worm/Yaha.A (Valentine.scr), an Internet worm that spread by retrieving e-mail addresses from the Windows Address Book, as well as, from addresses found in cached webpages(HTM, HTML and HTA files). Unlike other variants of Yaha, this variant does not show the funny screens the previous versions displayed.

If executed, the worm copies itself in the \windows\%system% directory under the filenames:

- tcpsvs32.exe
- nav32_loader.exe
- WinServices.exe
- winloader32.dll

So that it gets run each time a user restart their computer the following registry keys get added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

and

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"

Additionally, the following key gets added:

- HKEY_CLASSES_ROOT\exefile\shell\open\command
@="\"%1\" %*"
@="\"C:\\WINDOWS\\SYSTEM\\nav32_loader.exe\"\"%1\"%*"

Worm/Yaha.M was originally received as "hotmail_hack.exe".

[ Vexira Antivirus Solutions ]

- Vexira Antivirus for Home
- Vexira Antivirus Corporate Edition
- Vexira Antivirus for Windows Server
- Vexira Antivirus for Linux Server
- Vexira Antivirus for Linux Workstation
- Vexira Antivirus for FreeBSD
- Vexira Antivirus for OpenBSD
- Vexira MailArmor for Sendmail
- Vexira MailArmor for Sendmail + Milter
- Vexira MailArmor for Qmail
- Vexira MailArmor for Postfix
- Vexira MailArmor for SuSE
- Vexira MailArmor for Exim

More information: http://www.centralcommand.com

[ Subscription information ]

Central Command, Inc. respects your online privacy. You at anytime can easily remove your e-mail address from the Central Command mailing list by entering in your e-mail address at the following web page: http://www.centralcommand.com/unsubscribe.html

You will receive a confirmation message about your successful removal from News

[ Legal Notice and Disclaimer ]

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

Disclaimer of warranties and limitation of liability

This information is provided by Central Command, Inc. on an "AS IS" and "AS AVAILABLE" basis. Central Command, Inc. makes no representations or warranties of any kind, express or implied, as to the information, content, materials, or products included, or mentioned within this information bulletin. You expressly agree that your use of this information is at your sole risk. The user assumes the entire risk as to the accuracy and the use of this document.

To the full extent permissible by applicable law, Central Command, Inc. disclaims all warranties, express or implied, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose and freedom from infringement. Central Command, Inc. does not warrant that this information is accurate. Central Command, Inc. will not be liable for any damages of any kind arising from the use of this information, including, but not limited to direct, indirect, incidental, punitive, and consequential damages.

Certain state laws do not allow limitations on implied warranties or the exclusion or limitation of certain damages. if these laws apply to you, some or all of the above disclaimers, exclusions, or limitations may not apply to you, and you might have additional rights.

[ Copyrights and Trademarks ]

Central Command, PerfectSupport, EVRT, Emergency Virus Response Team, Virus Protection for the Real World, Without us, there's no defense. are trademarks of Central Command Inc. All other trademarks, trade name and product names are property of their respective owners. Copyright © 2000, 2001, 2002 Central Command Inc. All rights reserved.

[god2000]

hab das tool durchlaufen lassen. nichts gefunden :-))