Yaha computer worm resurfaces as Yaha-Q
By Alun Williams
Posted on 11 Mar 2003 at 12:40
Another variant of the Yaha worm has been spotted in the wild - Yaha-Q.
A twist in the tail of this latest worm is that it drops a 'logic bomb' on a Wednesday. On this day, W32/Yaha-Q will carry out four operations: change the IE homepage to point at www.indiansnakes.cjb.net, append a link to the same Web site in various HTML files, attempt to spread to network shares and create a randomly named text file in the Windows directory. This file will contain one of a number of garbled, anti-Pakistani messages.
The worm is hard to spot as it can have a very large selection of subject lines and body copy. The sender listed in the 'From' field is no guide, either, as the email may also be spoofed, i.e. it is not necessarily from the specified sender. Sophos reports that W32/Yaha-Q copies itself to the files exeloader.exe and mstask32.exe in the Windows system folder.
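The traces described above (the two dropped file names and the link appended to HTML files) can be turned into a simple triage sweep. This is an added example, not Sophos's detection logic or code from the original article; the function names, the directory layout and the sample files are constructed for illustration, and the IE start-page value is assumed to have been read separately.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the article; everything else here is an assumption.
DROPPED_NAMES = {"exeloader.exe", "mstask32.exe"}
LINKED_SITE = "www.indiansnakes.cjb.net"
HTML_SUFFIXES = {".htm", ".html"}


def scan_tree(root):
    """Walk root and return sorted (kind, relative_path) leads for triage."""
    root = Path(root)
    leads = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower() in DROPPED_NAMES:
                # A file name alone is a lead, not proof of infection.
                leads.append(("dropped_file", rel))
            elif path.suffix.lower() in HTML_SUFFIXES:
                try:
                    text = path.read_text(encoding="utf-8", errors="ignore")
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
                if LINKED_SITE in text.lower():
                    leads.append(("html_link", rel))
    return sorted(leads)


def homepage_hijacked(start_page):
    """True if an IE start-page value (read elsewhere) points at the site."""
    return LINKED_SITE in start_page.lower()


def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "system32").mkdir()
        (base / "web").mkdir()
        (base / "system32" / "MSTASK32.EXE").write_bytes(b"constructed")
        (base / "system32" / "mstask.exe").write_bytes(b"constructed")
        (base / "web" / "index.html").write_text(
            '<a href="http://WWW.indiansnakes.cjb.net">x</a>')
        (base / "web" / "clean.htm").write_text("<p>hello</p>")
        return scan_tree(base)


if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

Matching is case-insensitive on both file names and the link text, and the similarly named mstask.exe in the sample is deliberately not flagged.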
Graham Cluley, Senior Technology Consultant at Sophos, told us that Yaha and its various manifestations were the creation of a group of Indian hackers. The juvenile agenda of this group apparently includes an anti-Pakistan sentiment, with Pakistani hackers being a particular target.
Yaha and its various clones have a long history. It first emerged in January 2000 in the guise of a Valentine-related screen saver. According to Cluley, the Yaha-E and -K variants are the most prevalent and are still doing the rounds. The worm has even provoked a counterblast, 'Yaha Sucks', he told us. This was apparently created by a female hacker, 'gigabyte', who gets a name check in this latest Yaha variant.
You can find out more info from the Sophos Web site, and obtain a virus identity file (IDE) for use with its Anti-Virus Software.
On the tail of Yaha-Q, as it were, is W32/Deloder-A. This network worm and backdoor Trojan has been spreading slowly since it emerged at the weekend. The password-guessing worm attempts to log on to other computers on the local network and copies a backdoor Trojan component, inst.exe, to Windows startup folders.
