Registry-locking worm in the wild

By Matt Whipp

Posted on 10 Dec 2003 at 16:01

Sophos has alerted users to a new variant of the Yaha virus strain that tries to lock the Registry to prevent itself being disabled.

The worm masquerades as an email with a variety of subjects and messages, some purporting to be a fix for the Blaster viruses. The attachments are either zip or com file extensions - a bid to sneak past antivirus software that may not scan such file formats by default.

Once activated, the worm copies itself to the system folder and startup folders found on local and network drives. It also harvests email addresses from the local system and sends itself on to them.

In addition, it makes a number of Registry edits so that it is run at start up and whenever .exe, .bat, .com, or .scr files are opened. It also monitors the system and continually tries to shut down certain antivirus processes if found and will reset the changes it has made to the Registry if an attempt is made to alter or delete them.

Finally, the virus disable Regedit.exe so that the Registry editing toold are unavailable.

Sophos says it has already received a number of reports of the worm in the wild. Users should update their antivirus software as soon as possible.

More information can be found at the Sophos website.