Yaha.J, K, or L?
New variant confuses antivirus vendors, users
What's in a name? Apparently, if you are a virus, not enough. Several new variants of the Yaha worm were discovered almost simultaneously in late December, and the antivirus vendors have not been able to agree on names for them. Normally each new variant of a family is given the next letter of the alphabet as a suffix: Yaha.A is the original, and later variants become Yaha.B, Yaha.C, and so on. The trouble starts when vendors do not assign the same letter to the same sample. A user then has no easy way to tell whether the variant their vendor claims to detect is the one they are actually worried about: what one vendor calls Yaha.J may be another vendor's Yaha.L.

In an effort to clear up the confusion, but perhaps muddying the waters further, managed service provider MessageLabs began appending a further identifier to its names for the variants. Using a 4-digit hexadecimal code generated internally, MessageLabs renamed its original Yaha.J, Yaha.K, and Yaha.L to W32/Yaha.J!2c3b, W32/Yaha.J!f871, and W32/Yaha.J!5fd9, respectively. Added to the mix is a variant discovered December 22, 2002, dubbed Yaha.M by antivirus vendors, which MessageLabs now calls Yaha.K or W32/Yaha.K!e2a2, and a later variant, discovered December 31, that other vendors refer to as Yaha.L, in effect stepping back a letter rather than forward. Compounding the confusion, some vendors do not even call the family Yaha, preferring Lentin or Yerh.
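The practical lesson of the naming mess is that a vendor's variant letter is not a stable identifier for a sample, while a hash of the sample itself is. The following is an added example, not code from the page or from any antivirus vendor: it parses detection names in the forms quoted above (W32/Yaha.J!2c3b, Yaha.K, a bare family name), resolves the Lentin/Yerh aliases the page mentions, and keys samples by their own SHA-256 so that the divergent vendor names for one sample can be compared. The alias table and the sample bytes are constructed for illustration, and the 4-digit hex code is only parsed, since the page does not say how MessageLabs derives it.

```python
"""Parse antivirus detection names and compare them across vendors.

Added example for this article; not the page's own code and not any vendor's
naming library. Aliases, vendor name tables and sample bytes are constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed alias table: the article says some vendors call the family Lentin or Yerh.
FAMILY_ALIASES = {"yaha": "yaha", "lentin": "yaha", "yerh": "yaha"}

# Optional platform prefix (W32/), family, optional .Variant, optional !hhhh code.
NAME_RE = re.compile(
    r"^(?:(?P<platform>[A-Za-z0-9]+)/)?"
    r"(?P<family>[A-Za-z]+)"
    r"(?:\.(?P<variant>[A-Za-z]+))?"
    r"(?:!(?P<code>[0-9a-fA-F]{4}))?$"
)


@dataclass(frozen=True)
class DetectionName:
    platform: Optional[str]   # e.g. "W32", or None when absent
    raw_family: str           # family exactly as the vendor wrote it
    family: str               # canonical family after alias resolution
    variant: Optional[str]    # upper-case letter(s), or None
    code: Optional[str]       # MessageLabs-style 4-hex-digit suffix, or None


def parse_name(name: str) -> DetectionName:
    """Split a vendor detection name into its parts; raise on unknown shapes."""
    m = NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"unrecognised detection name: {name!r}")
    raw_family = m.group("family")
    variant = m.group("variant")
    code = m.group("code")
    return DetectionName(
        platform=m.group("platform"),
        raw_family=raw_family,
        family=FAMILY_ALIASES.get(raw_family.lower(), raw_family.lower()),
        variant=variant.upper() if variant else None,
        code=code.lower() if code else None,
    )


def same_family(a: str, b: str) -> bool:
    """Do two vendor names refer to the same family once aliases are resolved?"""
    return parse_name(a).family == parse_name(b).family


def same_variant(a: str, b: str) -> bool:
    """Do two vendor names agree on family AND variant letter?"""
    pa, pb = parse_name(a), parse_name(b)
    return pa.family == pb.family and pa.variant is not None and pa.variant == pb.variant


def variant_letters_agree(vendor_names: Dict[str, str]) -> bool:
    """True only if every vendor's name for one sample resolves to one (family, letter)."""
    parsed = [parse_name(n) for n in vendor_names.values()]
    return len({(p.family, p.variant) for p in parsed}) == 1


def sample_id(sample: bytes) -> str:
    """Vendor-independent identity for a sample: the hash of its bytes."""
    return hashlib.sha256(sample).hexdigest()


# Constructed stand-in "samples": placeholder bytes, not worm code.
SAMPLES = {
    "dec22": b"constructed placeholder for the 22 December 2002 variant",
    "dec31": b"constructed placeholder for the 31 December 2002 variant",
}

# What the article says each sample is called; the December 22 sample shows the split.
VENDOR_NAMES = {
    "dec22": {"antivirus vendors": "Yaha.M", "MessageLabs": "W32/Yaha.K!e2a2"},
    "dec31": {"other vendors": "Yaha.L"},
}


def build_registry() -> Dict[str, Dict[str, str]]:
    """Map sample hash -> {vendor: detection name}, so lookups never depend on a letter."""
    return {sample_id(data): VENDOR_NAMES[key] for key, data in SAMPLES.items()}


def names_for_sample(registry: Dict[str, Dict[str, str]], sample: bytes) -> Dict[str, str]:
    """Return every vendor's name for a sample, or {} if the hash is unknown."""
    return registry.get(sample_id(sample), {})


if __name__ == "__main__":
    registry = build_registry()
    for key, data in SAMPLES.items():
        names = names_for_sample(registry, data)
        print(key, sample_id(data)[:12], names, "letters agree:", variant_letters_agree(names))
```

Running the block shows the December 22 sample resolving to a single hash but two different variant letters (M and K), which is exactly why a cross-vendor "are we protected?" check has to be keyed on the sample, not on the letter.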

Whatever they are called, these newest Yaha variants could be a ticking time bomb in corporate mailboxes, setting off a rash of infections as holiday vacationers return to work and open the mail waiting for them. Despite the slower holiday weeks, the December 22 variant reached the number two spot on the MessageLabs ThreatList in less than a week and held the number one spot on several continents according to Trend Micro's World Tracking Center. Trend Micro refers to this variant as Yaha.K and MessageLabs as W32/Yaha.K!e2a2.

As with earlier versions of Yaha such as Yaha.E, the worm terminates the processes of security vendor software. Because Yaha variants can also exploit an old vulnerability in Microsoft products that allows the email attachment to execute automatically, a new variant can disable antivirus software before the user has done anything, leaving protection updates unable to run and the system infected and open to further threats. Filtering for the worm on the content of its email is virtually impossible, because of the large number of subject lines and message bodies it can combine.

Also like Yaha.E, Yaha.K through M makes removal difficult by re-creating its registry keys and worm files each time a user tries to delete them. Besides hindering removal and disabling security software, the worm launches a DoS (Denial of Service) attack against a Pakistani government website.


©2008 About.com, a part of The New York Times Company.

All rights reserved.