Yaha.J, K, or L?
New variant confuses antivirus vendors, users
According to antivirus and security vendor F-Secure, the December 2002 Yaha variants install nav32_loader.exe, tcpsvs32.exe, and WinServices.exe to the Windows System directory. The worm also modifies certain registry keys as follows:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "WinServices" = "%WinSysDir%\WinServices.exe"

 [HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "WinServices" = "%WinSysDir%\WinServices.exe"

 [HKCR\exefile\shell\open\command]
 @ = "%WinSysDir%\nav32_loader.exe" "%1" %*

%WinSysDir% stands for the Windows System directory, whose path varies with the operating system version and installation choices. The third key is the more significant one: because it rewrites the handler that Windows uses to launch every .exe file, the worm's loader is started each time any program is run, and simply deleting the dropped files without restoring the key can leave the system unable to start executables.

These Yaha variants continually recreate the registry keys and dropped files if they are modified or deleted. They also terminate various security and other software processes, which may leave those products unable to defend the system or update properly. The processes targeted are:

_AVP32, _AVPCC, _AVPM, ACKWIN32, ALERTSVC, AMON.EXE, ANTIVIR, ATRACK, AVCONSOL, AVP.EXE, AVP32, AVPCC.EXE, AVPM.EXE, AVSYNMGR, CFINET, CFINET32, ESAFE.EXE, F-AGNT95, F-PROT95, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, ICMON, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUALL, LUCOMSERVER, MCAFEE, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NISSERV, NISUM, NMAIN, NOD32, NORTON, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NVC95, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW, PVIEW95, REGEDIT, RESCUE32, RMVTRJAN, SAFEWEB, SCAN32, SWEEP95, SYMPROXYSVC, TDS2-98, TDS2-NT, VET95, VETTRAY, VSECOMR, VSHWIN32, VSSTAT, WEBSCANX, WEBTRAP, and ZONEALARM.
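Because the worm's most visible effect is the disappearance of security processes, one practical check is to compare a process snapshot against what an administrator expects to be running. The script below is an added example written for this page (not vendor code): it parses `tasklist /fo csv` style output, reports any of the dropped file names that are running, and lists expected security processes that are absent, noting which of those appear on the kill list above. The snapshot text, the PIDs and the set of expected processes are constructed for the example.

```python
import csv
import io

# Constructed `tasklist /fo csv` style snapshot (not real system output). It mixes
# ordinary processes, two of the files the article says Yaha drops, and one
# security product that is still running.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Services","0","24 K"
"explorer.exe","1204","Console","1","12,340 K"
"WinServices.exe","1380","Console","1","2,112 K"
"tcpsvs32.exe","1392","Console","1","1,980 K"
"ZONEALARM.EXE","1100","Console","1","8,004 K"
'''

# File names the article attributes to the December 2002 Yaha variants.
YAHA_DROPPED_FILES = {"nav32_loader.exe", "tcpsvs32.exe", "winservices.exe"}

# A subset of the process names from the article's kill list, without extension.
YAHA_KILL_LIST = {"avp32", "navapw32", "navw32", "nod32", "zonealarm", "regedit", "vshwin32"}


def parse_tasklist(text):
    """Return the set of lower-cased image names from tasklist CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Image Name"].lower() for row in reader}


def stem(image_name):
    """'NAVAPW32.EXE' -> 'navapw32', matching the extension-less names on the kill list."""
    name = image_name.lower()
    return name[:-4] if name.endswith(".exe") else name


def assess_snapshot(running, expected_security):
    """Report dropped files that are running and expected security processes that are not.

    expected_security: extension-less names the administrator knows should be running
    on this machine (supplied by the caller; an assumption of this example).
    """
    dropped_present = sorted(name for name in running if name in YAHA_DROPPED_FILES)
    stems = {stem(name) for name in running}
    missing = sorted(name for name in expected_security if name not in stems)
    on_kill_list = sorted(name for name in missing if name in YAHA_KILL_LIST)
    return {
        "dropped_present": dropped_present,
        "security_missing": missing,
        "missing_on_kill_list": on_kill_list,
    }


if __name__ == "__main__":
    snapshot = parse_tasklist(SAMPLE_TASKLIST)
    print(assess_snapshot(snapshot, {"navapw32", "zonealarm"}))
```

A missing process on its own proves nothing (the product may simply not be installed), which is why the expected set comes from the administrator rather than from the kill list; the kill-list match is only there to prioritise which absences to investigate first.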

The Yaha variants send themselves to email addresses found in the Windows Address Book, the Yahoo Messenger profile folders, and the .NET and MSN Messenger cache folders. The default Internet start page (homepage) may also be changed to point to one of the following:

http://geocities.com/snak33y3s
http://www.ankitfadia.com
http://www.blacksun.box.sk
http://www.coderz.net
http://www.hackers.com/html/neohaven.html
http://www.hackersclub.up.to
http://www.hirosh.tk
http://www.hrvg.tk
http://www.neworder.box.sk
http://www.unixhideout.com

The worm can run automatically when the email message carrying the infected attachment is read or, in some cases, merely previewed. This is made possible by a security vulnerability in Microsoft products. In addition to the actions described above, the worm attempts to launch a denial of service attack against a Pakistani government website and - according to antivirus vendor Sophos - has the following payloads:

  • March 25th and May 22nd - displays a message box with the text "Happy Birthday Dear" and swaps the operation of the mouse buttons.
  • Any Thursday - changes the attributes of files and folders in My Documents to hidden and creates a text file named aYerHS.txt on the desktop. The text file can contain any one of several messages notable only for their poor grammar and bad language.


©2009 About.com, a part of The New York Times Company.