CyberPunks Wage CyberGang War
Yaha.P/Q brings CyberSnit to users' PCs

Calling it "a waR beTweeN inDia & paK hAckeRS.." and warning that "n0 c0untrY shouLD gEt inVolvEd..", a variant of the Yaha worm launches a denial of service attack against five Pakistani websites, disables antivirus and security software running on infected systems, changes the Internet Explorer start page and creates various text messages on local drives. Two of the text messages are directed at Roger Thompson, Technical Director of Malicious Code Research at TruSecure Corporation, and at GigaByte, author of the Yahasux worm. The prose dedicated to Thompson ends in something of a whine, complaining that "thE w0rlD pUshEd uS to tHe dArK siDe..cAnT hElp iT.. no reTReaT no suRRenDeR."

Dubbed Yaha.Q by some antivirus vendors and Yaha.P by others, this latest Yaha variant spoofs a large range of sender names and email addresses and includes an equally exhaustive list of possible subject lines and message bodies. A complete listing of these has been prepared by Alexey Podrezov of F-Secure Corp.

"The Indian Snakes gang claims that this is not a political spat, rather a battle to establish cybercrime supremacy," said Chris Wraight, technology consultant at Sophos, Inc. "It's a shame that this dispute between rival cyber criminals is being fought on the PCs of innocent computer users who are largely uninterested in the disagreement. Perhaps these gangs should find another venue that would allow them to get things off their chest without breaking the law."

Because the Yaha variant terminates various processes associated with antivirus and security software, and continually terminates Windows Task Manager, System Configuration Utility, Registry Editor, and Process Viewer, removal can be difficult. The first step is to ensure the on-demand scanner is working and that it has the latest signature definition files. To check the scanner, the Eicar Help Center demonstrates how to create a test file that antivirus scanners have been programmed to detect. Assuming the scanner is working properly and the latest definition files have been applied, scan the system and delete any files detected as infected with Yaha. Once the scan is complete, a registry fix is required to completely remove Yaha.P/Q from the system. F-Secure provides a free registry fix for this purpose.

©2014 About.com. All rights reserved.