Discovered on June 20, 2002, the Yaha.E worm, a.k.a. Lentin, quickly closed in on the heels of the Klez.H and Klez.E worms, claiming the number three spot on the MessageLabs ThreatList as of June 27, 2002. Yaha.E is a mass-mailing email worm with a complex message composition routine: the subject line is drawn either from a list of over 40 fixed choices or assembled from two or more of dozens of fragments. This makes identification or filtering by subject line a challenge. According to F-Secure, Yaha can also select from a range of other criteria in order to compose its message body. Upon infection, the worm modifies the registry key that controls how EXE files are launched, constantly checking and rewriting it to ensure that the worm runs each time an EXE program is started. This constant checking and refreshing makes manually removing the worm extremely difficult. Additionally, Yaha.E searches for and terminates the processes of several antivirus and security programs, as well as the competing viruses Sircam and Klez.
The Yaha.E message body can contain a variety of text strings referring to the attached file, including: "Check the attachment", "See the attachement", "Enjoy the attachement", "More details attached", "Attached one Gift for u.." and "wOW CHECK THIS". The message may appear to be a FW: message, using a fake sender for the From address and the infected user's email address for the To address. The FW: message may appear as either a fake undeliverable message report or a fake screensaver subscription message.
Subject line can be composed from any of the following:
searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
U realy Want this

Or from 2 or more of the following:
Romantic
humour
NewWonderfool
excite
Cool
charming
Idiot
Nice
Bullsh*t
One
Funny
Great
LoveGangs
Shaking
powful
Joke
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share
:-)
!
!!

Using fake forwarding addresses in the body:
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
f*cker

With attachment names selected from:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love
The first extension can be:
doc
mp3
xls
wav
txt
jpg
gif
dat
bmp
htm
mpg
mdb
zip
The last (true) extension can be:
pif
bat
scr

Terminating these processes:
PCCIOMON
PCCMAIN
POP3TRAP
WEBTRAP
AVCONSOL
AVSYNMGR
VSHWIN32
VSSTAT
NAVAPW32
NAVW32
NMAIN
LUALL
LUCOMSERVER
IAMAPP
ATRACK
NISSERV
RESCUE32
SYMPROXYSVC
NISUM
NAVAPSVC
NAVLU32
NAVRUNR
NAVWNT
PVIEW95
F-STOPW
F-PROT95
PCCWIN98
IOMON98
FP-WIN
NVC95
NORTON
MCAFEE
ANTIVIR
WEBSCANX
SAFEWEB
ICMON
CFINET
CFINET32
AVP.EXE
LOCKDOWN2000
AVP32
ZONEALARM
WINK
SIRC32
SCAM32
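The composition rules above (a fixed subject, or a subject assembled from two or more fragments, plus a double-extension attachment whose real extension is pif, bat or scr) can be turned into a mail-gateway check. The following is an added example, not code from the original page or from F-Secure; its word lists are a constructed subset of the tables above, and it assumes the worm joins subject fragments with spaces, which the page does not state.

```python
from functools import lru_cache

# Word lists abridged from the page's tables (a constructed subset; extend with the full lists).
FIXED_SUBJECTS = {"searching for true love", "free screen saver", "how are you", "u r the person?"}
SUBJECT_PARTS = ("romantic", "humour", "cool", "funny", "screensaver", "friendship", "love",
                 "to ur friends", "for you", "to see", "to check", "to enjoy", ":-)", "!", "!!")
ATTACH_NAMES = {"loveletter", "resume", "biodata", "dailyreport", "weeklyreport", "report",
                "mountan", "goldfish", "love"}
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat", "bmp", "htm", "mpg", "mdb", "zip"}
TRUE_EXTS = {"pif", "bat", "scr"}  # the extension Windows actually executes

def composed_from_parts(subject):
    """True if the subject is exactly two or more fragments from SUBJECT_PARTS.
    Assumes fragments are joined by spaces (the page does not state the separator)."""
    text = " ".join(subject.lower().split())  # case-fold and collapse whitespace

    @lru_cache(maxsize=None)
    def max_parts(pos):
        # Largest fragment count that exactly covers text[pos:], or None if none does.
        if pos == len(text):
            return 0
        best = None
        for part in SUBJECT_PARTS:
            if text.startswith(part, pos):
                nxt = pos + len(part)
                if nxt < len(text) and text[nxt] == " ":
                    nxt += 1
                sub = max_parts(nxt)
                if sub is not None and (best is None or sub + 1 > best):
                    best = sub + 1
        return best

    count = max_parts(0)
    return count is not None and count >= 2

def attachment_is_yaha_style(filename):
    """True for <name>.<decoy ext>.<pif|bat|scr> built from the worm's lists."""
    parts = filename.strip().lower().split(".")
    return (len(parts) == 3 and parts[0] in ATTACH_NAMES
            and parts[1] in DECOY_EXTS and parts[2] in TRUE_EXTS)

def classify_message(subject, attachment=None):
    """Return the reasons a message matches Yaha.E's composition rules (empty list = no match)."""
    reasons = []
    if subject.strip().lower() in FIXED_SUBJECTS:
        reasons.append("subject is one of the worm's fixed subject lines")
    elif composed_from_parts(subject):
        reasons.append("subject is assembled from two or more of the worm's fragments")
    if attachment and attachment_is_yaha_style(attachment):
        reasons.append("attachment is <name>.<decoy ext>.<pif|bat|scr>")
    return reasons
```

For instance, classify_message("Free Screen saver", "loveletter.doc.scr") returns both reasons, while a subject such as "Friendship" on its own is a single fragment and is not flagged.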
Removing the Yaha.E worm
Because the Yaha.E worm constantly refreshes the EXE file startup key in the system registry and kills the Task Manager window under Windows NT, manual removal is not a viable solution. Fortunately, antivirus developer F-Secure provides a special disinfection tool to remove the Yaha.E worm from infected computers. The tool is called YahaTool and it can be downloaded from their ftp site:
ftp://ftp.europe.f-secure.com/anti-virus/tools/yahatool.zip
F-Secure also provides easy-to-follow step-by-step instructions for the tool (also included with the tool itself):
ftp://ftp.europe.f-secure.com/anti-virus/tools/yahatool.txt
For those who've managed to disinfect the worm but are experiencing difficulty launching EXE files due to the leftover registry edit, F-Secure provides a special tool for that as well:
ftp://ftp.europe.f-secure.com/anti-virus/tools/yaha_fix.reg