Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Yaha.K@mm


Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Payload Changes Registry settings
Detection files published 30 Dec 2002 03:00:00
Description created 31 Dec 2002 08:55:00
Description updated 22 Aug 2003 04:43:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



The worm will copy itself to the following directories/names:%WINDOWSSYSTEMDIRECTORY%\nav32_loader.exe%WINDOWSSYSTEMDIRECTORY%\tcpsvs32.exe%WINDOWSSYSTEMDIRECTORY%\WinServices.exeThe worm will then change the Registry key "HKCR\exefile\shell\open\command" so that the worm is run before any .exe files are started. This has the addititonal effect that if the worm is deleted, no *.exe files whatsoever can be run unless the Registry setting is changed before the worm is deleted!Then the worm sets the Run key in the RegistryHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runso that the worm is started during the PC's boot.The worm also adds the following Registry keyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesto point to %WINDOWSYSTEMDIRECTORY%\WinServices.exeThe worm will harvest email addresses from several locations on the infected PC and send itself to those.

Payload Details

The worm changes a Registry setting in such a way that it ensures that it runs itself before any *.exe file. This has the side-effect that if the worm is deleted before the Registry setting is changed, no *.exe file whatsoever will be able to be launched.





Last Updated: 12 Nov 2015 11:06:14