W32/Yaha.E worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Yaha.E Worm

Information about the W32/Yaha.E worm:

W32/Yaha.E is an email worm. This worm infects Windows systems. It spreads using the email addresses present in the Microsoft Windows address book, MSN Messenger list, Yahoo pager list, ICQ list and files with extensions containing the characters ht.

The worm arrives with a subject, which is a combination of words randomly chosen by it from the following list:

Ur My Best Friend	The world of lovers
you care ur friend	Cool
searching for true Love	The world of Friendship
Who is ur Best Friend	Great
make ur friend happy	One
True Love	Funny
war Againest Loneliness	Shaking
Wowwwwwwwwwww check it	powful
Enjoy Romantic life	for you
Send This to everybody u like	to see
Let's Dance and forget pains	to check
One Hackers Love	to watch
Shake it baby,	to enjoy
Nothink to worryy	excite
Say 'I Like You'	to share
Easy Way to revel ur love	to ur lovers
How sweet this Screen saver	LoveGangs
Enjoy friendship	charming
Shake ur friends	Idiot
Learn How To Love	Bullshit
Best Friends	Nice
Friendship Screen saver	Joke
To ur friend	Love
Let's Laugh	Interesting
Find a good friend	Friendship
One Way to Love	stuff to ur friends
Are you looking for Love	Wonderfool
Free Screen saver	U r the person?
Need a friend?	New
Hi U realy Want this Romantic humour	I am For u
Life for enjoyment	Circle Friendship
Dont wait for long time	how are you
Looking for Friendship	relations
love speaks from the heart	Origin of Friendship

The content of the mail is a combination of the messages in Set 1 and Set 2:

Set 1:

"Hi dear
Check the attach
See u"

"Hi
Check the Attachment ..
See u"

"Attached one Gift for u.."

"wOW CHECK THIS"

"Check the attachment"

"See the attachement"

"Enjoy the attachement"

"More details attached"

Set 2:

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from <web address> to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to: <web address>
* Enter your email address (<sender's address>) in the field provided and click "Unsubscribe".

OR...!

* Reply to this message with the word "REMOVE" in the subject line.

This message was sent to address <sender's address>
X-PMG-Recipient: <sender's address>
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

The mail contains an attachment with a random filename. The attached file may have either a double or single extension . The first extension of the attachment can be DOC, MP3, XLS, WAV, JPG, GIF, DAT, BMP, HTM, MPG, MDB or ZIP. The second extension can be PIF, BAT or SCR.

Upon execution, the worm displays any one of the following text messages.

I like U very much!!!
Ur My Best Friend!!
True Love never ends
U r so cute today #!#!
U r My Best Friend
No Configuration is availabile Now

The worm copies itself to the Recycle Bin as a file with a randomly generated name of four characters. It sets the file attributes to hidden. It modifies the registry to execute itself whenever an EXE file is executed in the infected computer. The worm modifies registry at the following location

Hkey_Classes_Root\exefile\shell\open\command

A text file is created in the Windows folder with a random filename and the following content.

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

iNDian sNakes pResents yAha.E

iNDian hACkers,Vxers c0me & w0Rk wITh uS & fUCk tHE GFORCE-pAK shites

sNAkeeYes,c0Bra

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

The worm has a payload, which deletes files of some security software.

This worm first appeared on 19th June 2002..

Other names of W32/Yaha.E worm:

This worm is also known as I-Worm/Yaha.E, W32.Yaha.E. I-Worm-Lentin.g.

Removing W32/Yaha.E worm from your computer:

You can remove this virus from your computer by using Protector Plus antivirus software

Click here to download a 30 day Evaluation Copy of
Protector Plus for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Yaha.E worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software