VIRUS UPDATE : YAHA
YAHA

25 June 2002

In addition to Klez, there's currently another worm/virus that's rapidly spreading, especially in the Netherlands, called W32/Yaha.

This worm/virus has similar characteristics to Klez: it also spreads itself via e-mail and exploits the so-called Windows "Incorrect MIME header" bug.


What does the Yaha worm do?

The Yaha worm/virus is activated when the attachment of an infected e-mail is opened. Windows users who do not have the necessary Microsoft patch installed can also be infected if the preview option in their e-mail programme is switched on. In that case the worm/virus is activated as soon as the message is displayed in the preview pane, even though the attachment has never been opened.

After infection, the worm/virus sends outgoing e-mail with an infected attachment to addresses found in the Windows address book, MSN Messenger, Yahoo Pager and ICQ. It also harvests addresses from files whose extension begins with .ht, such as .htm and .html.

Yaha differs from the Klez worm/virus in a number of important ways:

1. Yaha uses the infected user's real sender address, whereas Klez forges arbitrary sender addresses taken from the infected machine. Because of this forgery, many internet users are wrongly accused of sending viruses.

2. Yaha can disguise itself as a mail-delivery-failure message. Genuine failure notices are sent from postmaster addresses in reply to infected mails that originate from your computer, so during a Yaha outbreak a message that looks like such a notice may itself carry the worm.

3. Yaha sends out a continuous stream of infected e-mails, using the full capacity of your outgoing internet connection. This is in contrast to Klez, which sends a fixed number of e-mails per run.

With a dial-up connection of 56K, Yaha sends 2 to 3 e-mails per minute.
With Basic ADSL it can send 20 to 30 e-mails per minute.


How do I recognise the Yaha worm?

E-mail carrying the Yaha worm/virus may contain an attachment which pretends to be a Windows screensaver. Please note that this is not always the case: infected attachments can appear as other types of document, or the e-mail may not appear to have an attachment at all. An infected computer displays a quivering desktop and banners with text such as 'Ur My Best Friend!'.

You can find more information about the Yaha worm/virus at:

http://europe.f-secure.com/v-descs/yaha_e.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99528
http://www.sophos.com/virusinfo/analyses/w32yahae.html
http://www.virusalert.nl/?show=virus&id=289&PHPSESSID=7ac597d58204dbd88641ca40bc48d83a


How do I remove the Yaha worm?

Make sure that you have good anti-virus software installed on your computer and keep it up to date at all times. Windows users should also install the necessary patches from Microsoft. Be cautious when opening attachments: if in doubt, don't open it!

If your computer is infected with Yaha, you can remove the worm/virus by either using one of the special tools available through the links below, or by the proper use of anti-virus software in general. You can find out more information, as well as the tools themselves, at the following locations:

http://www.bitdefender.com/html/free_tools.php
http://europe.f-secure.com/v-descs/yaha_e.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99528
http://www.sophos.com/virusinfo/analyses/w32yahae.html

when come back, bring pie!

KLEZ

19 June 2002

XS4ALL is continuing to see a rise in the number of reported infections of the Klez worm/virus. This is in spite of the fact that solutions and cures have been available for some time. Some of the more recent variants of this worm actively seek out anti-virus software and its virus libraries and attempt to deactivate them on an infected system. The Klez family as a whole has now become the most widely spreading computer worm of this type. XS4ALL has also noticed this increase affecting its own customers and has had to take a number of steps to help reduce the spread of infections. If a customer's system cannot be cured of Klez in a timely manner, XS4ALL may temporarily suspend the customer's account until such time as they have taken effective action to remove the virus.


What does the Klez worm do?

The Klez worm/virus typically spreads through an infected e-mail message. The full name of the worm is W32/Klez@MM.

After a system becomes infected, the worm will send outgoing e-mail to addresses found in the Outlook addressbook, as well as to addresses found in the infected system’s web browser cache. The worm will also use these discovered addresses as the sending address (“From”) in the outgoing infected message.

An explanation of the Klez worm can be found here:

http://www.sophos.com/virusinfo/analyses/w32klezh.html
http://vil.nai.com/vil/content/v_99455.htm


How can I recognize the Klez worm?

Unfortunately, Klez has so many variants that it can be difficult to recognize easily. However, there are a number of items you can look for that may help you detect whether a message is Klez-infected (note: these do not hold for every variant).

E-mail that is Klez-infected always has an attachment. Unfortunately, older and unpatched versions of Microsoft Outlook may open this attachment without user intervention. Customers who use Outlook are advised to keep "preview mode" disabled as a simple precaution against this method of infection.

There are also a few clues to be found in the e-mail headers of infected messages:
1) Upon close inspection, multiple "From" lines may be spotted. When viewing the full headers of a Klez-infected mail, these From lines will probably differ from one another (e.g. one may say From: jsmit@foo.com whilst the other says From: f.naar@bar.org). See the helpdesk pages (in Dutch) for more information about viewing full headers.
2) In the Received lines, which indicate the computers that handled the e-mail, the computer sending out Klez identifies itself with a nonsense name, such as Lqhblk, Vhg, Uaoqi and so forth.
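The header clues above, together with the mislabelled-attachment route that the preview-pane infection in the Yaha section relies on, can be checked mechanically. The following Python script is an added example and not an XS4ALL or anti-virus vendor tool: it parses a message's full headers, flags multiple From lines, flags a Received line whose sending host has a nonsense single-word name, and flags an executable attachment declared with a non-executable MIME type. The two sample messages, their hostnames and addresses, the attachment, and the exact shape of the mislabelled MIME part (audio/x-wav carrying an .exe) are constructed assumptions for this example.

```python
"""Check a mail's full headers for the Klez tell-tales described above.

Added example (not XS4ALL's or an anti-virus vendor's tool).  The two
sample messages are constructed; hostnames, addresses and the attachment
are made up for illustration.
"""
import re
from email import message_from_string

# Attachment extensions treated as executable (assumption for this example).
EXEC_EXT = (".exe", ".scr", ".pif", ".bat", ".com")

# Constructed sample with three tell-tales: two From lines, a Received line
# whose sending host has a nonsense name, and an .exe attachment declared
# as audio (the mislabelled-MIME shape here is an assumption).
SUSPECT = """\
Received: from Lqhblk ([10.0.0.12]) by mx.example.net with SMTP;
\tWed, 19 Jun 2002 14:02:11 +0200
From: jsmit@foo.com
From: f.naar@bar.org
To: victim@example.net
Subject: a very funny website
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="xyz"

--xyz
Content-Type: text/html

<html><body>look at this</body></html>
--xyz
Content-Type: audio/x-wav; name="funny.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
--xyz--
"""

# Constructed ordinary message that should raise no findings.
CLEAN = """\
Received: from mail.foo.com ([192.0.2.7]) by mx.example.net with SMTP;
\tWed, 19 Jun 2002 14:05:00 +0200
From: jsmit@foo.com
To: victim@example.net
Subject: minutes
Content-Type: text/plain

See you Thursday.
"""


def received_hosts(msg):
    """Return the host name each Received line says the mail came 'from'."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+([^\s(]+)", value.strip(), re.IGNORECASE)
        if m:
            hosts.append(m.group(1))
    return hosts


def looks_nonsense(host):
    """Heuristic: a bare word with no dot is not a real host name.

    Klez announces itself with names like Lqhblk or Vhg; genuine mail
    servers normally give a fully qualified name.  'localhost' would also
    trip this, so treat it as a clue, not proof.
    """
    return "." not in host and host.isalpha()


def mime_mismatches(msg):
    """Return (filename, content-type) for executables declared as something else."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # falls back to the Content-Type name= param
        if name and name.lower().endswith(EXEC_EXT):
            ctype = part.get_content_type()
            if not ctype.startswith("application/"):
                found.append((name, ctype))
    return found


def klez_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    froms = msg.get_all("From", [])
    if len(froms) > 1:
        findings.append("multiple From lines: " + ", ".join(froms))
    for host in received_hosts(msg):
        if looks_nonsense(host):
            findings.append("nonsense sending host in Received line: " + host)
    for name, ctype in mime_mismatches(msg):
        findings.append(f"executable attachment {name} declared as {ctype}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label + ":", klez_indicators(raw) or ["no indicators"])
```

Run it on a message saved as plain text with full headers; the "no dot in the host name" rule is deliberately crude and will also flag some legitimate internal relays, so use it to decide which mails deserve a closer look rather than as a verdict.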


How do I remove the Klez virus?

There is no substitute for being prepared. Take care to install a good anti-virus application and make sure you keep its virus libraries (definitions) up to date at all times. The Klez worm is currently known to have 9 variants, so if you have not updated your libraries for more than a few weeks, you are still at risk of infection. And as always with attachments: if in doubt, do not open!

Caution: The worm makes use of the so-called “Incorrect MIME header” bug present in Microsoft Windows. Microsoft has a patch available that will solve this problem. This patch will not cure a Klez infection, but will prevent future worms/viruses from infecting your system in this manner.

If your computer has been infected with Klez, you can remove the virus by either using one of the special tools available through the links below, or by the proper use of anti-virus software in general. You can find out more information, as well as the tools themselves, at the following locations:

http://europe.f-secure.com/v-descs/klez.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=99367
http://www.sophos.com/support/faqs/klezh.html
http://www.viruslist.com/eng/viruslist.html?id=4292

You can find more information about this, and other viruses, at the XS4ALL FAQ:
http://www.xs4all.nl/helpdesk/mail/virus_faq.html

XS4ALL customers may obtain the most recent version of the McAfee anti-virus application for free by downloading it from the Self Service Centre.
Note: XS4ALL distributes a special corporate version of McAfee that has a lower version number than the commercially available package; however, the XS4ALL distributed version is fully compatible with the latest virus library updates, which are necessary to correctly solve a Klez infection.

You can find other virus scanners at:

http://www.europe.f-secure.com/
http://www.symantec.com/


E-mail warning you of a Klez infection

If your computer is infected with Klez, you may receive a warning from XS4ALL informing you of this fact. If this warning is not observed, XS4ALL may eventually, and temporarily, suspend your account’s access to the Internet. This emergency precaution is necessary to prevent your computer from adding to the rapid spread of this worm to other Internet users in general.

Please contact the Customer Service department if this has happened to you, so that your account can be re-enabled once the infection has been removed.
