Is Yarner a Yawner? - Page 2
As is typical with e-mail-borne Trojans, the worm uses MAPI to send itself to addresses found in Microsoft Outlook or in .php, .htm, .shtm, .cgi, or .pl files.
Two more files are created in the main Windows directory: KERNEL32.DAA and KERNEL32.DAS. These store server and address information that is used by the virus itself.
At random, the virus will attempt to delete all files on the drive with Windows installed.
- Locate NOTEDPAD.EXE, and rename the file back to NOTEPAD.EXE
- Locate KERNEL32.DAA and KERNEL32.DAS and delete them
As always, be aware that changes to the Registry are dangerous. We strongly advise that you back it up before proceeding with any manual registry changes.
Run regedit, click on Registry, and select "Export Registry File". Choose a safe location and a memorable filename and save the file.
- In regedit, navigate to:
- In the right pane, look for a value that contains random characters and take note of what they are.
- Delete that value and close regedit
- Search for a filename using those random characters and an .EXE extension, and delete it.
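The manual steps above can be checked on a host with a short script. The following PowerShell is an added example written for this page, not code from the original article or from any vendor tool. It reports the file indicators named above (NOTEDPAD.EXE, KERNEL32.DAA, KERNEL32.DAS in the main Windows directory) and, with the -Remediate switch, applies the rename and deletions; the registry key path is not given on this page, so the script takes it as a required parameter (-KeyPath, a name chosen here) and only lists that key's values for the operator to review, since judging which value is "random characters" is left to a person, exactly as the steps describe. The function and parameter names are this example's own.

```powershell
<#
Added example (not from the original article). Checks a Windows host for the
Yarner indicators listed above and lists the values under the registry key the
article names so they can be reviewed by hand. Assumptions: -KeyPath is the
PowerShell form of that key (e.g. 'HKLM:\...'), supplied by the operator;
run from an elevated prompt; without -Remediate the script only reports.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$KeyPath,      # registry key from the article, in PowerShell path form
    [switch]$Remediate     # rename NOTEDPAD.EXE back and delete the .DAA/.DAS files
)

function Find-YarnerFileIndicators {
    param([string]$WindowsDir, [switch]$Fix)
    $report = @()

    # 1. The renamed editor: NOTEDPAD.EXE in the main Windows directory.
    $renamed  = Join-Path $WindowsDir 'NOTEDPAD.EXE'
    $original = Join-Path $WindowsDir 'NOTEPAD.EXE'
    if (Test-Path -LiteralPath $renamed) {
        $report += "Found $renamed"
        if ($Fix) {
            if (Test-Path -LiteralPath $original) {
                # Something already occupies NOTEPAD.EXE; do not overwrite it blindly.
                $report += "NOTEPAD.EXE already exists; inspect both files before renaming"
            } else {
                Rename-Item -LiteralPath $renamed -NewName 'NOTEPAD.EXE'
                $report += "Renamed NOTEDPAD.EXE back to NOTEPAD.EXE"
            }
        }
    }

    # 2. The worm's server/address store: KERNEL32.DAA and KERNEL32.DAS.
    foreach ($name in 'KERNEL32.DAA', 'KERNEL32.DAS') {
        $path = Join-Path $WindowsDir $name
        if (Test-Path -LiteralPath $path) {
            $report += "Found $path"
            if ($Fix) {
                Remove-Item -LiteralPath $path -Force
                $report += "Deleted $path"
            }
        }
    }
    return $report
}

function Get-RegistryValuesForReview {
    param([string]$Key)
    # Lists every value under the key with its data and whether that data points
    # at an existing file. Nothing is deleted here: spotting the value made of
    # random characters, and the matching .EXE, is the operator's call.
    if (-not (Test-Path -LiteralPath $Key)) { return @() }
    $regKey = Get-Item -LiteralPath $Key
    foreach ($valueName in $regKey.GetValueNames()) {
        $data = [string]$regKey.GetValue($valueName)
        $candidate = $data.Trim('"')   # best effort: strip surrounding quotes only
        [pscustomobject]@{
            Name       = $valueName
            Data       = $data
            FileExists = ($candidate -ne '' -and (Test-Path -LiteralPath $candidate))
        }
    }
}

Find-YarnerFileIndicators -WindowsDir $env:SystemRoot -Fix:$Remediate | ForEach-Object { Write-Output $_ }
Get-RegistryValuesForReview -Key $KeyPath | Format-Table -AutoSize
```

Run it first without -Remediate to see what is present, export the Registry as the text above advises, and only then rerun with -Remediate. The rename is skipped when a NOTEPAD.EXE already exists so that a possibly replaced editor is not silently overwritten; compare the two files before deciding which to keep.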
Your precautionary steps should be the same as always: Make sure your anti-virus software is up-to-date with the latest identity signatures and patches. Alter Windows, Outlook, and Outlook Express' default behavior so as not to launch files automatically. Educate your users about e-mail attachments. (For more discussion on that topic, see Dealing With Network Security Scofflaws.)