Is Yarner a Yawner?

By Jim Freund | Feb 21, 2002
http://www.enterprisenetworkingplanet.com/netsecur/article.php/978521/Is-Yarner-a-Yawner.htm

The Virus of the Week (not a designation we want to promote) is Yarner, an e-mail-borne worm that masquerades as Yet Another Warner (YAW), a legitimate German-based anti-virus solution. Of course, this Trojan is a solution that is really part of the problem.

Yarner is considered dangerous due to the damage it can inflict and how well it can propagate. However, several anti-virus specialists, including McAfee and Symantec, deem it a relatively minor threat because it has not spread very far -- at least not yet. Several European anti-virus vendors view Yarner more severely, as it appears to be German-based and has done the most damage there. Given its capabilities, being vigilant in guarding against Yarner wherever you may be is simply common sense.

Characteristics
The e-mail which carries the trojan appears as follows:

Subject: Trojaner-Info Newsletter [Date]
Attachment: yawsetup.exe
Message body:
Hallo ! 

Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. 

Hier die Themen im Ueberblick: 

1. YAW 2.0 - Unser Dialerwarner in neuer Version 

************************************ 
1. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist 
nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle
unsere Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter. 
Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei 
Fragen steht Ihnen der Programmierer des bislang einzigartigen Programmes 
Andreas Haak unter andreas@ants-online.de zur Verfügung. Viel Spaß mit YAW!

<http://www.trojaner-info.de/dialer/yaw.shtml>
************************************ 

Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir 
bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch
eine angenehme Woche. 

Mit freundlichem Gruss 

Thomas Tietz & Andreas Ebert
<http://www.trojaner-info.de>

************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in 
unserer Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter 
nicht selber abonniert haben, sondern eine andere Person ohne dein Wissen, 
kannst du diesen auf unseren Seiten wieder abbestellen. Oder sende uns 
einfach eine entsprechende E-Mail.
************************************

Payload
Upon launching the executable, the worm renames NOTEPAD.EXE to NOTEDPAD.EXE, and then copies itself as NOTEPAD.EXE. When Notepad is run, the virus will strike and will also run the legitimate (but renamed) version.

Yarner makes another copy of itself in the Windows (or Winnt) directory using random characters and an .EXE extension, while adding a registry entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\ so that the worm runs upon Windows startup.

As is typical with e-mail-borne Trojans, the worm uses MAPI to send itself to addresses found in Microsoft Outlook or in .php, .htm, .shtm, .cgi, or .pl files.

Two more files are created in the main Windows directory: KERNEL32.DAA and KERNEL32.DAS. These store server and address information that is used by the virus itself.

At random, the virus will attempt to delete all files on the drive with Windows installed.

Eradication
Restore files:

  • Locate NOTEDPAD.EXE, and rename the file back to NOTEPAD.EXE
  • Locate KERNEL32.DAA and KERNEL32.DAS and delete them
Edit the Registry:

As always, be aware that changes to the Registry are dangerous. We strongly advise that you back it up before proceeding with any manual registry changes.

Run regedit, click on Registry, and select "Export Registry File". Choose a safe location and a memorable filename and save the file.
  • In regedit, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
  • In the right pane, look for a value that contains random characters and take note of what they are.
  • Delete that value and close regedit.
  • Search for a filename using those random characters and an .EXE extension, and delete it.
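The following script is an added example (not code from the article or from any anti-virus vendor) that turns the Characteristics, Payload and Eradication sections above into a triage-and-cleanup routine: a mail-gateway check for the newsletter subject plus the yawsetup.exe attachment, a check of the Windows directory for NOTEDPAD.EXE and the KERNEL32.DAA/.DAS data files, a check of RunOnce values for an executable launched straight out of the Windows directory, and the "Restore files" steps. The indicator names come from the article; the fake Windows directory, the RunOnce values and the RunOnce heuristic (flag any .EXE started directly from the Windows directory and let an analyst confirm the random name) are my own constructed sample data and assumptions so the script runs offline.

```python
"""Triage and file-level cleanup for the Yarner indicators described in the article.

Added example, not the article's or any vendor's code. File names, the RunOnce key
and the mail subject/attachment are taken from the article; the directory layout,
registry values and the RunOnce heuristic are constructed/assumed here. For real use,
point check_windows_dir() at %WINDIR% and feed check_runonce() the values from a
regedit export of the RunOnce key.
"""
import os
import re
import tempfile

# Indicators from the article's Characteristics / Payload / Eradication sections.
RENAMED_NOTEPAD = "NOTEDPAD.EXE"      # the legitimate Notepad after the worm renamed it
WORM_NOTEPAD = "NOTEPAD.EXE"          # the worm's own copy sits under the original name
DATA_FILES = ("KERNEL32.DAA", "KERNEL32.DAS")
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
MAIL_SUBJECT = re.compile(r"^Trojaner-Info Newsletter\b", re.IGNORECASE)
MAIL_ATTACHMENT = "yawsetup.exe"


def is_yarner_mail(subject, attachment_names):
    """Mail-gateway rule: the article's subject line together with the yawsetup.exe attachment."""
    return bool(MAIL_SUBJECT.match(subject.strip())) and any(
        a.lower() == MAIL_ATTACHMENT for a in attachment_names)


def check_windows_dir(windir):
    """Report which of the worm's file artefacts are present in the Windows directory."""
    names = {n.upper() for n in os.listdir(windir)}
    return {
        "renamed_notepad": RENAMED_NOTEPAD in names,
        "data_files": [f for f in DATA_FILES if f in names],
    }


def check_runonce(values, windir):
    """Triage heuristic (an assumption of this example, not the article's rule): flag RunOnce
    values whose command launches an .EXE sitting directly in the Windows directory, and
    return (value name, path) so an analyst can confirm it is the random-named copy."""
    hits = []
    for name, command in values.items():
        # first token of the command, with or without surrounding quotes
        m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
        exe = (m.group(1) or m.group(2)) if m else ""
        if not exe.upper().endswith(".EXE"):
            continue
        folder, base = os.path.split(exe)
        if os.path.normcase(os.path.abspath(folder)) == os.path.normcase(os.path.abspath(windir)):
            hits.append((name, os.path.join(windir, base)))
    return hits


def restore_files(windir):
    """The article's 'Restore files' steps: put the real Notepad back under its own name
    and delete the two data files. Returns the actions taken so they can be logged."""
    actions = []
    renamed = os.path.join(windir, RENAMED_NOTEPAD)
    if os.path.exists(renamed):
        worm_copy = os.path.join(windir, WORM_NOTEPAD)
        if os.path.exists(worm_copy):
            os.remove(worm_copy)              # the worm's copy occupying NOTEPAD.EXE
            actions.append("removed " + WORM_NOTEPAD)
        os.rename(renamed, worm_copy)         # NOTEDPAD.EXE -> NOTEPAD.EXE
        actions.append("restored " + WORM_NOTEPAD)
    for f in DATA_FILES:
        p = os.path.join(windir, f)
        if os.path.exists(p):
            os.remove(p)
            actions.append("deleted " + f)
    return actions


def build_sample_infected_dir():
    """Constructed sample: a fake Windows directory laid out the way the article describes
    an infected machine, plus matching RunOnce values (the random name is made up here)."""
    windir = tempfile.mkdtemp(prefix="fake_windir_")
    for name in (WORM_NOTEPAD, RENAMED_NOTEPAD, "QXKZPWTR.EXE") + DATA_FILES:
        with open(os.path.join(windir, name), "wb") as fh:
            fh.write(b"sample-bytes")
    runonce = {
        "qxkzpwtr": '"%s"' % os.path.join(windir, "QXKZPWTR.EXE"),   # the worm's entry
        "PostSetup": r'"C:\Program Files\Vendor\setup.exe" /finish',  # unrelated entry
    }
    return windir, runonce


if __name__ == "__main__":
    windir, runonce = build_sample_infected_dir()
    print("mail matches:", is_yarner_mail("Trojaner-Info Newsletter 21.02.2002", ["yawsetup.exe"]))
    print("before:", check_windows_dir(windir))
    print("RunOnce hits under", RUNONCE_KEY, ":", check_runonce(runonce, windir))
    print("actions:", restore_files(windir))
    print("after:", check_windows_dir(windir))
```

The RunOnce step deliberately stops at reporting: deleting the registry value and the flagged executable is left to the analyst, as the article's procedure asks you to note the random characters first and confirm the matching file.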

Prevention
Your precautionary steps should be the same as always: Make sure your anti-virus software is up-to-date with the latest identity signatures and patches. Alter Windows, Outlook, and Outlook Express' default behavior so as not to launch files automatically. Educate your users about e-mail attachments. (For more discussion on that topic, see Dealing With Network Security Scofflaws.)

--
Jim Freund is the Managing Editor of CrossNodes.