Is Yarner a Yawner? - Page 2

 By Jim Freund

As is typical with e-mail-borne Trojans, the worm uses MAPI to send itself to addresses found in Microsoft Outlook or in .php, .htm, .shtm, .cgi, or .pl files.

Two more files are created in the main Windows directory: KERNEL32.DAA and KERNEL32.DAS. These store server and address information that is used by the virus itself.

At random, the virus will attempt to delete all files on the drive with Windows installed.

Restore files:

  • Locate NOTEDPAD.EXE, and rename the file back to NOTEPAD.EXE
  • Locate KERNEL32.DAA and KERNEL32.DAS and delete them.

Edit the Registry:

As always, be aware that changes to the Registry are dangerous. We strongly advise that you back it up before proceeding with any manual registry changes.
Run regedit, click on Registry, and select "Export Registry File". Choose a safe location and a memorable filename and save the file.
  • In regedit, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
  • In the right pane, look for a value that contains random characters and take note of what they are.
  • Delete that value and close regedit
  • Search for a filename using those random characters and an .EXE extension, and delete it.
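
The checks above can be run read-only before anything is deleted. The following is an added example, not part of the original article: it looks for the three file names in a given Windows directory and lists the RunOnce values from the exported registry file so they can be reviewed by eye. The function names and the sample value `QXZPLM` are constructed for illustration.

```python
import os
import re

# File names the article says Yarner leaves in the main Windows directory.
YARNER_FILES = ("NOTEDPAD.EXE", "KERNEL32.DAA", "KERNEL32.DAS")
RUNONCE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def decode_export(raw):
    """Decode a regedit export: version 5.00 files are UTF-16 with a BOM, REGEDIT4 is ANSI."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def runonce_values(reg_text):
    """Return {name: data} for string values under the RunOnce key of an export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == RUNONCE_KEY.lower()
        elif in_key:
            m = VALUE_RE.match(line)
            if m:  # .reg files escape backslashes and quotes with a backslash
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                values[name] = data
    return values


def triage(windows_dir, reg_text):
    """Read-only check: which indicator files exist, and what RunOnce would launch."""
    present = {n.upper() for n in os.listdir(windows_dir)}
    return {"files": [n for n in YARNER_FILES if n in present],
            "runonce": runonce_values(reg_text)}


# Constructed sample export; the value name and path are made up for illustration.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"QXZPLM"="C:\\WINDOWS\\QXZPLM.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tray"="C:\\WINDOWS\\TRAY.EXE"
'''

if __name__ == "__main__":
    import sys  # usage: script.py <windows directory> <exported .reg file>
    with open(sys.argv[2], "rb") as fh:
        print(triage(sys.argv[1], decode_export(fh.read())))
```

The script only reports; deciding which RunOnce value is the worm's, and deleting it, remains the manual step described above.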

Your precautionary steps should be the same as always: Make sure your anti-virus software is up-to-date with the latest identity signatures and patches. Change the default behavior of Windows, Outlook, and Outlook Express so that files are not launched automatically. Educate your users about e-mail attachments. (For more discussion on that topic, see Dealing With Network Security Scofflaws.)

Jim Freund is the Managing Editor of CrossNodes.

This article was originally published on Feb 21, 2002