I'm forwarding this direct to you all, not to worry you but to make you aware. Please though, no on-list discussions. Any comments please email me direct, after you have checked details with your particular AV supplier and the 2 references below.

Thanks, David Admin.

----- Original Message -----
From: "John A Hansen"
Sent: Thursday, January 02, 2003 3:10 PM
Subject: [LO] Yaha Virus increasing

> Dear All:
>
> This is another bad one. Be sure to update your AV database software ASAP. For most people it merely means hitting the live update button.
>
> You can read some more about it at:
> www.sarc.com
> www.mcfee.com
> Norton (Sarc) has a nice write up on how to remove.
> SARC only shows a level 2 at this point, but several AV monitors are showing much wider distribution than normal.
>
> Best Regards
> John A Hansen
>
> January 2, 2003
> Return of the Yaha Worm
> By Ryan Naraine
>
> E-mail security firms are warning that a variant of the Yaha.M mass-mailing virus is again circulating, urging administrators to block attachments ending with ".scr," ".exe" and ".com" at the firewall level to keep the worm at bay.
>
> MessageLabs slapped a "High Risk" rating on the new Yaha.M-mm worm, which was discovered over the holidays and has been wreaking havoc on e-mail around the world. To date, MessageLabs has intercepted 36,033 copies of the virus in more than 100 countries.
>
> McAfee has also upped its rating on the new Yaha variant, which propagates via e-mail using its own built-in SMTP engine. The worm terminates specific processes if they are running (AV/security related), and contains code to deliver a denial-of-service attack against a remote machine (the target is hard-coded within the worm), the company warned.
>
> McAfee warned that the virus is capable of terminating the virus scan programs before any scanning/removal can be done and recommended that infected users use the Stinger removal tool to disinfect systems.
>
> In an advisory, anti-virus firm F-Secure also upgraded the new worm -- dubbed Yaha.K -- and warned that the worm looks for e-mail addresses in Windows Address Book, cache folders of .NET and MSN messengers and in Yahoo Messenger profile folders. The company said the worm then sends itself to all e-mail addresses and composes several different types of e-mails with different messages, subjects, bodies and attachment names.
>
> F-Secure noted that the worm can change the default Internet Explorer startup page to point to one of several sites owned by hacking groups. Yaha.K also tries to create a denial-of-service attack on the infopak.gov.pk Web site.
>
> To disinfect a system, F-Secure said three worm files must be deleted and a registry fix applied
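
The quoted article's advice to block attachments ending in ".scr", ".exe" and ".com" comes down to a filename check on every MIME part of a message. The sketch below is an added example, not part of the forwarded messages or the article; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The three extensions the article says to block.
BLOCKED = {".scr", ".exe", ".com"}

def effective_extension(filename):
    """Return the extension Windows would act on, lower-cased."""
    # Windows drops trailing dots and spaces, so "setup.exe. " opens as .exe.
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    # Only the last extension counts: "holiday.jpg.scr" is a .scr file.
    return name[dot:] if dot != -1 else ""

def blocked_attachments(raw_message):
    """Return the filenames of MIME parts whose extension is in BLOCKED."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walks nested multiparts too
        # Filename from Content-Disposition, falling back to Content-Type name.
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED:
            hits.append(filename)
    return hits

def build_sample():
    """Constructed test message: two attachments to block, two harmless."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "list@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    for name in ("holiday.jpg.SCR", "notes.txt", "setup.exe.", "readme.com.txt"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("block:", name)
```

A filter like this only sees the declared filename, so it complements an updated AV scanner rather than replacing it.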