Yaha
Yaha
Type Email worm
Creator Hirosh
Date Discovered 2002.02.15
Place of Origin Kerala, India
Source Language C++
Platform MS Windows
File Type(s) .exe, .scr
Infection Length
Reported Costs $11.5 billion

Yaha is a worm with many variants, all based on the original worm, but with some different features added to later versions. Some variants of the worm were created (and possibly continue to be created) in a cyber-war between hackers of India and Pakistan.

Behavior

Yaha in action

Yaha arrives in an email with the following characteristics:

  • Subject: Melt the Heart of your Valentine with this beautiful Screen saver
  • Body:
   <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
   This e-mail is never sent unsolicited. If you need to unsubscribe, follow the
   instructions at the bottom of the message.
   ***********************************************************
   Melt the Heart of your loved ones with these beautiful Screen saver from 
   www.screensaverin.com
   * To remove yourself from this mailing list, point your browser to: 
   http://screensaverin.com/remove?freescreensaver
   * Enter your email address (%EmailAddress%) in the field provided and click
   "Unsubscribe". OR...
   * Reply to this message with the word "remove" in the subjt line.
   This message was sent to address %EmailAddress%
   X-PMG-Recipient:
   <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
  • Attachment: valentin.scr.
Yahacons.png

The worm may also come in another version of the email that looks like a forwarded version of the above email.

When executed, the worm installs itself to the Recycle bin as the files msmdmn.exe and msscra.exe. It will add msmdmn.exe as a value to a registry key that will cause the worm to run whenever an .exe file is opened. It places the text "Ur My Valentine.." on the screen and resizes windows. It may also display a fake error message:

Config
No Configuration is availabile Now
Enjoy  !!!

The worm searches the Windows Address Book, .html files, MSN and .NET messanger cache files for email addresses. It copies the address book from its original location to the Windows directory as www.dll. Yaha stores the email addresses in two files, both also in the Windows directory, named screendback.dll, which stores addresses collected from the address book and screend.dll, which stores email addresses from cache folders. It checks the registry for an SMTP Server, From Address and Display Name, which will be used when sending itself. If it cannot find any, it will use an SMTP Server, From Address and Display Name from a predefined list contained in the worm.

Name

Yaha is sometimes also known as Lentin or Valentin, referring to its Valentine screensaver.

Antivirus Aliases

  • Avast: Win32:Yaha
  • AVG: I-Worm/Yaha.A
  • BitDefender: Win32.Lentin.A@mm
  • F-PROT: W32/Lentin.A@mm
  • F-Secure: Email-Worm.Win32.Lentin.a
  • Ikarus: Email-Worm.Win32.Lentin.A
  • Kaspersky: Email-Worm.Win32.Lentin.a
  • McAfee: W32/Yaha@MM(Virus)
  • ESET: Win32/Yaha.A
  • Panda: W32/Lentin.A
  • Rising Antivirus: Worm.Valentin
  • Sophos: W32/Yaha-A
  • Symantec: W32.Yaha.A@mm
  • Trend Micro: WORM_YAHA.A

Effects

Several Pakistani government sites, Internet-service providers and the Karachi Stock Exchange were so severely damaged they had to seek help from Western experts to restore and safeguard those sites.

Variants

Yaha has enough variants to go through the alphabet at least once. Nearly all variants starting from Yaha.C are able to run automatically without being downloaded and executed by the user. Many variants terminate antivirus and security-related processes. Yaha.K performs a Denial of Service attack on the site infopak.gov.pk.

Background

Indian and Pakistani crackers had been engaged in a cyber-war against each other, each side defacing the other's websites. Some observers and even a few from amongst the ranks of the hackers claimed that it had nothing to do with politics (though this did take place during the India-Pakistan standoff), but rather it was simply an unrelated war of "cybercrime supremacy".

Many Yaha variants contain messages buried in the worm code that credits the Indian Snakes and the city of Kerala in India. Yaha.B contains the credit "Author : Hirosh", likely the same Hirosh behind an anonymous email-bomber. A few variants launch attacks on Pakistani websites.

Other Facts

Yaha and its variants first started making the Top 10 charts in 2002 April. Starting in July 1 of that year, a Yaha variant was in a position to take the number 1 position on the chart, were it not for the fact that it was consistently shut out by some variant of Klez. Yaha.E finally took the number 1 position, overtaking Klez.H.

One ISP threatened to deny internet service to users infected with Yaha, who did not get their computers fixed quickly.

Yaha.K is destroyed by Gigabyte's worm, Yahasux.

Sources

ESET Antivirus, Win32/Yaha.A. (German)

Kaspersky Lab. SecureList.com, Email-Worm.Win32.Lentin.a. 2002.08.23

John Leyden. The Register, Undead virus infects the dim-witted. 2002.08.23

-. -, Klez tops virus charts – again. 2002.07.01

-. -, Yaha usurps Klez. 2003.07.31

Daily Times Monitor. Daily Times, Indian hackers duel Pakistanis. 2003.08.04

Douglas Knowles. Symaqntec Security Response, W32.Yaha.C@mm.

Sharon Gaudin. EarthWeb IT Management, India/Pakistan Virus Writers Take War Online. 2003.03.13

Ryan Naraine. Internet News, "Return of the Yaha Worm". 2003.01.02

XS4ALL News, "Virus Warning: Yaha & Klez". 2002.06.25 (Archived on the Wayback Machine)

Richard A. Elnicki. University of Florida, Virus, Worm & Spam Costs 1: An Episode at the University of Florida.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License