Yahasux
YahaSux
Type Mass-mailer worm
Creator Gigabyte
Date Discovered 2003.01.13
Place of Origin Belgium
Source Language C++
Platform MS Windows
File Type(s) .scr
Infection Length 32,768 bytes

YahaSux, also known as Sahay is a mass mailer worm with viral capabilities that attempts to delete certain variants of the Yaha worm. It was coded by Belgian virus/worm coder Gigabyte and was never released into the wild. It stands as an example of some possibly beneficial use for self-replicating code.

Behavior

YahaSux arrives in an email with a subject line of "Fw: Sit back and be surprised.. ". The body reads:

  Think of a number between 1 and 52. 
  Say it out loud, and keep repeating while you read on. 
  Think of the name of someone you know (of the opposite sex). 
  Now count which place in the alphabet, the second letter of that name has. 
  Add that number to the number you were thinking of. 
  Say the number out loud 3 times. 
  Now count which place in the alphabet the first letter of your first name has, and
  substract that number from the one you just had. 
  Say it out loud 3 times. 
  Now sit back, watch the attached slide show, and be surprised..

The attachment is a screensaver named MathMagic.scr.

When executed, it searches for the Yaha executable nav32_loader.exe in the system folder as well as its own MathMagic.scr. If these files are not found, it copies itself as winstart.exe to the system folder.

It attempts to kill the process WinServices.exe or WINSER~1.EXE, both of which belong to the Yaha.K worm. It removes Yaha.K's executable from the registry key that causes it to start before any .exe file is run and restores that key to its original values. It also deletes Yaha.K's executable from the WinServices subkey of the registry key that causes it to run whenever Windows starts. It adds itself to this key by placing the value "Default = (system directory)\winstart.exe" in it.

YahaSux will create the file yahasux.exe in the system folder and the mIRC Download folder. This is actually a copy of the file mprexe.exe, which allows a computer to use multiple network protocols and adapters. It may copy this file and continue appending it multiple times until the disk is full.

It deletes the following files from the system directory:

YahaSuxMessage.gif
A message from Gigabyte
  • Be_Happy.scr
  • Best_Friend.scr
  • colour_of_life.scr
  • dance.scr
  • Friend_Finder.exe
  • Friend_Happy.scr
  • friendship.scr
  • friendship_funny.scr
  • funny.scr
  • GC_Messenger.exe
  • hotmail_hack.exe
  • I_Like_You.scr
  • life.scr
  • love.scr
  • nav32_loader.exe
  • shake.scr
  • Sweet.scr
  • True_Love.scr
  • WinServices.exe
  • world_of_friendship.scr

It sets the Internet Explorer homepage to http://127.0.0.1/.

YahaSux prepends itself to all .exe files in the mIRC and mIRC\download folder under Program Files. If it finds no MathMagic.scr file at the root of the C: drive, it will drop one there. It also drops its mass mailing component, yahasux.vbs, and executes it. It will mail YahaSux to all email addresses in the Outlook Address Book.

It shuts the computer down after 40 seconds. When the worm restarts with the computer, it deletes the file tcpsvs32.exe, another file associate with Yaha.K. It then displays a message explaining the infection.

Background

YahaSux was coded by Gigabyte in retaliation for Yaha.K, a variant of Yaha that turns the Internet Explorer home page to Coderz.net, the site where Gigabyte's own pages are located. This could have potentially overloaded the server of Coderz.net.

Name

YahaSux is named by its creator because she hated a particular variant of Yaha and its creator. Most antivirus companies call it Sahay, "Yaha" backwards with the first letter in Sux. This is probably because "Sux" implies oral sex and antivirus naming standards prohibit obscene names.

Antivirus Aliases

  • BitDefender: Win32.Sahay.B@mm
  • Doctor Web: Win32.HLLM.Sahay.2
  • Kaspersky: Email-Worm.Win32.Sahay.b
  • McAfee: W32/Sahay.worm
  • Symantec: W32.Sahay.A@mm
  • Trend Micro: PE_SAHAY.A

Other Facts

Yaha.Q contains a message in its code to Gigabyte about YahaSux: "to gigabyte: chEErS pAL, kEEp uP tHe g00d w0rK..buT W32.HLLP.YahaSux is.. lolz ;)". This message is not visible in the email or in any displayed message when the worm infects a computer, but it can be viewed when the worm is opened with a binary editor.

YahaSux is part of a class of viruses and worms called Nematodes, which attack malicious viruses and worms. These kinds of viruses and worms have a history going back to the first self-replicating programs, Creeper and Reaper, the latter being designed to attack the former. The first IBM-compatible virus, Brain was attacked by Denzuko. In 1989, a Macintosh virus named Anti.A was created to delete Anti.B, although strangely, Anti.B did not appear until a year later. In early 1999, a macro by the name of Ethan attempted to delete the macro Class. In late summer of 2001 All3gro attacked Sircam, Badtrans and Prettypark. Sasser and Netsky were two families of nematodes created to destroy Mydoom and Beagle, which resulted in what amounted to a war between factions of nematodes and malicious worms.

Sources

Scott Mollencamp. CA, Win32.Sahay.A. 2003.01.15-19

Mary Landesman. Antivirus, About.com, "Sahay Worm: Giga takes byte out of Yaha worm.".

Perantivirus.com, "Sahay".

McAfee Antivirus, W32/Sahay.worm.

Dialogue Science, "Win32.HLLM.Sahay".

The Age, Female virus writer creates new worm. 2003.01.14

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License