Yarner | |
---|---|
Type | Worm |
Creator | |
Date Discovered | 19-FEB-2002 |
Place of Origin | Germany |
Source Language | Delphi |
Platform | Microsoft Windows |
File Types | .exe |
Infection Length | 437,760 bytes |
Reported Costs | |

Yarner is a mass-mailing email worm that disguises itself as the antivirus product YAW and was probably an attempt to defame a popular malware news site.
Behavior
Yarner arrives in an email with the sender line "webmaster@trojaner-info.de", the subject line "Trojaner-Info Newsletter" and an attachment named yawsetup.exe. The sender may instead be the email address of a previously infected user. The message body is as follows:
[Image: Yarner's icon]
Hallo !
Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de.
Hier die Themen im Ueberblick:
01. YAW 2.0 - Unser Dialerwarner in neuer Version
************************************
01. YAW 2.0 - Unser Dialerwarner in neuer Version
Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist
nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere
Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen
steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak
unter andreas@ants-online.de zur Verfügung. Viel Spaß
mit YAW!
<http://www.trojaner-info.de/dialer/yaw.shtml>
************************************
Das war die heutige Ausgabe mit den aktuellsten Trojaner-Info News. Wir
bedanken uns fuer eure Aufmerksamkeit und wuenschen allen Lesern noch eine
angenehme Woche.
Mit freundlichem Gruss
Thomas Tietz & Andreas Ebert
<http://www.trojaner-info.de>
************************************
Anzahl der Subscriber: 5.966
Durchschnittliche Besuchzahl/Tag: 4.488
Diese Mail ist kein Spam ! Diesen Newsletter hast du erhalten, da du in unserer
Verteilerliste aufgenommen wurdest. Solltest du unseren Newsletter nicht selber
abonniert haben, sondern eine andere Person ohne dein Wissen, kannst du
diesen auf unseren Seiten wieder abbestellen. Oder sende uns einfach eine
entsprechende E-Mail.
************************************
[Image: The Yarner worm]
Translation:
Hello!
Welcome to the latest newsletter issue of the website Trojaner-Info.de.
Here is an overview of the topics:
01. YAW 2.0 - Our dialer warning tool in a new version
************************************
01. YAW 2.0 - Our dialer warning tool in a new version
Many have it and many like it - our dialer warning tool YAW. YAW is
now available in a brand-new and greatly expanded version. All our
newsletter readers receive it free of charge together with this newsletter.
So simply run the attached file and install YAW 2.0. If you have questions,
the programmer of this so far unique program, Andreas Haak, is available
at andreas@ants-online.de. Have fun
with YAW!
<http://www.trojaner-info.de/dialer/yaw.shtml>
************************************
That was today's issue with the latest Trojaner-Info news. We
thank you for your attention and wish all readers a
pleasant week.
With kind regards
Thomas Tietz & Andreas Ebert
<http://www.trojaner-info.de>
************************************
Number of subscribers: 5,966
Average number of visitors/day: 4,488
This mail is not spam! You have received this newsletter because you were added to our
distribution list. If you did not subscribe to our newsletter yourself,
but another person did so without your knowledge, you can
unsubscribe on our pages. Or simply send us a
corresponding e-mail.
************************************
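
The message traits described above can be checked at a mail gateway. The following is an added example, not code from the original page: the function names, the example.org/example.net addresses and the inert filler attachment are constructed, and treating the infobox's infection length as the attachment size is an assumption.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators from the description above.
SENDER = "webmaster@trojaner-info.de"
SUBJECT = "trojaner-info newsletter"
ATTACHMENT = "yawsetup.exe"
WORM_SIZE = 437_760  # infection length in bytes; assumed to equal the attachment size

def yarner_indicators(raw: bytes) -> set:
    """Return which Yarner indicators one raw e-mail message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if SENDER in str(msg.get("From", "")).lower():
        hits.add("sender")
    if str(msg.get("Subject", "")).strip().lower() == SUBJECT:
        hits.add("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        body = part.get_payload(decode=True) or b""
        if name == ATTACHMENT:
            hits.add("attachment-name")
        if name.endswith(".exe") and len(body) == WORM_SIZE:
            hits.add("attachment-size")
    return hits

def should_quarantine(hits: set) -> bool:
    # The sender may be a previous victim's address, and sender plus subject
    # alone also fit a genuine newsletter, so require an attachment indicator.
    return bool(hits & {"attachment-name", "attachment-size"})

def build_sample(sender: str, attachment=None) -> bytes:
    """Constructed test message; the attachment is inert filler, not malware."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "user@example.org"
    msg["Subject"] = "Trojaner-Info Newsletter"
    msg.set_content("Hallo !")
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="yawsetup.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    filler = b"\x00" * WORM_SIZE
    for sender, att in [(SENDER, filler), ("victim@example.net", filler), (SENDER, None)]:
        hits = yarner_indicators(build_sample(sender, att))
        print(sender, sorted(hits), should_quarantine(hits))
```
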
When the worm is run, it copies itself to the Windows directory under a random name with a .exe extension. It adds this file as a value under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce so that it runs the next time the system is started. It also copies itself to the Windows folder as NOTEPAD.EXE and moves the original to NOTEDPAD.EXE.
It searches files with the extensions *.PHP, *.HTM, *.SHTM, *.CGI and *.PL, as well as the Outlook address book, for email addresses. It then reads the SMTP server name from the Internet Account Manager data in the registry and sends itself to every email address it has found. It creates the files KERNEI32.DAA and KERNEI32.DAS, in which it stores email addresses and SMTP server names.
Each time it completes the email routine, there is a one in ten chance that it will delete all files on the hard drive.
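
The host artifacts listed above lend themselves to a quick triage of a Windows folder taken from a suspect machine. This is an added example, not code from the original page: the function names, the `C:\WINDOWS` default, the sample file names such as `qxzvb.exe` and the use of the infection length as a size heuristic are assumptions, and the RunOnce values are expected to have been exported separately.

```python
import ntpath
import os
import tempfile

WORM_SIZE = 437_760  # infection length from the page, used as a heuristic
DATA_FILES = {"kernei32.daa", "kernei32.das"}

def triage_windows_dir(windir, run_once, windir_name=r"C:\WINDOWS"):
    """List Yarner artifacts in a copy or mount of the Windows folder.
    run_once maps exported HKCU RunOnce value names to command strings."""
    findings = []
    sizes = {e.name.lower(): e.stat().st_size
             for e in os.scandir(windir) if e.is_file()}
    for name in sorted(DATA_FILES & sizes.keys()):
        findings.append(f"address/SMTP store present: {name}")
    if "notedpad.exe" in sizes:
        findings.append("original Notepad moved aside: notedpad.exe")
    worm_sized = {n for n, s in sizes.items()
                  if n.endswith(".exe") and s == WORM_SIZE}
    for name in sorted(worm_sized):
        findings.append(f"worm-sized executable: {name}")
    for value, command in sorted(run_once.items()):
        folder, leaf = ntpath.split(command.strip().strip('"'))
        if folder.lower() == windir_name.lower() and leaf.lower() in worm_sized:
            findings.append(f"RunOnce value {value!r} starts {leaf.lower()}")
    return findings

def build_constructed_dir(root):
    """Constructed sample layout; every file is inert filler."""
    layout = {"KERNEI32.DAA": 10, "KERNEI32.DAS": 10, "NOTEDPAD.EXE": 50_000,
              "NOTEPAD.EXE": WORM_SIZE, "qxzvb.exe": WORM_SIZE,
              "EXPLORER.EXE": 90_000}
    for name, size in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_dir(root)
        for line in triage_windows_dir(root, {"qxzvb": r"C:\WINDOWS\qxzvb.exe"}):
            print(line)
```

Windows deletes a RunOnce value when it runs the command, so a missing registry entry does not clear a host; the file artifacts are the more durable evidence.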
Variants
There are seven known variants of Yarner, which are about the same size as the original and have about the same functionality.
Effects
Trojaner-info.de released a statement denying any involvement in creating and spreading the worm. Thomas Tietz and Andreas Ebert of Trojaner-info.de said it looked as if the worm's author was a subscriber to their newsletter, but that the email text was not in their writing style. They also noted some similarities to the Anset worm and suggested it might be a variant. They further suggested it was created as part of a character assassination campaign against them and their site, as the same thing had happened with Anset, where an innocent man, Andreas Haak, was framed as the creator. The worm gained a foothold in Europe and had spread to Korea by the morning of 20-Feb-2002.