Educause Security Discussion mailing list archives

Re: "Yay" Malware


From: Scott Fendley <scottf () UARK EDU>
Date: Thu, 11 Jan 2007 22:58:27 -0600

Heya Tim et al,

Thankfully we have not seen it on our campus as of yet.  However, I
do know from communication with the Internet Storm Center that a
sample has been sent to all of the major antivirus vendors earlier in
the day.  I would expect that definitions will be out for the initial
variation of this malware soon.

After determining the attack vector/infection technique, I would
typically reinstall or reimage the computer.  I may be a little
paranoid, but I really don't like not knowing positively what the
state of security really is after a compromise of this nature.


It would be great if any determination could be made as to what the
infection vector might have been.  Email, IM, website
download? From the reports I have seen it seems the file that
appears to be part of the 1st stage infection is C:\WINDOWS\SYSTEM32\usb.exe.

Hopefully I will have more details in the morning that I can share.

Scott

At 07:25 PM 1/11/2007, Tim Lane wrote:
Hi All,

has anyone seen (for want of a better term) the Yay Malware.  We
are seeing a small window with the word "yay" in it appear on the
desktop with a lot of outgoing traffic.  A search on Google cites
quite a few people seeing this in the last 24 hours but no resolution.

We have tried to remove it with:

Symantec AV
Adaware
Spybot S&D
Defender
XoftSpySE
MSRT

Seems like it may be very new and the AV vendors have not caught on yet....

If anyone has seen it and mitigated it I would be interested to hear.

Thanks,

Tim


Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

02 6620 3290 / 02 6620 3033 - tlane () scu edu au
http://www.scu.edu.au
