Re: "Yay" Malware

[RL Vaughn <Randy_Vaughn () BAYLOR EDU>]

Indeed the file, C:\WINDOWS\SYSTEM32\usb.exe, has been pinned as the culprit.
Reports are it overwrites binaries critical to IM, tray applications, and,
apparently, the binaries of processes active at the time of infection including
some AV.  The binary is UPX packed.  The infection vector has not yet been
determined to my knowledge.

Scott's reinstall or reimage option suggestion seems realistic rather than
paranoid.  On that point, and other previous postings, does anyone have a
ballpark guesstimate of how much it costs to repair a single machine after such
an infection?

Scott Fendley wrote:
> Heya Tim et al,
>
> Thankfully we have not seen it on our campus as of yet.  However, I do
> know from communication with the Internet Storm Center that a sample has
> been sent to all of the major antivirus venders earlier in the day.  I
> would expect that definitions will be out for the initial variation of
> this malware soon.
>
> After determining the attack vector/infection technique,  I would
> typically reinstall or reimage the computer.  I may be a little
> paranoid, but I really don't like not knowing positively what the state
> of security really is after a compromise of this nature.
>
>
> It would be great if any determination could be made as to what the
> infection vector might have been.  Email, IM, website download?   From
> the reports I have seen it seems the file that appears to be part of the
> 1st stage infection is C:\WINDOWS\SYSTEM32\usb.exe.
>
> Hopefully I will have more details in the morning that I can share.
>
> Scott
>
> At 07:25 PM 1/11/2007, Tim Lane wrote:
> > > Hi All,
> > >
> > > has anyone seen (for want of a better term) the Yay Malware.  We are
> > > seeing a small window with the word "yay" in it appear on the desktop
> > > with a lot of outgoing traffic.  A search on Google cites quite a few
> > > people seeing this in the last 24 hours but no resolution.
> > >
> > > We have tried to remove it with:
> > >
> > > Symantec AV
> > > Adaware
> > > Spybot S&D
> > > Defender
> > > XoftSpySE
> > > MSRT
> > >
> > > Seems like it may be very new and the AV vendors have not caught on
> > > yet....
> > >
> > > If anyone has seen it and mitigated it I would be interested to hear.
> > >
> > > Thanks,
> > >
> > > Tim
> >
> >
> > Tim Lane
> > Information Security Program Manager
> >
> > Information Technology and Telecommunication Services
> > Southern Cross University
> > PO Box 157 Lismore NSW 2480
> >
> > (02 6620 3290   7             02 6620 3033   - tlane () scu edu au
> > 8 <http://www.scu.edu.au>http://www.scu.edu.au