Information Security News mailing list archives

Yaha Worm Spreads Beyond Middle East


From: InfoSec News <isn () c4i org>
Date: Thu, 2 Jan 2003 10:00:25 -0600 (CST)

http://www.eweek.com/article2/0,3959,803276,00.asp

By Dennis Fisher
December 31, 2002 

A new variant of the Yaha worm, discovered last week in several Middle 
Eastern countries, has begun spreading more rapidly and widely, 
anti-virus experts say. 

Yaha.K is a mass-mailing worm and propagates through e-mail, using its 
own built-in SMTP engine. It can also retrieve addresses from Yahoo 
Messenger, MSN Messenger and .Net Messenger Service directories. The 
worm also is designed to launch a denial-of-service attack against a 
target server in Pakistan. 

The worm appears in victims' mailboxes with any one of dozens of 
subject lines. The "From" addresses on both the envelope and the 
message header are forged and the message also carries an attachment 
with a randomly generated name. 

The worm appears to have originated in the Middle East, and 
MessageLabs Ltd., a British MSP that tracks viruses, said it first saw 
copies in Kuwait. Network Associates Inc.'s McAfee Security anti-virus 
site lists the worm as a medium risk because of its increased 
prevalence in recent days. 

Yaha.K is also capable of disabling various anti-virus products, 
personal firewalls and other security-related processes on infected 
machines, according to a McAfee Security advisory. 

Anti-virus companies first began seeing the worm about 10 days ago, 
but it had been confined mostly to the Middle East and a few European 
companies. However, within the last day or so, it has begun spreading 
more widely. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

