RE: Virus? Trojan?

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 01/13/03

    Date: Mon, 13 Jan 2003 12:39:18 +1300
    From: Nick FitzGerald <nick@virus-l.demon.co.uk>
    To: 'Incidents List' <incidents@securityfocus.com>
    
    

    "James C Slora Jr" <Jim.Slora@phra.com> wrote:

    > > So far today, I've received two email messages from
    > > kbl-zrz2519.zeelandnet.nl [62.238.233.233]
    >
    > > which, apparently, claimed in its HELO message to *be*
    > > our local MX (which of course was who it was talking TO).
    > > Sounds to me like a bug in the sending software.
    >
    > > The other thing these messages had in common was a
    > > 33KB .scr ("screen saver") executable attachment.
    > > Norton doesn't recognize this as a known threat, but
    > > I don't want to be the first to learn the hard way what
    > > it does.
    >
    > I've gotten 4 more Yaha-M-infected messages from this same source today. I

    I think that is unlikely, as they are infected with Yaha.K. However,
    as you did not identify the scanner that told you Yaha.M, I'll grant
    that you may just be repeating incorrect information given you by
    your scanner. A week or so back these were the unique names reported
    among products representing some 20-odd different scan engines:

      1 Lentin.H
      1 I-Worm.Lentin.i
      1 Lentin.K
      1 HLLM.Yaha.1
      3 I-Worm/Yaha.K
      5 Yaha.K
      1 Yaha-K
      1 Yahaa.K
      1 Worm/Yaha.M
      1 Yaha.N
      1 WORM_YAHA.K

    To ease the comparison, I removed any standard platform indicating
    precursors (such as "W32" or "Win32") and all standard or otherwise
    modifiers (such as "@mm" and ".Worm") after any standard sub-variant
    name part. Further simplifying, by removing non-standard name
    components before the family name (e.g. "I-Worm", "WORM_") and
    accepting non-standard delimiters (e.g. "-" instead of "." for the
    sub-variant delimiter) we get:

      1 Lentin.H
      1 Lentin.i
      1 Lentin.K
      1 Yaha.1
     10 Yaha.K
      1 Yahaa.K
      1 Yaha.M
      1 Yaha.N

    And, assuming that "Yahaa" was a typo on the part of ... (well, it
    doesn't really matter), we get:

      1 Lentin.H
      1 Lentin.i
      1 Lentin.K
      1 Yaha.1
     11 Yaha.K
      1 Yaha.M
      1 Yaha.N

    So, I guess it's easy to see where the naming confusion could come
    from. This was not helped by the fact that MessageLabs listed Yaha.K
    as Yaha.M for a while. It is now listed there as W32/Yaha.K!e2a2
    (note MessageLabs' use of the new "!" name modifier indicating the
    "!" and everything to its right is not officially part of the name).

    > received a few at around the same time you did, starting December 31 when
    > Yaha-M had not yet been listed. The sender must have one of the first
    > infected computers. They may be a member of this list or someone who visits
    > the list archives.

    The problem here is that that machine has been infected with Yaha.K
    and not Yaha.M -- at least, I am still receiving, and have only
    received, Yaha.K messages from that machine. The latest one I
    received had a Date: header (created by the virus) of:

       Date: Fri,10 Jan 2003 13:23:41 PM

    Yaha.K was discovered before Christmas, and although that machine
    seemed to start spewing out Yaha Email as Yaha.M was first being
    reported, it is not infected with Yaha.M but with Yaha.K as a simple
    analysis of the file attached to its Email shows.

    I agree that the sender may be on this list or a frequenter of the
    archives. If you are reading this and are a cable (the "kbl" of
    "kbl-zrz2519.zeelandnet.nl" is, at a guess a contraction of the Dutch
    for "cable") customer of zeelandnet.nl, please head to one of the AV
    sites for a description of Yaha.K (or one of the names above!) and
    find out how to fix it and then do something about getting protected
    so as to reduce the likelihood of becoming infected again.

    > Since the infections are still coming I've notified the administrator of
    > zeelandnet.nl - hopefully they will hunt the user down and help them clear
    > the infection.

    So have I -- the problem is they decided the best action was to
    prevent that IP accessing their mail server:

       Thanks for the message.

       The user is blocked for outgoing e-mail to block this virus.

    As they don't really say how or what they have blocked, and the
    messages keep coming, I guess they have blocked access to their own
    mail servers, which the virus will not try to use except when it
    tries to send itself to an address for which a zeelandnet.nl mail
    server is the mail-exchanger (AFAICT, Yaha.K's SMTP engine tries to
    resolve MX records in the DNS then sends its mail directly to that
    SMTP server rather than relying on any "local" SMTP servers to relay
    for it).

    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
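The name-normalization steps Nick walks through above (strip the platform prefix, strip the non-standard type component before the family name, strip trailing modifiers and anything after a "!", accept "-" as well as "." as the sub-variant delimiter, then optionally fold an obvious typo such as "Yahaa" into "Yaha") as an added Python example. This is not code from the original post or from Computer Virus Consulting Ltd. The RAW_REPORTS list is constructed here: it is the same 17 names the post tallies, with sample platform prefixes and modifiers of the kind the post says it had already removed put back on so the stripping has something to do. The prefix and suffix patterns are assumptions about common vendor conventions, not a vendor-blessed scheme.

```python
import re
from collections import Counter

# Constructed sample (not the post's list verbatim): the 17 names the post tallies,
# restored with platform prefixes ("W32/", "Win32.") and modifiers ("@mm", ".Worm")
# of the kind the post says it stripped before counting.
RAW_REPORTS = [
    "W32/Lentin.H@mm",
    "I-Worm.Lentin.i",
    "Win32.Lentin.K",
    "HLLM.Yaha.1",
    "I-Worm/Yaha.K", "I-Worm/Yaha.K", "I-Worm/Yaha.K",
    "W32/Yaha.K@mm", "Yaha.K", "W32.Yaha.K.Worm", "Win32/Yaha.K", "W32/Yaha.K@mm",
    "W32/Yaha-K",
    "Yahaa.K",
    "Worm/Yaha.M",
    "W32/Yaha.N@mm",
    "WORM_YAHA.K",
]

# Assumed conventions (not an official naming standard):
# leading platform indicator, e.g. "W32/" or "Win32."
PLATFORM_PREFIX = re.compile(r"^(?:w32|win32|w95|w9x)[./]", re.IGNORECASE)
# non-standard type component some vendors put before the family: "I-Worm.", "WORM_", "HLLM."
TYPE_PREFIX = re.compile(r"^(?:i-worm|worm|hllm)[./_]", re.IGNORECASE)
# trailing modifiers after the sub-variant part: "@mm", "@m", ".Worm"
MODIFIER_SUFFIX = re.compile(r"(?:@mm?|\.worm)$", re.IGNORECASE)
# family plus optional sub-variant, accepting "-" as well as "." as the delimiter
FAMILY_VARIANT = re.compile(r"^([A-Za-z0-9]+)(?:[.\-]([A-Za-z0-9]+))?$")


def normalize(name, aliases=None):
    """Reduce one vendor name to Family.variant; return None if it does not parse."""
    aliases = aliases or {}
    # "!" and everything to its right is not part of the name (e.g. "W32/Yaha.K!e2a2")
    core = name.strip().split("!", 1)[0]
    core = PLATFORM_PREFIX.sub("", core)
    core = TYPE_PREFIX.sub("", core)
    core = MODIFIER_SUFFIX.sub("", core)
    m = FAMILY_VARIANT.match(core)
    if not m:
        return None
    family = m.group(1).capitalize()          # "YAHA" -> "Yaha"
    family = aliases.get(family, family)      # analyst-supplied fold, e.g. {"Yahaa": "Yaha"}
    variant = m.group(2)                      # kept as reported ("i" stays "i")
    return f"{family}.{variant}" if variant else family


def tally(reports, aliases=None):
    """Count normalized names across engines; unparseable names land under '<unparsed>'."""
    counts = Counter()
    for raw in reports:
        counts[normalize(raw, aliases) or "<unparsed>"] += 1
    return counts


if __name__ == "__main__":
    for label, aliases in (("normalized", None), ("Yahaa folded into Yaha", {"Yahaa": "Yaha"})):
        print(f"--- {label}")
        for n, c in sorted(tally(RAW_REPORTS, aliases).items(), key=lambda kv: (-kv[1], kv[0])):
            print(f"{c:3d} {n}")
```

Run as a script it prints the two tallies from the post (10 Yaha.K, then 11 once "Yahaa" is folded). The alias fold is deliberately an explicit argument rather than a fuzzy match, so a typo is only merged when an analyst has decided it is one; the "!" suffix and the "-" delimiter are handled automatically because the post describes them as notation, not as different names.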
    

