Computer Consultant <[EMAIL PROTECTED]> wrote:
From Computer Consultant Sun May 22 20:57:28 2005
To: computerconsultant <[EMAIL PROTECTED]>
From: Computer Consultant <[EMAIL PROTECTED]>
Date: Sun, 22 May 2005 20:57:28 -0700 (PDT)
Subject: ComputerConsultant German Virus Information

German Virus Information 
A new e-mail virus is circulating. The original virus appears as an attachment 
to a message written in German, which should greatly cut down on the number of 
people at OU who open it by mistake. Still, an English-wrapped version probably 
isn't far off. 
Virus Profile: W32/[EMAIL PROTECTED]
   Name: W32/[EMAIL PROTECTED]
   Risk Assessment
     - Home Users: Low
     - Corporate Users: Low
   Date Discovered: 2/18/2002
   Date Added: 2/19/2002
   Origin: Germany
   Length: 437760
   Type: Internet Worm
   SubType: Win32
   DAT Required: 4187

Virus Family Statistics (over the past 30 days)
   Virus Name / Infected Files / Scanned Files / % Infected Computers
   W32/[EMAIL PROTECTED]

Characteristics
-- Update 2/20/2002 --
AVERT has lowered the risk assessment to LOW.
This is a new worm seen by AVERT researchers in Germany and the UK today, 19 
Feb 2002. 
This worm has its own SMTP e-mailing engine which gets e-mail addresses from 
the Microsoft Outlook address book and .pl, .php, .htm, .shtm, and .cgi files, 
storing them in the file kernei32.daa.

The worm gets the system default SMTP server from a registry key:
   HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\SMTP Server
It stores this and other server details (hardcoded within the worm) in the file
kernei32.das.


The worm copies itself to the Windows folder with a randomly selected name, and
creates a registry run key value to load the worm at startup:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
It also replaces notepad.exe and copies the original notepad.exe to
notedpad.exe. The worm's payload is to delete all files that are not locked
from drive C:.
The virus arrives in an email message with the following information: 
From: (forged) [EMAIL PROTECTED]
Subject: Trojaner-Info Newsletter 18.02.02 (date is updated according to 
infected machine)
Attachment: yawsetup.exe 
The message is formatted as follows (destination email address removed). Note 
that the people and websites mentioned are innocent and not the originators of 
the virus.
 
In full, and translated, this reads:

Hello! Welcome to the latest newsletter from Trojaner-Info.de

Content:
1. YAW 2.0 - the latest version of our porn-dialer warner

****
1. YAW 2.0 - Our porn-dialer warner in its latest version.
Our widely used Dialerwarner YAW is now available in a brand new and enhanced
version. All subscribers to our newsletter get this version for free with this
newsletter. Just start the attached file and YAW 2.0 installs itself. If there
are any questions the programmer of this unique tool is available at [...]
Have fun with YAW!
http://www.trojaner-info.de/dialer/yaw.shtml
****

That's it with the latest Trojaner-Info news, thank you for your attention and
we wish all our readers a pleasant week.
The rest is standard newsletter headers. Again, the people and websites 
mentioned are not the true originators of the virus. 
At the end of the file is a comment: 
Als kleines Dankeschön von der Pornoindustrie. Das ist nur der Anfang, wenn ihr 
nicht aufhoert. 
Translation of the comment: A little present from the porn-industry. This is 
just the beginning if you don't stop.
Indications of Infection
Presence of the following files in %windir%:
   NOTEDPAD.EXE
   KERNEL32.DAA
   KERNEL32.DAS

Method of Infection
Running yawsetup.exe will infect the system.

Removal Instructions
All Users :
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of 
hooking system startup, will be successfully removed if cleaning with the 
recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations 

Aliases
I-Worm.Yarner.a (AVP), I-Worm.Yarner.b (AVP), Trojan.Yaw.20 (MkS_vir),
[EMAIL PROTECTED] (NAV), W32/Yarner (Sophos), W32/[EMAIL PROTECTED] (Norman),
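
Added example (not part of the original advisory or message): a triage check for the indicators described above, run against a Windows folder such as a mounted disk image. It assumes the advisory's Length value is in bytes and that the worm's copies are exact; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# File names from the advisory. It spells the data files "kernei32" under
# Characteristics and "KERNEL32" under Indications of Infection; check both.
INDICATOR_FILES = {"notedpad.exe", "kernei32.daa", "kernei32.das",
                   "kernel32.daa", "kernel32.das"}
WORM_LENGTH = 437760  # the advisory's "Length" field, taken here as bytes


def check_windir(windir):
    """Return sorted (file name, reason) findings for one Windows folder."""
    findings = []
    for entry in os.scandir(windir):
        if not entry.is_file():
            continue
        name = entry.name.lower()  # Windows file names are case-insensitive
        if name in INDICATOR_FILES:
            findings.append((entry.name, "name listed in the advisory"))
        elif name.endswith(".exe") and entry.stat().st_size == WORM_LENGTH:
            # Assumption: the randomly named copy and the replaced
            # notepad.exe are byte-for-byte copies of the worm.
            findings.append((entry.name, "size equals the worm's length"))
    return sorted(findings)


def check_runonce(runonce_values, findings):
    """Return Runonce value names whose command mentions a flagged file."""
    flagged = [name.lower() for name, _ in findings]
    return sorted(value for value, command in runonce_values.items()
                  if any(name in command.lower() for name in flagged))


if __name__ == "__main__":
    # Constructed sample: a temporary folder standing in for %windir%.
    with tempfile.TemporaryDirectory() as windir:
        sample = {"NOTEDPAD.EXE": 100, "kernei32.daa": 10, "win.ini": 20,
                  "notepad.exe": WORM_LENGTH, "qxzt.exe": WORM_LENGTH}
        for name, size in sample.items():
            with open(os.path.join(windir, name), "wb") as fh:
                fh.write(b"\0" * size)
        found = check_windir(windir)
        for name, reason in found:
            print(f"{name}: {reason}")
        # Constructed Runonce values, as exported from the key in the advisory.
        print(check_runonce({"ld": r"C:\WINDOWS\qxzt.exe"}, found))
```

A size match alone is only a lead: confirm any flagged executable with a current scanner before acting on it.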



 




