[ISN] Yaha Worm Spreads Beyond Middle East

From: InfoSec News (isnat_private)
Date: Thu Jan 02 2003 - 08:00:25 PST

    By Dennis Fisher
    December 31, 2002

    A new variant of the Yaha worm, discovered last week in several Middle
    Eastern countries, has begun spreading more rapidly and widely,
    anti-virus experts say.

    Yaha.K is a mass-mailing worm and propagates through e-mail, using its
    own built-in SMTP engine. It can also retrieve addresses from Yahoo
    Messenger, MSN Messenger and .Net Messenger Service directories. The
    worm also is designed to launch a denial-of-service attack against a
    target server in Pakistan.

    The worm appears in victims' mailboxes with any one of dozens of
    subject lines. The "From" addresses on both the envelope and the
    message header are forged and the message also carries an attachment
    with a randomly generated name.

    The worm appears to have originated in the Middle East, and
    MessageLabs Ltd., a British MSP that tracks viruses, said it first saw
    copies in Kuwait. Network Associates Inc.'s McAfee Security anti-virus
    site lists the worm as a medium risk because of its increased
    prevalence in recent days.

    Yaha.K is also capable of disabling various anti-virus products,
    personal firewalls and other security-related processes on infected
    machines, according to a McAfee Security advisory.

    Anti-virus companies first began seeing the worm about 10 days ago,
    but it had been confined mostly to the Middle East and a few European
    companies. However, within the last day or so, it has begun spreading
    more widely.