Nick FitzGerald wrote Sunday, January 12, 2003 6:39 PM

> Yaha.K was discovered before Christmas, and although that machine
> seemed to start spewing out Yaha Email as Yaha.M was first being
> reported, it is not infected with Yaha.M but with Yaha.K as a simple
> analysis of the file attached to its Email shows.

Thanks for the correction. I looked at headers and message text, and I stripped the attachments without analyzing them. Headers and message body options are AFAICT the same between K and M and match no other circulating worms, based on Trend Micro and Symantec descriptions.

My original determination that the infection was M rather than K was based on David Gillett's assertion that Norton (unspecified product) did not detect a worm in the message at a time when definitions detecting K were already available. When the new messages arrived, they were apparently more of the same and I reported them as such.

For notification purposes I believe that this admittedly imprecise analysis was adequate, despite my incorrect conclusion. For the sake of absolute correctness I should not have specified the infection as Yaha-M when I had never performed a positive binary analysis of the attachment - I should have just said something like "apparently one of the newer varieties of the Yaha family of worms, based on message headers and text".

> I agree that the sender may be on this list or a frequenter of the
> archives. If you are reading this and are a cable (the "kbl" of
> "kbl-zrz2519.zeelandnet.nl" is, at a guess, a contraction of the Dutch
> for "cable") customer of zeelandnet.nl, please head to one of the AV
> sites for a description of Yaha.K (or one of the names above!) and
> find out how to fix it and then do something about getting protected
> so as to reduce the likelihood of becoming infected again.
> > Since the infections are still coming I've notified the administrator of
> > zeelandnet.nl - hopefully they will hunt the user down and help them clear
> > the infection.
>
> So have I -- the problem is they decided the best action was to
> prevent that IP accessing their mail server:
>
> > Thanks for the message.
> > The user is blocked for outgoing e-mail to block this virus.
>
> As they don't really say how or what they have blocked, and the
> messages keep coming, I guess they have blocked access to their own
> mail servers, which the virus will not try to use except when it
> tries to send itself to an address for which a zeelandnet.nl mail
> server is the mail-exchanger (AFAICT, Yaha.K's SMTP engine tries to
> resolve MX records in the DNS then sends its mail directly to that
> SMTP server rather than relying on any "local" SMTP servers to relay
> for it).

Thanks for sharing their response. I have not received anything from zeelandnet.nl administrators beyond the initial automated response. I have also not received any more infected messages from the offender since submitting the notification (which of course doesn't prove anything).

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
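The thread notes that blocking the infected host from the ISP's own mail server does nothing against a worm whose SMTP engine resolves MX records and delivers directly. The check below, an added example and not code from this thread, shows how an ISP or network operator could spot that fan-out in its own egress flow logs: a host opening port-25 connections to many distinct foreign MX hosts instead of the configured relay. The log format, the relay name `smtp.isp.example` and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an egress flow log (not from the original thread).
# Fields: timestamp, source IP, destination host, destination port.
SAMPLE_LOG = """\
2003-01-12T18:01:02 10.0.5.19 mail.example.net 25
2003-01-12T18:01:05 10.0.5.19 mx1.example.org 25
2003-01-12T18:01:07 10.0.5.19 mx.example.com 25
2003-01-12T18:01:09 10.0.5.19 mail.example.edu 25
2003-01-12T18:01:11 10.0.5.19 mx2.example.org 25
2003-01-12T18:02:00 10.0.7.4 smtp.isp.example 25
2003-01-12T18:02:30 10.0.7.4 www.example.com 80
2003-01-12T18:03:00 10.0.9.8 smtp.isp.example 25
2003-01-12T18:03:10 10.0.9.8 mx.example.com 25
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_log(text):
    """Yield (src, dst, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), int(m.group(4))

def direct_to_mx_senders(text, isp_relays, threshold=3):
    """Return {src: sorted distinct SMTP destinations} for every source
    that connected on port 25 to at least `threshold` distinct hosts
    other than the ISP's own relays.  A worm with its own MX-resolving
    SMTP engine fans out to many foreign MX hosts; an ordinary mail
    client talks only to the configured relay, so it never appears."""
    targets = defaultdict(set)
    for src, dst, port in parse_log(text):
        if port == 25 and dst not in isp_relays:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    hits = direct_to_mx_senders(SAMPLE_LOG, {"smtp.isp.example"})
    for src, dsts in hits.items():
        print(f"{src}: {len(dsts)} distinct foreign MX hosts -> {', '.join(dsts)}")
```

Blocking such a host's outbound port 25 at the network edge, rather than at the ISP's relay, is what actually stops the direct-to-MX delivery described above.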
This archive was generated by hypermail 2b30 : Sun Jan 12 2003 - 22:05:52 PST