Virus Alert - Yarner: Not Every Anti-Virus Is the Real McCoy
Be careful out there - this one's nasty
A new, highly dangerous Internet worm, 'Yarner', disguises itself as the anti-virus program YAW. At this time, there have been reports of mass infection caused by this malicious program in Germany.
Yarner skilfully hides under the guise of an official message from a German Web site that handles anti-virus security problems.
Yarner spreads via e-mail in attached files. An infected e-mail has the following characteristics:
The sender's address is chosen at random from the following:
* Trojaner-Info [the actual e-mail of the infected computer]
or
* Trojaner-Info [webmaster@trojaner-info.de]
Attachment: YAWSETUP.EXE
Subject: Trojaner-Info Newsletter [infected computer's current date]
If a user opens the attached YAWSETUP.EXE file and no active anti-virus program is in use, the worm launches its infection routine on the target computer and begins spreading. First, Yarner creates an additional file in the Windows directory with a random name (up to 100 characters) and registers the file in the Windows system registry auto-run key. In this way, the worm is activated upon each system restart.
To send itself via e-mail, Yarner accesses the MS Outlook address book and scans all .PHP, .HTM, .SHTM, .CGI and .PL files in the Windows directory for e-mail addresses. The harvested addresses are copied to the files KERNEI32.DAA and KERNEI32.DAS. The worm then connects to a remote SMTP server, through which it sends copies of itself.
Yarner has exceptionally dangerous and destructive features. In one case in ten, after having sent its e-mail copies, the worm destroys all data and information on an infected computer.
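As an added example (not part of the original alert and not Kaspersky Lab's code), the following Python code checks a raw message for the three e-mail characteristics listed above and a directory for the two address-harvest files. The function names, the sample message and its date are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Indicators taken from the alert text; compared case-insensitively.
ATTACHMENT_NAME = "yawsetup.exe"
SUBJECT_PREFIX = "trojaner-info newsletter"
DISPLAY_NAME = "trojaner-info"
HARVEST_FILES = ("kernei32.daa", "kernei32.das")

def mail_indicators(raw: bytes) -> list[str]:
    """Return which of the alert's e-mail characteristics a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    sender = msg["From"]
    if sender and any(a.display_name.strip().lower() == DISPLAY_NAME
                      for a in sender.addresses):
        hits.append("sender-display-name")
    subject = str(msg["Subject"] or "")
    if subject.strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits

def harvest_files_present(windows_dir: str) -> list[str]:
    """List the address-harvest files named in the alert that exist in a directory."""
    root = Path(windows_dir)
    if not root.is_dir():
        return []
    return sorted(p.name for p in root.iterdir()
                  if p.is_file() and p.name.lower() in HARVEST_FILES)

def constructed_sample() -> bytes:
    """Constructed message with a harmless placeholder attachment (not worm code)."""
    m = EmailMessage()
    m["From"] = "Trojaner-Info <user@example.invalid>"   # constructed address
    m["Subject"] = "Trojaner-Info Newsletter 01.01.2000"  # constructed date format
    m.set_content("placeholder body")
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename="YAWSETUP.EXE")
    return m.as_bytes()

if __name__ == "__main__":
    print(mail_indicators(constructed_sample()))
```

Because the sender name and subject are freely forgeable, a match on them is a triage hint; the attachment name and the presence of the KERNEI32.DAA or KERNEI32.DAS files are the stronger signals.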
'Trojaner-Info, supposedly in whose name the infected messages are sent, is a popular German resource for solving anti-virus security problems. This service has no relationship whatsoever to this current epidemic. What is occurring now simply confirms once again that an e-mail address and a message text can be easily falsified, and with the use of this trick, a user has a malicious program thrust upon him or herself,' commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab.
Yet again, then, folks, let us remind you never to open attachments from anyone unless you're absolutely sure they're safe - and make sure you've got an anti-virus program running.

