- Sep 25, 2000
A destructive new mass-mailing Internet worm has been launched into the wild in the form of a Trojan horse targeting the security-conscious.
The worm, which has been named "Yarner" by virus researchers, apparently got its start in a fraudulent e-mail sent sometime Monday to fans of Trojaner-Info.de, a German site specializing in information about malicious code.
The bogus message, written in German, purports to be a newsletter from Trojaner-Info announcing a new release of an actual anti-Trojan program hosted at Trojaner-Info called Yet Another Warner (YAW). The message's subject line is "Trojaner-Info Newsletter."
The real YAW program is designed to protect users against malicious dialer programs that attempt to stealthily connect victims' computers to expensive "900 number" services. The program is still in version 1.0 and should be downloaded directly from the Trojaner-Info site, said the program's author, Andreas Haak.
The booby-trapped yawsetup.exe attached to the bogus e-mail is actually designed to mail copies of itself to addresses in the victim's Microsoft Outlook address book. The worm may also delete all files on the victim's hard disk.
Information on the YARNER worm can be found at:
http://www.sarc.com/avcenter/venc/data/w32.yarner.a@mm.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99365&
The worm sends itself to email addresses found in the Microsoft Outlook address book and local files.
The worm uses the system-configured or hard-coded SMTP server to send messages with the subject "Trojaner-Info Newsletter" followed by the current date. The message body is in German and the attachment name is yawsetup.exe.
This has the potential to be a very dangerous worm.
W32/Yarner renames notepad.exe in the Windows directory to notedpad.exe and copies itself to notepad.exe. It creates a randomly named file with an .EXE extension in the Windows directory and changes the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce\
so that the worm file runs on Windows startup.
After a period of running on the system, the worm executes its destructive payload and attempts to delete all files from the hard drive.
Most major Anti-virus manufacturers have updated their definition files to detect and remove this virus.
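The indicators described above (subject prefix, attachment name, and the renamed Notepad copy) can be checked with a short script. This is an added example, not part of the original post or of any vendor write-up; the function names, sample addresses, and sample date are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "trojaner-info newsletter"  # subject reported in the post
ATTACHMENT = "yawsetup.exe"                  # attachment name reported in the post
RENAMED_NOTEPAD = "notedpad.exe"             # name the original notepad.exe is moved to

def mail_indicators(raw_message: str) -> list[str]:
    """Return which of the post's mail indicators a raw message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    # The post says the subject is followed by the current date, so match a prefix.
    if str(msg.get("Subject", "")).strip().lower().startswith(SUBJECT_PREFIX):
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").strip().lower() == ATTACHMENT:
            hits.append("attachment")
            break
    return hits

def host_indicators(windows_dir_names: list[str]) -> list[str]:
    """Flag the renamed Notepad copy in a listing of the Windows directory."""
    names = {n.lower() for n in windows_dir_names}
    return [RENAMED_NOTEPAD] if RENAMED_NOTEPAD in names else []

def build_sample(subject: str, filename: str) -> str:
    """Constructed test message; body and bytes are placeholders, not worm content."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "recipient@example.org"
    m["Subject"] = subject
    m.set_content("placeholder body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    suspicious = build_sample("Trojaner-Info Newsletter 01.01.2000", "YAWSETUP.EXE")
    benign = build_sample("Weekly status", "report.pdf")
    print(mail_indicators(suspicious))
    print(mail_indicators(benign))
    print(host_indicators(["NOTEPAD.EXE", "NOTEDPAD.EXE", "win.ini"]))
```

A message matching both indicators is a strong candidate for quarantine; a subject match alone may be a genuine newsletter and deserves a look at the attachment before action.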