Menu
New worm on its way through the network

New worm on its way through the network

The most annoying virus to date, the Klez.H worm, has a new worm called Yaha.E, which has become even more sophisticated in infecting and disguising computer systems.

The manufacturers of security software are currently informing the Internet community about this particularly clever virus, which is just beginning to spread on the Internet. It also spreads as an email attachment. However, it is able to generate a wide variety of subject lines, which makes identification difficult. Since the worm is integrated as a service in Windows, it cannot be identified in the task manager. Once activated, it copies itself to the trash folder on C: with a file name that it chooses at random. It then disguises itself as a screen saver and searches for virus scanners on the infected system, which it then simply deactivates. Because it has its own protocol for sending e-mails, it is independent of any installed e-mail programs. But that's not all. So the Yaha.E also manipulates the registry. There he enters himself in such a way that every time an executable file with the extension .exe is started, he himself is started beforehand. Deleting this entry is unsuccessful, however, because the virus checks every time it is started whether the registry still contains the entry and updates it if necessary.

It can spread through a security hole in Internet Explorer 5.0 and 5.5. There is a bug in its render engine, which many e-mail programs use to display HTML e-mails, which the virus exploits. Although a patch for this vulnerability is already available, not many users seem to have installed it. In order to spread further, the worm also searches all relevant files on the infected system for e-mail addresses andis automatically sent to these people without the user noticing anything. Last but not least, some good news. All of the major virus scanner manufacturers have already adapted their virus signatures so that the risk of spreading is low with appropriately protected systems.

The patch can be found here .

Comments