Dangerous Yarner worm spells bad news
Tue Feb 19,10:43 PM ET
By Robert Vamosi, ZDNet News

A dangerous worm from Germany is loose on the Internet.

Yarner (w32.yarner.a@mm) appears to be a newsletter about Trojan horses from a legitimate security site, but is actually a dangerous worm. Yarner is a Windows PE EXE file about 434K in size, written in Delphi. It uses its own e-mail engine to send copies of itself to others. Once executed, the worm deletes the Windows directory on infected computers.

At present, the infections are limited to Germany, however, a new variation could be produced in English or any other language. Because of the dangerous potential of this worm, Yarner ranks a 7 on the ZDNet Virus Meter.

How it works

Yarner arrives by e-mail and appears to be from Trojaner-Info [webmaster@trojaner-info.de]. This is a real address and is not the true origin of this e-mail. The subject of the infected e-mail reads "Trojaner-Info Newsletter [Current Date]" The body text is in German and appears to be a newsletter which translates into English as:
                           "Hello!
                           Welcome to the latest newsletter from
Trojaner-Info.de
                           Content:
                           1. YAW 2.0 - the latest version of our
porn-dialer warner
                           ****
                           1. YAW 2.0 - Our porn-dialer warner in its latest
version.
                           Our widely used Dialerwarner YAW is now available
in a brand new
                           and enhanced version. All subscribers to our
newsletter get this
                           version for free with this newsletter.
                           Just start the attached file and YAW 2.0 installs
itself.

 If there are any questions the programmer of this
unique tool is
                           available at [...]
                           Have fun with YAW!
                           http://www.trojaner-info.de/dialer/yaw.shtml
                           ****
                           That's it with the latest Trojaner-Info news,
thank you for your
                           attention and we wish all our readers a pleasant
week."
The attached file with this e-mail is yawsetup.exe.

If executed, Yarner will copy itself to the Windows directory as notedpad.exe, overwriting the system's original Notepad application (notepad.exe). Whenever you launch Notepad, Yarner uses notedpad.exe to hide its presence. The worm adds two additional files: kerneI32.daa (which the worm uses to write e-mails) and kerneI32.das (which the worm uses to write known SMTP).

The worm then changes this registry file:

       HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce[random
characters] = [random
       characters].exe

  There can be up to 100 random characters assigned to these values.

  To send e-mail, Yarner gains access to the Microsoft Outlook address book
then scans all .php, .htm,
  .shtm, .cgi, .pl files in all subdirectories, looking for additional
e-mail addresses. Yarner then uses its own
  SMTP engine (e-mail program) to send e-mails and connects to its own list
of servers, including:

       216.113.14.106
       joy-go.gr.jp
       ctripserver.ctrip.com.cn
       202.101.62.207
       cocess.cocess.co.kr
       mail.bizpoint.com.sg
       ns2.webshock.co.kr
       olympus.mda.com.tr
       linux2.ele-china.com
       mailsvr.hanace.co.kr

  After it has sent copies of itself, Yarner then deletes all files in the
Windows directory.

Prevention

Users of Microsoft Outlook 2002 and users of Outlook 2000 who have installed the Security Update should be safe from opening the attached file with Yarner. Users who have not upgraded to Outlook 2002 or who have not installed the Security Update for Outlook 2000 should do so. In general, do not open attached files in e-mail without first saving them to hard disk and scanning them with updated antivirus software. Contact your antivirus vendor to obtain the most current antivirus signature files that include Yarner.

Removal

Almost all the antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, F-Secure, Kaspersky,McAfee, Norman, Sophos, Symantec, and Trend Micro.

Back To The Study