A dangerous worm from Germany is loose on the Internet.
Yarner (w32.yarner.a@mm) appears to be a newsletter about Trojan horses from a legitimate security site, but is actually a dangerous worm. Yarner is a Windows PE EXE file about 434K in size, written in Delphi. It uses its own e-mail engine to send copies of itself to others. Once executed, the worm deletes the Windows directory on infected computers.
At present, the infections are limited to Germany, however, a new variation could be produced in English or any other language. Because of the dangerous potential of this worm, Yarner ranks a 7 on the ZDNet Virus Meter.
"Hello! Welcome to the latest newsletter from Trojaner-Info.de Content: 1. YAW 2.0 - the latest version of our porn-dialer warner **** 1. YAW 2.0 - Our porn-dialer warner in its latest version. Our widely used Dialerwarner YAW is now available in a brand new and enhanced version. All subscribers to our newsletter get this version for free with this newsletter. Just start the attached file and YAW 2.0 installs itself. If there are any questions the programmer of this unique tool is available at [...] Have fun with YAW! http://www.trojaner-info.de/dialer/yaw.shtml **** That's it with the latest Trojaner-Info news, thank you for your attention and we wish all our readers a pleasant week."The attached file with this e-mail is yawsetup.exe.
If executed, Yarner will copy itself to the Windows directory as notedpad.exe, overwriting the system's original Notepad application (notepad.exe). Whenever you launch Notepad, Yarner uses notedpad.exe to hide its presence. The worm adds two additional files: kerneI32.daa (which the worm uses to write e-mails) and kerneI32.das (which the worm uses to write known SMTP).
The worm then changes this registry file:
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce[random characters] = [random characters].exe There can be up to 100 random characters assigned to these values. To send e-mail, Yarner gains access to the Microsoft Outlook address book then scans all .php, .htm, .shtm, .cgi, .pl files in all subdirectories, looking for additional e-mail addresses. Yarner then uses its own SMTP engine (e-mail program) to send e-mails and connects to its own list of servers, including: 216.113.14.106 joy-go.gr.jp ctripserver.ctrip.com.cn 202.101.62.207 cocess.cocess.co.kr mail.bizpoint.com.sg ns2.webshock.co.kr olympus.mda.com.tr linux2.ele-china.com mailsvr.hanace.co.kr After it has sent copies of itself, Yarner then deletes all files in the Windows directory.