Yarner: Not Every Anti-Virus Is the Real McCoy

19 Feb 2002
Virus News

Kaspersky Lab, an international data-security software developer, announces the detection of the new, highly dangerous Internet worm "Yarner" that disguises itself as the anti-virus program YAW. At this time, there have been reports of mass-infection caused by this malicious program in Germany. Yarner skillfully hides under the guise of an official message from the popular German Web site that handles anti-virus security problems. Yarner spreads via e-mail in attached files. An infected e-mail has the following characteristics:
The sender's address is chosen at random from the following:
  • Trojaner-Info [the actual e-mail of the infected computer] or
  • Trojaner-Info [webmaster@trojaner-info.de]
Attachment: YAWSETUP.EXE Subject: Trojaner-Info Newsletter [infected computer's current date] Body:
Hallo !

  Willkomen zur neuesten Newsletter-Ausgabe der Webseite Trojaner-Info.de. 
  Hier die Themen im Ueberblick:

  1. YAW 2.0 - Unser Dialerwarner in neuer Version

  ************************************

  1. YAW 2.0 - Unser Dialerwarner in neuer Version
  Viele haben ihn und viele moegen ihn - unseren Dialerwarner YAW. YAW ist
  nun in einer brandneuen und stark erweiterten Version verfuegbar. Alle unsere
  Newsletterleser bekommen ihn kostenlos zusammen mit diesem Newsletter.
  Also einfach die angehaengte Datei starten und YAW 2.0 installieren. Bei Fragen
  steht Ihnen der Programmierer des bislang einzigartigen Programmes Andreas Haak
  unter andreas@ants-online.de zur Verf?gung. Viel Spa- mit YAW!

  
Should a user not exercise caution and open the attached YAWSETUP.EXE file, and should an active anti-virus not be in use, the worm launches its infecting procedures on the victim computer and begins spreading. Firstly, Yarner creates an additional file in the Windows directory with a random name (up to 100 symbols) and registers the file in the Windows system registry auto-run key. In this way, the worm is activated upon each system restart. In order to send itself via e-mail, Yarner obtains access to the MS Outlook address book and scans all .PHP, .HTM, .SHTM, .CGI, .PL files in the Windows directory, and gets e-mail addresses from there. This information is copied to the files KERNEI32.DAA and KERNEI32.DAS. Following this, the worm connects to a remote SMTP server, through which the worm sends its copies. Yarner has exceptionally dangerous and destructive features. In one in ten cases, after having sent its e-mail copies, the worm destroys all data and information on an infected computer. "Trojaner-Info, supposedly in whose name the infected messages are sent, is a popular German resource for solving anti-virus security problems. This service has no relationship whatsoever to this current epidemic. What is occurring now simply confirms once again that an e-mail address and a message text can be easily falsified, and with the use of this trick, a user has a malicious program thrust upon him or herself," commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. In connection with the latest epidemic, Kaspersky Lab once again recommends that users be absolutely careful when dealing with attached files, even if they have purportedly arrived from an anti-virus developer. Defense procedures thwarting the Yarner Internet worm have already been added to the Kaspersky Anti-Virus database. More detailed information pertaining to I-Worm.Yarner can be found in the Kaspersky Virus Encyclopedia.