Re: Virus? Trojan?
From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Mon Dec 30 2002 - 21:00:15 EST

gillettdavid@fhda.edu wrote:
> So far today, I've received two email messages from

One of the new Yaha variants is quite widespread right at the moment. Many scanners detect it as Yaha.K, but some suggest it is another variant, and I'm fairly sure it is what MessageLabs has listed as Yaha.M.

Anyway, we have seen cases of this being missed entirely by "block PE executable" type policies at some content filtering gateways because of faults in the gateway scanner's assumptions about MIME attachments (although these assumptions are based on correct interpretation of the relevant RFCs, virus writers and popular Email clients do not pay too slavish attention to RFC details...).

I have also heard that (some versions of) NAV were missing this variant if updated via the auto-update method but then magically detect the virus if a manual update was forced.

Anyway, a normal copy of Yaha.K is 34,304 bytes and more of the filenames in the list it selects its "infected" Email message's attachment name from are .SCR types than any other -- about 3 to 1 -- so the odds are high it will come as an SCR attachment.

I'd say the odds are good that you have been seeing a Yaha variant and probably Yaha.K. MessageLabs 24 hour reports show Yaha.M currently running second to Klez.H and well ahead of the rest of the pack and several vendors have raised alerts about the rate at which this is spreading.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

Received on Thu Jan 2 12:23:19 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT
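
An added example, not part of the original post or of any product it mentions: a gateway-side check that classifies each MIME part by its decoded bytes (MZ/PE header) and by whatever filename it carries, rather than by the declared Content-Type. The sample message, the names `is_pe` and `scan`, and the extension list are constructed for illustration; the post does not say which MIME assumptions the affected gateways got wrong.

```python
import base64
import os
import struct
from email import message_from_bytes

# Assumed policy list for this example; tune to local policy.
RISKY_EXT = {".scr", ".exe", ".pif", ".com", ".bat"}

def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew field
    return data[off:off + 4] == b"PE\0\0"

def scan(raw: bytes):
    """Return (filename, declared type, reasons) for every suspicious leaf part."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        # get_filename() falls back to the Content-Type "name" parameter
        # when there is no Content-Disposition header at all.
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        reasons = []
        if is_pe(body):
            reasons.append("pe-header")
        if os.path.splitext(name.lower())[1] in RISKY_EXT:
            reasons.append("extension")
        if reasons:
            hits.append((name, part.get_content_type(), reasons))
    return hits

# Constructed sample: minimal MZ/PE stub (not a working program) sent as
# "audio/x-wav" with the filename only in the Content-Type name parameter.
stub = bytearray(0x44)
stub[0:2] = b"MZ"
stub[0x3C:0x40] = struct.pack("<I", 0x40)
stub[0x40:0x44] = b"PE\0\0"
SAMPLE = (
    b'MIME-Version: 1.0\n'
    b'Content-Type: multipart/mixed; boundary="b1"\n\n'
    b'--b1\nContent-Type: text/plain\n\nhello\n'
    b'--b1\nContent-Type: audio/x-wav; name="sample.scr"\n'
    b'Content-Transfer-Encoding: base64\n\n'
    + base64.b64encode(bytes(stub)) + b'\n--b1--\n'
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```
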