Threat Upgraded as Yaha Worm Spreads
Hanging on through the New Year, the threat of the Yaha computer virus has been upgraded.
Originally found on Dec. 21 in Kuwait, the virus, detected with several variants, has begun spreading more rapidly and widely around the world. Yaha.K (also known as W32/Yaha.k and W32.yaha.L@mm) is a mass-mailing worm that propagates through email using its own email engine.
Anti-virus vendors are warning of a new version of the worm and a few have upgraded its threat level. MessageLabs rates it as a 'high risk' and Symantec has upgraded it from a Level 1 threat to a Level 2.
And the security analysts at MessageLabs say the new virus strains are leading to a naming confusion that's hampering anti-virus vendors' ability to fight the Yaha worm.
"The release strategy chosen by the authors of the Yaha virus has created chaos with the naming conventions used by the anti-virus industry, causing problems for vendors and consumers alike," say MessageLabs analysts in a written statement. "The first problem was caused by releasing several variants of the virus in a short space of time... So, one anti-virus vendor may discover a new variant and assign it the letter C. Meanwhile, a different anti-virus vendor may discover a different new variant, and also assign it the letter C."
The worm was originally confined mainly to the Middle East but has started rapidly spreading around the globe, causing several anti-virus vendors to up its threat level status.
MessageLabs notes that as of noon EST on Jan. 2, it had stopped more than 36,272 cases of the Yaha worm in about 100 countries. The countries hardest hit, so far, are the Netherlands, Great Britain and Canada.
The Yaha worm attacks Windows systems (Windows 95, 98, NT, 2000, XP and ME) and it also can retrieve addresses from Yahoo Messenger, MSN Messenger and .Net Messenger service directories. Anti-virus vendors warn that it shows up in victims' inboxes with any one of dozens of subject lines, including 'Free Demo Game' and 'XXX Screensavers For You'.
The 'From' addresses are forged and the message is an attachment with a randomly generated name.
To block the worm, according to a warning from F-Secure, strip attachments ending with .SCR, .EXE and .COM at the firewall.
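The extension filter described above, applied to a single message the way a mail gateway would, using Python's standard email package. This is an added example, not code from F-Secure or the original article; the function names, addresses and sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the F-Secure advice quoted above.
BLOCKED_EXTENSIONS = (".scr", ".exe", ".com")

def is_blocked(filename):
    """True if the attachment name ends in a blocked extension."""
    if not filename:
        return False
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs as .exe.
    return filename.strip().rstrip(". ").lower().endswith(BLOCKED_EXTENSIONS)

def _strip(part, removed):
    """Recursively drop blocked children of a multipart container."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename()  # decodes RFC 2231 names; falls back to Content-Type name=
        if is_blocked(name):
            removed.append(name)
            continue
        _strip(child, removed)
        kept.append(child)
    part.set_payload(kept)

def strip_blocked_attachments(raw_bytes):
    """Parse one raw message, remove blocked parts, return (message, removed names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    _strip(msg, removed)
    return msg, removed

def build_sample():
    """Constructed sample: one blocked and one harmless attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Free Demo Game"
    msg.set_content("See attachment.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="demo.txt.SCR")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
```

The match is on the final extension only, so a double-extension name such as demo.txt.SCR is still caught. A message whose sole body part is itself the executable, with no multipart container, is not handled here and would need to be rejected outright.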