<html>  <head>  <meta name="description" content="Sophos virus analysis">  <meta name="keywords" content=" W32/Yaha-K Yaha-M yahak sophos anti-virus anti virus antivirus sweep viruses">  <title>Sophos virus analysis: W32/Yaha-K</title>  <!-- SOPHOS Head: start --><meta name="MSSmartTagsPreventParsing" content="TRUE">  <script type="text/javascript" src="/javascript/frameworkpreload.js"></script>  <script type="text/javascript" src="/javascript/basic.js"></script>  <link href="/sophos/styles/sophos.css" rel="stylesheet" type="text/css">  <link href="/sophos/styles/menu.css" rel="stylesheet" type="text/css">   <!-- SOPHOS Head: end -->  </head>
<BODY background="/images/eng/framework/background-1600.gif" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0" bgcolor="#FFFFFF">   <a name="top"></a>
<table summary="" width="668" border="0" cellpadding="0" cellspacing="0">  <tr>  <td width="500" valign="top" colspan="12"><!-- Start subheading -->  <table summary="" border="0" cellpadding="0" cellspacing="0" width="491">  <tr>  <td 
width="100%" align="right" valign="top"><img src="/images/common/interface/linepointleft.gif" width="480" height="11" border="0" alt=""></td>  </tr>  </table>    <br>   <!-- End subheading -->
<table summary="" border="0" cellpadding="8" width="100%">  <tr>  <td width="100%" valign="top">   <!-- SOPHOS Header: end -->
<table border="0" cellpadding="3" cellspacing="3" width="100%">
<tr><td><h3>W32/Yaha-K</h3></td></tr>
<tr><th class="DividerStandard" align="left" nowrap="nowrap">Alias </th></tr>
<tr><td>Yaha-M</td></tr>
<tr><td><img src="/images/common/interface/spacer.gif" width="1" height="1"></td></tr>
<tr><th class="DividerStandard" align="left" nowrap="nowrap">Type </th></tr>
<tr><td><a href="/virusinfo/articles/glossary.html#w32worm">Win32 worm</a></td></tr>
<tr><td><img src="/images/common/interface/spacer.gif" width="1" height="1"></td></tr>
<tr><th class="DividerStandard" align="left" nowrap="nowrap">Detection</th></tr>
<tr><td>Detected by Sophos Anti-Virus since December 2002.</td></tr>
<tr><td><img src="/images/common/interface/spacer.gif" width="1" height="1"></td></tr>
<tr><th class="DividerStandard" align="left" nowrap="nowrap">Description </th></tr>
<tr><td><p>W32/Yaha-K creates three files in your system folder: WinServices.exe, nav32_loader.exe and tcpsvc32.exe. All of these files are exact copies of the worm. </p>
<p>W32/Yaha-K adds the following entries to your registry so that WinServices.exe is run every time you start the computer or log on to the network. 
</p> <p>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winservices<br>="%SYSFOLDER%\WinServices.exe" </p>
<p>HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winservices<br>="%SYSFOLDER%\WinServices.exe" </p>
<p>W32/Yaha-K also sets the following registry key: </p>
<p>HKCR\CLASSES\exefile\shell\open\command\(Default)<br>=""%SYSFOLDER%\nav32_loader.exe" "%1" %*" </p>
<p>This means that W32/Yaha-K is run every time you launch an EXE program (executable file). </p>
<p>An additional copy of the worm may also appear in the system folder under one of the following names:<br><tt>Be_Happy.scr<br>Best_Friend.scr<br>colour_of_life.scr<br>dance.scr<br>Friend_Finder.exe<br>Friend_Happy.scr<br>friendship.scr<br>friendship_funny.scr<br>funny.scr<br>GC_Messenger.exe<br>hotmail_hack.exe<br>I_Like_You.scr<br>life.scr<br>love.scr<br>shake.scr<br>Sweet.scr<br>True_Love.scr<br>world_of_friendship.scr</tt> </p>
<p>Once launched, W32/Yaha-K stays resident in memory as a process that is not visible in the task list. 
The worm actively protects itself against anti-virus software, for example by taking the following measures: </p>
<p><ul><li>it automatically restores the value of the "exefile" association as soon as you edit the system registry</li><br><li>it disables a whole set of anti-virus, firewall and internet-service programs by matching process names against the following list:</li><br><tt>_AVP32, _AVPCC, _avpm, ACKWIN32, ALERTSVC, AMON.EXE, ANTIVIR, ATRACK, AVCONSOL, AVP.EXE, AVPCC.EXE, AVPM.EXE, AVSYNMGR, CFINET, CFINET32, ESAFE.EXE, F-AGNT95, F-PROT95, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUCOMSERVER, MCAFEE, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NISSERV, NORTON, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW, PVIEW95, REGEDIT, RESCUE32, RMVTRJANSAFEWEB, SCAN32, SWEEP95, SYMPROXYSVC, TDS2-98, TDS2-NT, Vet95, VETTRAY, VSECOMR, VSHWIN32, VSSTAT, WEBSCANX, WEBTRAP, ZONEALARM</tt></ul> </p>
<p>W32/Yaha-K arrives in an email that can have any of a large number of subject lines, message bodies and attachments. In addition, the sender's address may be forged. 
</p> <p>The subject line of the email is chosen at random from the following list:<br><tt>Are you a Soccer Fan ?<br>Are you beautiful<br>Are you in Love<br>Are you looking for Love<br>Are you the BEST<br>Check it out<br>Check this shit<br>Check ur friends Circle<br>Demo KOF 2002<br>Feel the fragrance of Love<br>Find a good friend<br>Freak Out<br>Free Demo Game<br>Free rAVs Screensavers<br>Free Screenavers of Love<br>Free Screensavers<br>Free Screensavers 4 U<br>Free Win32 API source<br>Free XXX<br>Hardcore Screensavers 4 U<br>Hello<br>hey check it yaar<br>Hi<br>How sweet this Screen saver<br>I am in Love<br>I Love You<br>I Love You..<br>Jenna 4 U<br>Learn How To Love<br>Learn SQL 4 Free<br>Let's Dance and forget pains<br>Looking for Friendship<br>love speaks from the heart<br>Lovers Corner<br>make ur friend happy<br>Need a friend?<br>Need money ??<br>One Hacker's Love<br>One Virus Writer's Story<br>Patch for Elkern.gen<br>Patch for Klez.H<br>Play KOF 2002 4 Free<br>Project<br>Sample KOF 2002<br>Sample Playboy<br>Sample Screensavers<br>Say 'I Like You' To ur friend<br>Screensavers from Club Jenna<br>Sexy Screensavers 4 U<br>Shake it baby<br>The Hotmail Hack<br>The King of KOF<br>The world of Friendship<br>Things to note<br>to ur friends<br>to ur lovers<br>True Love<br>U realy Want this<br>Visit us<br>Wanna be a HE-MAN<br>Wanna be friends ?<br>Wanna be friends ??<br>Wanna be like a stone ?<br>Wanna be my sweetheart ??<br>Wanna Brawl ??<br>Wanna Hack ??<br>Wanna Rumble ??<br>war Againest Loneliness<br>We want peace<br>Whats up<br>Who is ur Best Friend<br>Who is your Valentine<br>World Tour<br>Wowwwwwwwwwww check it<br>WWE Screensavers<br>XXX Screensavers 4 U<br>You are so sweet</tt> </p>
<p>The message body is chosen at random from the following texts:<br>"hey,<br>did u always dreamnt of hacking ur friends hotmail account..<br>finally i got a hotmail hack from the internet that really works..<br>ur my best friend thats why sending to 
u..<br>check it..just run it..enter victim's address and u will get the pass." </p> <p>"hi,<br>check the attached love screensaver<br>and feel the fragrance of true love.." </p> <p>"Hi,<br>check the attached screensaver..<br>its really wonderfool..<br>i got it from freescreensavers.com" </p> <p>"Hi,<br>check ur friends circle using the attached friendship screensaver..<br>check the attached screensaver<br>and if u like it send it to all those you consider<br> to be true friends... if it comes back to you then<br> you will know that you have a circle of friends.." </p> <p>"Hi,<br>check the attached screensaver<br>and enjoy the world of friendship.." </p> <p>"Hi,<br>are u in a rocking mood...<br>check the attached scrennsaver and start shaking.." </p> <p>"Hi,<br>Check the attached screensaver.." </p> <p>"Hi,<br>Are you lonely ??.. <br>check the attached screensaver and <br>forget the pain of loneliness" </p> <p>"Hi,<br>Looking for online pals.. <br>check the attached friend finder software.." </p> <p>"Hi,<br>sending you a screensaver..<br>check it and let me know how it is..." </p> <p>"Hi,<br>Check the attached screensaver<br>and feel the fragrance of true love..." </p> <p>"Hey,<br>I just got this wonderfull screensaver from freescreensaver.com..<br>Just check it out and let me know how it is.." </p> <p>"Hi,<br>I just came across it.. check out..<br> =====================================================<br>Are you one of those unfortunate human beings who are desperately<br>looking for friends.. but still not getting true friends with whom<br>you can share your everything.. </p> <p>anyway you wont feel down any more cause GC Chat Network has brought<br>up a global chat and online match making system using its own GC <br>Messenger. 
Attached is the fully functional free version of GC<br>Instant Messenger and Match Making client..<br>Just install, register an account with us and find thousands of online<br>pals all over the world..<br>You can also search for friends by specific country,city,region etc. </p> <p>Regards Admin,<br>GC Global Chat Network System.." </p> <p>"Hi,<br>So you think you are in love.. <br>is it true love ? you may think right now that you are in<br>true love but it is certainly possible that it is nothing<br>but a mere infatuation to you.. </p> <p>anyway to know yourself better than you have ever known check<br>the attached screensaver and feel the fragrance of true love.." </p> <p>"Hey pal,<br>you know friendship is like a business...<br>to get something you need to give something..<br>though its not that harsh as business but to<br>get love and care from your friends you need to give<br>love,care and respect to your friends.. right </p> <p>check the attached screensaver and you will learn how to<br>make your friends happy.." </p> <p>"Hi,<br>Its quite obvious that in our life we have numerous friends<br>but.. BUT Best Friend can only be ONE.. right <br>so can you decide who is your best friend <br>i guess not.. cause mostly you will find that your best friend<br>wont care about u like somebody else.. </p> <p>anyway i found one way to find who is my best friend..<br>check it.. <br>just check the attached screensaver.. answer some questions<br>in it and also ask your best friend to answer the questions.. </p> <p>..then you will know more about him.." </p> <p>"Hey pal,<br>wanna have some fun in life... <br>feel like life is too boring and monotonous..<br>check the attached screensaver and bring colours<br>to your black & white life.. :)" </p> <p>"Hi,<br>I just came across this funny screensaver..<br>sending it to u.. 
hope u like it..<br>check out and die laughing..:)" </p> <p>"&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt; </p> <p>This E-Mail is never sent unsolicited. If you receive this<br>E-Mail then it is because you have subscribed to the official<br>newsletter at the KOF ONLINE website. </p> <p>King Of Fighters is one of the greatest action game ever made.<br>Now after the mind boggling sucess of KOF 2001 SNK proudly <br>presents to you KOF 2002 with 4 new charecters. </p> <p>Even though we need no publicity for our product but this<br>time we have decided to give away a fully functional trial <br>version of KOF 2002. So check out the attached trialversion<br>of KOF 2002 and register at our official website to get a free<br>copy of KOF2002 original version </p> <p>Best Regards,<br>Admin,KOF ONLINE.. </p> <p>&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;&lt;&lt;&lt;&lt;&lt;&gt;&gt;&gt;&gt;&gt;" </p> <p>"Hello,<br>I just came across your email ID while searching in the Yahoo profiles.<br>Actually I want a true friend 4 life with whom I can share my everything.<br>So if you are interested in being my friend 4 life then mail me. </p> <p>If youwanna know about me, attached is my profile along with some of my<br>pics. You can check and if you like it then do mail me.<br>I will be waiting for your mail. </p> <p>Best Wishes,<br>Your Friend.." </p> <p>"Hello,<br>Looking for some Hardcore mind boggling action ?<br>Install the attached browser software and browse<br>across millions of paid hardcore sex sites for free.<br>Using the software you can safely and easily browse<br>across most of the hardcore XXX paid sites across the<br>internet for free. 
Using it you can also clean all<br>traces of your web browsing from your computer. </p> <p>Note:The attached browser software is made exclusivley<br>for demo only. You can use the software for a limited<br>time of 35 days after which you have to register it<br>at our official website for its furthur use. </p> <p>Regards,<br>Admin." </p> <p>"Klez.H is the most common world-wide spreading worm.It's very dangerous by <br>corrupting your files. </p> <p>Because of its very smart stealth and anti-anti-virus technic,most common AV <br>software can't detect or clean it. </p> <p>We developed this free immunity tool to defeat the malicious virus. </p> <p>You only need to run this tool once,and then Klez will never come into your PC" </p> <p>"Hello,<br>The attached product is send as a part of our official campaign<br>for the popularity of our product.<br>You have been chosen to try a free fully functional sample of our<br>product.If you are satified then you can send it to your friends.<br>All you have to do is to install the software and register an account<br>with us using the links provided in the software. Then send this software<br>to your friends using your account ID and for each person who registers<br>with us through your account, we will pay you $1.5.Once your account reaches<br>the limit of $50, your payment will be send to your registration address by<br>check or draft. </p> <p>Please note that the registration process is completely freewhich means<br>by participating in this program you will only gain without loosing anything. 
</p> <p>Best Regards,<br>Admin," </p>
<p>The attachment containing the worm can have one of the following file names: </p>
<p><tt>Be_Happy.scr<br>Beautifull.scr<br>Best_Friend.scr<br>Body_Building.scr<br>Britney_Sample.scr<br>Codeproject.scr<br>colour_of_life.scr<br>Cupid.scr<br>dance.scr<br>FixElkern.com<br>FixKlez.com<br>FreakOut.exe<br>Free_Love_Screensavers.scr<br>Friend_Finder.exe<br>Friend_Happy.scr<br>friendship.scr<br>friendship_funny.scr<br>funny.scr<br>GC_Messenger.exe<br>Hacker.scr<br>Hacker_The_LoveStory.scr<br>Hardcore4Free.scr<br>hotmail_hack.exe<br>I_Like_You.scr<br>I_Love_You.scr<br>Jenna_Jemson.scr<br>King_of_Figthers.exe<br>KOF.exe<br>KOF_Demo.exe<br>KOF_Fighting.exe<br>KOF_Sample.exe<br>KOF_The_Game.exe<br>KOF2002.exe<br>life.scr<br>Love.scr<br>love.scr<br>My_Sexy_Pic.scr<br>MyPic.scr<br>MyProfile.scr<br>Notes.exe<br>Peace.scr<br>Playboy.scr<br>Plus2.scr<br>Plus6.scr<br>Project.exe<br>Ravs.scr<br>Real.scr<br>Romantic.scr<br>Romeo_Juliet.scr<br>Screensavers.scr<br>Services.scr<br>Sex.scr<br>Soccer.scr<br>Sexy_Jenna.scr<br>shake.scr<br>Stone.scr<br>Sweet.scr<br>Sweetheart.scr<br>The_Best.scr<br>THEROCK.scr<br>True_Love.scr<br>up_life.scr<br>Valentines_Day.scr<br>VXer_The_LoveStory.scr<br>Ways_To_Earn_Money.exe<br>world_of_friendship.scr<br>World_Tour.scr<br>xxx4Free.scr<br>zDenka.scr<br>zXXX_BROWSER.exe</tt> </p>
<p>The email may contain a From field built from two lists. 
The name is taken from the first list and the email address from the second, according to the position of the name in the first list: </p>
<p><b>"Names"</b><br><tt>admin@hackers.com<br>admin@hackersclub.com<br>admin@viruswriters.com<br>American Beauty<br>Benting<br>britneyspears.org<br>Cathy Kindergarten<br>Clark Steel<br>Club Jenna<br>Codeproject<br>Cupid<br>Hardcore Screensavers<br>Iori Yagami<br>Jasmine Stevens<br>Jaucques Antonio Barkinstein<br>Jenna Jameson<br>Jericho<br>John Vandervochich<br>Jonathan<br>Keanu Stevenson<br>Klein Anderson<br>KOF Online<br>Kyo Kusanagi<br>Love Inc.<br>Lovers Screensavers<br>McAfee Inc.<br>me2K<br>Nicolas Schwarzeneggar<br>Nomadic Screensavers<br>Noopman<br>Norton Antivirus<br>Omega Rugal<br>Paul Owen<br>Playboy Inc.<br>Plus 2<br>Plus 6<br>Ralph Jones<br>Raveena Pusanova<br>Real Inc.<br>Rocking Stone<br>Romantic Screensavers<br>Romeo & Juliet<br>Ross Anderson<br>Screensavers of Love<br>Sexy Screensavers<br>SQL Library<br>Super Soccer<br>Susan<br>Terry Bogard<br>The Rock<br>Trend Micro<br>Valentine Screensavers<br>Veronica Anderson<br>XXX Screensavers<br>Zdenka Podkapova<br>zporNstarS</tt> </p>
<p><b>"Email addresses"</b><br><tt>admin@clubjenna.com<br>admin@codeproject.com<br>admin@kofonline.com<br>admin@zpornstars.com<br>av_patch@mcafee.com<br>av_patch@norton.com<br>av_patch@trendmicro.com<br>btq@263.com<br>caijob@online.sh.cn<br>cathy@21cn.com<br>cupid@freescreensavers.com<br>DNA_seraph@163.com<br>ericpan@online.com.pk<br>free@hardcorescreensavers.com<br>free@sexyscreensavers.com<br>free@sql.library.com<br>free@xxxscreensavers.com<br>hamada@seikosangyo.com 
<br>jenna@jennajameson.com<br>kkn@k2k.com<br>screensavers@nomadic.com<br>kl@aminoprojects.com<br>love@lovescreensavers.com<br>loverscreensavers@love.com<br>lubing@7135.com<br>luoairong@21cn.com<br>marketing@suppersoccer.com<br>me@me2K.com<br>newsletters@britneyspears.org<br>nics@nomadic.com<br>paul@kqscore.com<br>plus@real.com<br>ravs@go2pussy.com<br>romanticscreensavers@love.com<br>sales@playboy.com<br>sales@real.com<br>samsun@online.sh.cn<br>screensavers@lovers.com<br>services@tcsonline.com<br>stone@esterplaza.com<br>super@21cn.com<br>therock@wwe.com<br>valentinescreensavers@t2k.com<br>yjworks@online.sh.cn<br>zdenka@zpornstars.com<br>zhouyuye@citiz.net</tt> </p>
<p>The user does not need to double-click the attachment to become infected, because the worm can exploit a security vulnerability in Microsoft Internet Explorer, Outlook and Outlook Express. To prevent reinfection, users of Microsoft Outlook and Outlook Express should install the following Microsoft patch:<br><a href="http://www.microsoft.com/technet/security/bulletin/MS01-027.asp" target="Microsoft">http://www.microsoft.com/technet/security/bulletin/MS01-027.asp</a><br>(This patch addresses a number of vulnerabilities in Microsoft software, including the one exploited by this worm.) </p>
<p>On 25 March and 22 May, the virus may display a message box containing the text <tt>"Happy Birthday Dear"</tt>. The mouse buttons may also be swapped. 
</p> <p>On Thursdays W32/Yaha-K carries out the following three actions:<br><ul><li>sets the hidden attribute on all files and folders in the Personal shell folder, usually My Documents</li><br><li>creates a text file named aYerHS.txt on the Desktop containing one of the following five messages:</li><br>"==================================================<br>W32.@YerH$.B,Made in India,<br>wE aRe thE greAt iNdIaNs..<br>----------------------------<br>aBouT mE :<br>jUst a c0mputEr gEEk..<br>i tHinK i aM sTill a sCripT kiddiE..<br>eDucAtiOn : sCh00l sTudEnt..<br>aBouT @YerH$.B:<br>n0 dEstrucTivE paYload$ f0r inFecTeD c0mpUteRs.<br>teRminAtioN oF aV + FireWaLL f0r sUrvIvaL.<br>tImE dEfiNed tRigErRinG.. jUst f0r fUn.. n0 paYloaD.<br>c0ntAinS bUg iN rEpliCation c0de.. no tIme t0 fiX.<br>g0nNa fiX iT iN nExt rElEase..<br>n0 m0rE $hiT<br>===================================================" </p>
<p>"==================================================<br>W32.@YerH$.B,Made in India,<br>wE aRe thE greAt iNdIaNs..<br>----------------------------<br>spEciAl 10x to c0bra..<br>f0r inSpirAtIon + c0dIng hElp..<br>==================================================" </p>
<p>"=================================================<br> W32.@YerH$.B,Made in India<br> wE aRe thE greAt iNdIaNs..<br> ----------------------------<br> wAnT peAce aNd pr0speRity in InDiA ?..<br>f**k tHe c0rruptEd p0litiCian$..no shit$ nEEdeD..<br>mErA bhAraT mAhaN ??.. 
n0t yeT..wE nEEd t0 mAkE iT..<br>talenT & hArd w0rK shOulD be rEspEctEd..<br>sElf stYleD a**H***$ mUsT bE eLimInatEd....<br>n0 m0re $hiT m0n0p0lY..<br> =================================================" </p>
<p>"=================================================<br>W32.@YerH$.B,Made in India.<br>wE aRe thE greAt iNdiAnS.<br>----------------------------<br>iNdiAn hAckeRs + vXerS teAm up...<br>aNd kicK lamEr a**<br>no m0re pAk shIT..<br>itZ oUr tiMe to shOw tHem, the p0wer of teaM w0rk.<br>f**k AIC,GFORCE,SILVERLORDS,WFD..f*****g k1dd1es..<br>no sHit bUsineSS iN heRe aNd<br>nO lamE stuFF..<br>=================================================" </p>
<p>"==================================================<br>r0xx pReSaNt$ W32.@YerH$.B (all r1ght$ re$erv3d.. ;) )<br>w3 aRe tHe gRe@t 1nD1aN$..<br>------------------------------------------------------<br>m@iN mIssIoN iS t0 sPreAd tHe nAmE @YerH$<br>s00 mUch t0 c0me..<br>iNclUdEd DDoS c0mp0neNtS c@usE oF sHiT p@kI l@meRs<br>eXp3ct th3 uNeXp3ctEd<br>dEdic@t3d t0 : mY b3$t fRi3nD<br> ==================================================" </p>
<p><li>changes the default Internet Explorer home page, through the registry entry HKLM\Software\Microsoft\Internet Explorer\Main, to one of the following websites: <tt>www.hrvg.tk, www.hackersclub.up.to, geocities.com/snak33ys, www.unixhideout.com, www.hirosh.tk, www.neworder.box.sk, www.blacksun.box.sk, www.coderz.net, www.hackers.com/html/neohaven.html, www.ankitfadia.com.</tt></li></ul> </p>
<p>Finally, W32/Yaha-K carries out a denial-of-service attack against the Pakistani government website <tt>infopak.gov.pk</tt>.</p></td></tr>
<tr><td><img src="/images/common/interface/spacer.gif" width="1" height="1"></td></tr>
<tr><th class="DividerStandard" align="left" nowrap="nowrap"> Recovery </th></tr>
<tr><td><p>Please read the instructions for <a href="/support/disinfection/yaharemove.html">disinfecting W32/Yaha-E, K and L</a>.</p></td></tr>  <tr><td><img 
src="/images/common/interface/spacer.gif" width="1" height="1"></td></tr>  </table>    <!-- SOPHOS Footer: start --></td></tr></table>  </td>  </tr>  </table>   <!-- SOPHOS Footer: end -->  </BODY>  </html> 
