K Strain of Yaha Worm Causes Headaches

Two major anti-virus vendors upgraded the threat level on a variant of the Yaha virus as the mass-mailing worm spilled outside of its original range in the Middle East and Europe into the United States.

Symantec boosted the K strain of the Yaha virus from Category 2 to Category 3 on its five-level threat classification system. McAfee upgraded the K strain to a "Medium" threat.

Yaha K, which has also gone by the strain letter M, spreads as a 34-KB attachment on messages with varying subject and attachment names and message body texts. It spreads through e-mail using its own internal SMTP client, which searches the Windows registry for an SMTP server or uses one from a list contained in the worm itself, according to Sophos.

Yaha can take addresses from the Windows Address Book, MSN Messenger, .NET Messenger Services, Yahoo! Pagers and all files with extensions containing the letters HT, according to Symantec.

The worm terminates anti-virus and other security-related processes, while launching a denial-of-service attack against a Pakistani target server that is hard-coded into the worm, McAfee's description of the worm says.

The original version of Yaha appeared in March, according to MessageLabs Ltd.'s Web site. Different packages containing a J variant went out in December, causing confusion among anti-virus vendors and customers about whether systems were protected, MessageLabs experts contend. Meanwhile, the most virulent strain yet, Yaha K, which was different from the three J versions, was first stopped by MessageLabs on Dec. 21 in Kuwait. MessageLabs stoppage activity involving Yaha K peaked on Monday at more than 8,000, and the company has stopped the worm 37,463 times since Dec. 21.

Those volumes are substantially lower than Klez and Bugbear at their peak. For example, in the last 24 hours, according to the MessageLabs site, the A-V vendor stopped Klez 14,715 times compared to 6,560 times for Yaha K.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

  • Most Microsoft Retail Locations To Shut Down

    Microsoft is pivoting its retail operations to focus more on online sales, a plan that would mean the closing of most physical Microsoft Store locations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.