K Strain of Yaha Worm Causes Headaches

Two major anti-virus vendors upgraded the threat level on a variant of the Yaha virus as the mass-mailing worm spilled outside of its original range in the Middle East and Europe into the United States.

Symantec boosted the K strain of the Yaha virus from Category 2 to Category 3 on its five-level threat classification system. McAfee upgraded the K strain to a "Medium" threat.

Yaha K, which has also gone by the strain letter M, spreads as a 34-KB attachment on messages with varying subject and attachment names and message body texts. It spreads through e-mail using its own internal SMTP client, which searches the Windows registry for an SMTP server or uses one from a list contained in the worm itself, according to Sophos.

Yaha can take addresses from the Windows Address Book, MSN Messenger, .NET Messenger Services, Yahoo! Pagers and all files with extensions containing the letters HT, according to Symantec.

The worm terminates anti-virus and other security-related processes, while launching a denial-of-service attack against a Pakistani target server that is hard-coded into the worm, McAfee's description of the worm says.

The original version of Yaha appeared in March, according to MessageLabs Ltd.'s Web site. Different packages containing a J variant went out in December, causing confusion among anti-virus vendors and customers about whether systems were protected, MessageLabs experts contend. Meanwhile, the most virulent strain yet, Yaha K, which was different from the three J versions, was first stopped by MessageLabs on Dec. 21 in Kuwait. MessageLabs stoppage activity involving Yaha K peaked on Monday at more than 8,000, and the company has stopped the worm 37,463 times since Dec. 21.

Those volumes are substantially lower than Klez and Bugbear at their peak. For example, in the last 24 hours, according to the MessageLabs site, the A-V vendor stopped Klez 14,715 times compared to 6,560 times for Yaha K.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • The Case for In-Application Backups

    Application-integrated backup tools should never replace conventional backups, but they have their place.

  • Microsoft Uniting OneDrive and SharePoint Admin Portals Next Month

    Microsoft is converging its OneDrive and SharePoint Admin Center management portals, with a consolidated portal expected to arrive for Microsoft 365 subscribers "through February."

  • Phishing Tops Concerns in Microsoft Study of Remote Work

    Potential phishing attacks were a top concern of most IT security professionals when organizations switched to remote-work conditions early last year.

  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

comments powered by Disqus