McAfee for Small Businesses

・W32/Yaha.p@MMは、電子メールとネットワーク共有で繁殖します。このワームは内蔵されたSMTPエンジンを使用して、電子メールメッセージを作成します。特定のプロセス（ウイルス対策、セキュリティ関連）が実行中の場合は終了させます。リモートマシン（ターゲットマシンはワームにハードコード化されています）に対してサービス拒否攻撃を仕掛けるコードを含んでいます。

ネットワークを介した繁殖

・W32/Yaha.p@MMはリモートの共有にある特定のフォルダ（ワームにハードコード化されています）のWIN.INIファイルを検索します（テストでは、マップ済みのネットワークドライブのみを検索しました）。WIN.INIファイルが存在する場合は、ワームはそのフォルダにREG32.EXEというファイル名で自身をコピーし、WIN.INIファイルに次のフックを追加します。

• [windows]
  run=REG32.EXE

・以下のフォルダを検索します。

• \WINDOWS\WIN.INI
• \WIN98\WIN.INI
• \WIN95\WIN.INI
• \WINNT\WIN.INI
• \WIN\WIN.INI
• \WINME\WIN.INI
• \WINXP\WIN.INI

・また、リモートネットワークドライブの以下のフォルダも検索します（テストでは、マップ済みのドライブのみを検索しました）。

・WIN.INIファイルが上記のフォルダに存在する場合は、ワームはMSREGSCANNER.EXEというファイル名で自身のコピーを作成します。

大量メール送信

・W32/Yaha.p@MMは、さまざまな件名、ファイル名、本文の電子メールメッセージで届きます。これらの件名、ファイル名、本文は、ワームの本体に内蔵されています。ワームのコードをみると、これまでに発見されたW32/Yahaの亜種と同様に送信者アドレスを偽造するようです。送信者の電子メールアドレスには以下のアドレスを使用します。

• admin@clubjenna.com
• admin@codeproject2.com
• admin@hackers2.com
• admin@hackersclub2.com
• admin@kofonline2.com
• admin@zpornstars.com
• av_patch@mcafee.com
• av_patch@norton.com
• av_patch@trendmicro.com
• btq@2632.com
• caijob@online.sh.cn
• cathy@21cn.com
• cupid@freescreensavers.com
• DNA_seraph@163.com
• ericpan@online.com.pk
• free@hardcorescreensavers.com
• free@sexyscreensavers.com
• free@sql.library.com
• free@xxxscreensavers.com
• hamada@seikosangyo.com
• jenna@jennajameson.com
• kkn@k2k.comscreensavers@nomadic.com
• kl@aminoprojects.com
• love@lovescreensavers.com
• loverscreensavers@love.com
• lubing@7135.com
• luoairong@21cn.com
• marketing@suppersoccer.com
• me@me2K.com
• newsletters@britneyspears.org
• nics@noma.com
• paul@kqscore2.com
• plus@real.com
• ravs@go2pussy.com
• romanticscreensavers@love.com
• sales@playboy.com
• sales@real.com
• samsun@online.sh.cn
• screensavers@lovers.com
• services@tcsonline2.com
• stone@esterplaza.com
• super@21cn.com
• therock@wwe.com
• valentinescreensavers@t2k.com
• yjworks@online.sh.cn
• zdenka@zpornstars.com
• zhouyuye@citiz.net

・以下の件名、添付ファイル名、本文を使用します。

件名

• Are you a Soccer Fan ?
• Are you beautiful
• Are you in Love
• Are you looking for Love
• Are you the BEST
• Check it out
• Check this shit
• Check ur friends Circle
• Demo KOF 2002
• Feel the fragrance of Love
• Find a good friend
• Freak Out
• Free Demo Game
• Free Screenavers of Love
• Free Screensavers 4 U
• Free Screensavers
• Free Win32 API source
• Free XXX
• Free rAVs Screensavers
• Hardcore Screensavers 4 U
• Hip Shake it baby
• Hip
• How sweet this Screen saver
• I Love You..
• I Love You
• I am in Love
• Jenna 4 U
• Learn How To Love
• Learn SQL 4 Free
• Let's Dance and forget pains
• Looking for Friends
• Lovers Corner
• Need a friend?
• Need money ??
• One Hacker's Love
• One Virus Writer's Story
• Patch for Elkern.gen
• Patch for Klez.H
• Play KOF 2002 4 Free
• Project Sample Screensavers
• Sample KOF 2002
• Sample Playboy
• Say 'I Like You' To ur friend
• Screensavers from Club Jenna
• Sexy Screensavers 4 U
• The Hotmail Hack
• The King of KOF Wanna Brawl ??
• The world of Friends
• Things to note
• True Love
• U realy Want this
• Visit us
• WWE Screensavers
• Wanna Hack ??
• Wanna Rumble ??
• Wanna be a HE-MAN
• Wanna be friends ?
• Wanna be friends ??
• Wanna be like a stone ?
• Wanna be my sweetheart ??
• We want peace
• Who is ur Best Friend
• Who is your Valentine
• World Tour Whats up
• Wowwwwwwwwwww check it
• XXX Screensavers 4 U
• You are so sweet
• hey check it yaar
• love speaks from the heart
• make ur friend happy
• to ur friends
• to ur lovers
• war Againest Loneliness

添付ファイル名：

• Beautifull.scr
• Body_Building.scr
• Britney_Sample.scr
• Codeproject.scr
• Cupid.scr
• FixElkern.com
• FixKlez.com
• FreakOut.exe
• Free_Love_Screensavers.scr
• Hacker.scr
• Hacker_The_LoveStory.scr
• Hardcore4Free.scr
• I_Love_You.scr
• Jenna_Jemson.scr
• KOF.exe
• KOF2002.exe
• KOF_Demo.exe
• KOF_Fighting.exe
• KOF_Sample.exe
• KOF_The_Game.exe
• King_of_Figthers.exe
• Love.scr
• MyPic.scr
• MyProfile.scr
• My_Sexy_Pic.scr
• Notes.exe
• Peace.scr
• Playboy.scr
• Plus2.scr
• Plus6.scr
• Project.exe
• Ravs.scr
• Real.scr
• Romantic.scr
• Romeo_Juliet.scr
• SQL_4_Free.scr
• Screensavers.scr
• Services.scr
• Sex.scr
• Sexy_Jenna.scr
• Soccer.scr
• Stone.scr
• Sweetheart.scr
• THEROCK.scr
• The_Best.scr
• VXer_The_LoveStory.scr
• Valentines_Day.scr
• Ways_To_Earn_Money.exe
• World_Tour.scr
• up_life.scr
• xxx4Free.scr
• zDenka.scr
• zXXX_BROWSER.exe

本文：
hey, <br>did u always dreamnt of hacking ur friends hotmail account.. <br>finally i got a hotmail hack from the internet that really works.. <br>ur my best friend thats why sending to u.. <br>check it..just run it..enter victim's address and u will get the pass. hi, <br>check the attached love screensaver <br>and feel the fragrance of true love.. Hi, <br>check the attached screensaver.. <br>its really wonderfool.. <br>i got it from freescreensavers.com Hi, <br>check ur friends circle using the attached friendship screensaver.. <br>check the attached screensaver <br>and if u like it send it to all those you consider <br> to be true friends... if it comes back to you then <br> you will know that you have a circle of friends..

Hi, <br>check the attached screensaver <br>and enjoy the world of friendship..

Hi, <br>are u in a rocking mood... <br>check the attached scrennsaver and start shaking..

Hi, <br>Check the attached screensaver..

Hi, <br>Are you lonely ??.. <br>check the attached screensaver and <br>forget the pain of loneliness

Hi, <br>Looking for online pals.. <br>check the attached friend finder software..

Hi, <br>sending you a screensaver.. <br>check it and let me know how it is...

Hi, <br>Check the attached screensaver <br>and feel the fragrance of true love...

Hey, <br>I just got this wonderfull screensaver from freescreensaver.com.. <br>Just check it out and let me know how it is..

Hi, <br>I just came across it.. check out.. <br> <br>===================================================================== <br>Are you one of those unfortunate human beings who are desperately <br>looking for friends.. but still not getting true friends with whom <br>you can share your everything.. <br> <br>anyway you wont feel down any more cause GC Chat Network has brought <br>up a global chat and online match making system using its own GC <br>Messenger. Attached is the fully functional free version of GC <br>Instant Messenger and Match Making client.. <br>Just install, register an account with us and find thousands of online <br>pals all over the world.. <br>You can also search for friends by specific country,city,region etc. <br> <br>Regards Admin, <br>GC Global Chat Network System..

Hi, <br>So you think you are in love.. <br>is it true love ? you may think right now that you are in <br>true love but it is certainly possible that it is nothing <br>but a mere infatuation to you.. <br> <br>anyway to know yourself better than you have ever known check <br>the attached screensaver and feel the fragrance of true love..

Hey pal, <br>you know friendship is like a business... <br>to get something you need to give something.. <br>though its not that harsh as business but to <br>get love and care from your friends you need to give <br>love,care and respect to your friends.. right? <br> <br>check the attached screensaver and you will learn how to <br>make your friends happy..

Hi, <br>Its quite obvious that in our life we have numerous friends <br>but.. BUT Best Friend can only be ONE.. right ?? <br>so can you decide who is your best friend ?? <br>i guess not.. cause mostly you will find that your best friend <br>wont care about u like somebody else.. <br> <br>anyway i found one way to find who is my best friend.. <br>check it.. <br>just check the attached screensaver.. answer some questions <br>in it and also ask your best friend to answer the questions.. <br> <br>..then you will know more about Him.. <br>

Hey pal, <br>wanna have some fun in life... <br>feel like life is too boring and monotonous.. <br>check the attached screensaver and bring colours <br>to your black & white life.. :)

Hi, <br>I just came across this funny screensaver.. <br>sending it to u.. hope u like it.. <br>check out and die laughing.. :)

Hi <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>> <br> <br>This E-Mail is never sent unsolicited. If you receive this <br>E-Mail then it is because you have subscribed to the official <br>newsletter at the KOF ONLINE website. <br> <br>King Of Fighters is one of the greatest action game ever made. <br>Now after the mind boggling sucess of KOF 2001 SNK proudly <br>presents to you KOF 2002 with 4 new charecters. <br> <br>Even though we need no publicity for our product but this <br>time we have decided to give away a fully functional trial <br>version of KOF 2002. So check out the attached trial version <br>of KOF 2002 and register at our official website to get a free <br>copy of KOF2002 original version <br> <br>Best Regards, <br>Admin,KOF ONLINE.. <br> <br><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>

Hello, <br>I just came across your email ID while searching in the Yahoo profiles. <br>Actually I want a true friend 4 life with whom I can share my everything. <br>So if you are interested in being my friend 4 life then mail me. <br> <br>If you wanna know about me, attached is my profile along with some of my <br>pics. You can check and if you like it then do mail me. <br>I will be waiting for your mail. <br> <br>Best Wishes, <br>Your Friend..

Hello, <br>Looking for some Hardcore mind boggling action ? <br>Install the attached browser software and browse <br>across millions of paid hardcore sex sites for free. <br>Using the software you can safely and easily browse <br>across most of the hardcore XXX paid sites across the <br>internet for free. Using it you can also clean all <br>traces of your web browsing from your computer. <br> <br>Note:The attached browser software is made exclusivley <br>for demo only. You can use the software for a limited <br>time of 35 days after which you have to register it <br>at our official website for its furthur use. <br> <br>Regards, <br>Admin.

Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. <br>Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. <br>We developed this free immunity tool to defeat the malicious virus. <br>You only need to run this tool once,and then Klez will never come into your PC

Hello, <br>The attached product is send as a part of our official campaign <br>for the popularity of our product. <br>You have been chosen to try a free fully functional sample of our <br>product.If you are satified then you can send it to your friends. <br>All you have to do is to install the software and register an account <br>with us using the links provided in the software. Then send this software <br>to your friends using your account ID and for each person who registers <br>with us through your account, we will pay you $1.5.Once your account reaches <br>the limit of $50, your payment will be send to your registration address by <br>check or draft. <br> <br>Please note that the registration process is completely free which means <br>by participating in this program you will only gain without loosing anything. <br> <br>Best Regards, <br>Admin,

・ワームの文字列をみると、（パッチを適用していないシステムで）電子メールメッセージをプレビュー表示すると自身を実行するようにInternet Explorerの2つの脆弱性（IFRAMEおよび不適切なMIMEヘッダの脆弱性）を含んだ送信メッセージとなっています。これらの脆弱性に関する詳細情報とパッチについてはMicrosoft Security Bulletin (MS01-020)をご覧ください。