echo: virus_info
to: ALL
from: KURT WISMER
date: 2002-12-14 17:19:00
subject: News (fwd)

[cut-n-paste from sophos.com]

W32/Yaha-J

Type
Win32 worm

Detection
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description

W32/Yaha-J is a worm which spreads via email. The mail sent by the worm
has a variable subject line and attached file name. The attached file 
has an extension of SCR. The message text is:

"> > > >
> > > >
> >
This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from www.truefriends.net to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
http://truefriends.net/remove?freescreensaver
* Enter your email address in the field provided and click "Unsubscribe".

OR...

* Reply to this message with the word "REMOVE" in the subject line.

> > > >
> > > >
> >"

When first run the worm will display a message box with the title "Error"
and the message "Application initialisation error". W32/Yaha-J will then
create copies of itself named winreg.exe, msnmsg32.exe and nav32.exe in the
Windows system folder.

The worm creates the following registry entries so that winreg.exe is 
run when Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winreg
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winreg

The worm will also add the name and path to nav32.exe to the registry 
entry 

HKCR\exefile\shell\open\command.

W32/Yaha-J will also attempt to terminate processes with the following 
names:

ALERTSVC
AMON.EXE
ANTIVIR
APACHE.EXE
ATRACK
AVCONSOL
AVP.EXE
AVP32
AVPCC.EXE
AVPM.EXE
AVSYNMGR
CFINET
CFINET32
ESAFE.EXE
F-PROT95
FP-WIN
FRW.EXE
F-STOPW
IAMAPP
IAMSERV.EXE
ICMON
IOMON98
LOCKDOWN2000
LOCKDOWNADVANCED
LUALL
LUCOMSERVER
MCAFEE
NAVAPSVC
NAVAPW32
NAVLU32
NAVRUNR
NAVW32
NAVWNT
NISSERV
NISUM
NMAIN
NORTON
NSCHED32
NVC95
PCCIOMON
PCCMAIN
PCCWIN98
PCFWALLICON
POP3TRAP
PVIEW95
RESCUE32
SAFEWEB
SCAN32
SYMPROXYSVC
TDS2-98
TDS2-NT
VETTRAY
VSECOMR
VSHWIN32
VSSTAT
WEBSCANX
WEBTRAP
ZONEALARM




W32/Prestige-A

Type
Win32 worm

Detection 
At the time of writing Sophos has received no reports from users 
affected by this worm. However, we have issued this advisory following 
enquiries to our support department from customers.

Description

W32/Prestige-A is a worm that propagates through email attachments sent 
to contacts found from the Windows Address Book.

The emails have the following characteristics:

Subject line: fotos INEDITAS del PRESTIGE en el fondo del Atlantico!
Message text: none
Attached file: PRESTIG.ZIP
Sender: "Fotos_PresTiGe"

Upon execution, the worm displays the following message boxes:
"Desea instalar este PluG-In (sin coste telefonico adicional) y acceder a las
fotos ineditas jamas mostradas en Tv del PresTiGe en el fondo del Oceano
Atlantico?"

and

"La version actual de WININET.DLL impide instalar el PluG-In. 
Atentamente::Grupo 29A"

W32/Prestige-A then drops the following files to the Windows system 
folder:

m_Base64.xrf (a base64 encoded copy of PRESTIG.ZIP)
m_prgm.zip (another copy of PRESTIG.ZIP)
PresTiGe.exe (a copy of the worm)

The worm adds the following registry value, to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XRF =
"\PresTiGe.exe"

W32/Prestige-A replaces regedit.exe with a copy of itself and preserves 
the original regedit.exe as m_regedit.exe. Whenever regedit.exe (the 
worm copy) is run, the worm removes the registry entry above before 
running the original regedit (m_regedit.exe). When m_regedit.exe is 
closed, the worm adds the above entry back into the registry. This is 
an apparent attempt to avoid disinfection.





Troj/Tubmo-A

Type
Trojan

Detection 
Sophos has received several reports of this Trojan from the wild.

Description

Troj/Tubmo-A is a program intended to carry out "active 
reconfiguration" of your web browser in order to encourage you to go 
to specific websites and portals when you use the web.

When running, Troj/Tubmo-A unpacks a second program into your TEMP 
folder and executes it. This subsidiary file is also detected as 
Troj/Tubmo-A.

Troj/Tubmo-A makes a number of changes to your system, including: 
creating weblinks on your desktop; adding bookmarks; removing existing 
web toolbars; changing start and search pages; automatically 
downloading updated versions or additional programs and installing them 
on your computer; sending information from your computer out to a 
remote server; changing the registry so it loads itself silently on 
subsequent reboots; and more. Troj/Tubmo-A chooses random filenames 
when installing its components, so that it cannot be spotted by its 
name alone.

Note, however, that Troj/Tubmo-A asks for consent before installing 
itself, so it is unlikely to get onto a computer entirely by mistake. 
If you find that users on your network are in the habit of installing 
programs of this sort, Sophos suggests that you prohibit this behaviour 
as a part of your formal company policy. This will help to discourage 
the casual installation of unknown and untrusted software on company 
networks.

W32/Tubmo-A Verification Box [picture not shown here]

W32/Tubmo-A Password Check [picture not shown here]



 
--- MultiMail/MS-DOS v0.27
* Origin: Try Our Web Based QWK: DOCSPLACE.ORG (1:123/140)
SEEN-BY: 633/267 270
@PATH: 123/140 500 106/1 379/1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
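The two worm advisories above list concrete host indicators: the autostart values under Run/RunServices, the hijacked HKCR\exefile\shell\open\command handler, and the files each worm drops into the Windows system folder. The following Python triage check is an added example (not part of the forwarded post and not Sophos' code) that matches a host snapshot against those indicators. The snapshot format (a dict of registry values and a list of system-folder file names) and the two sample snapshots are constructed for the example; the stock value `"%1" %*` for the exefile command key is the Windows default. It covers both W32/Yaha-J and W32/Prestige-A in one pass.

```python
"""Triage a host snapshot against the W32/Yaha-J and W32/Prestige-A
indicators from the Sophos advisories (added example, not Sophos' code).

Snapshot format (assumed for this example):
    {"registry": {key_path: value}, "system_files": [file names]}
"""

# Indicators transcribed from the advisory text
YAHA_J_FILES = {"winreg.exe", "msnmsg32.exe", "nav32.exe"}
YAHA_J_RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winreg",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Winreg",
}
PRESTIGE_FILES = {"m_base64.xrf", "m_prgm.zip", "prestige.exe", "m_regedit.exe"}
PRESTIGE_RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XRF"
EXEFILE_KEY = r"HKCR\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'  # value Windows ships with; anything else is a hijack


def check_snapshot(snapshot):
    """Return a list of (family, message) findings for the given snapshot."""
    findings = []
    # Registry paths and file names on Windows are case-insensitive
    reg = {k.lower(): v for k, v in snapshot.get("registry", {}).items()}
    files = {f.lower() for f in snapshot.get("system_files", [])}

    # W32/Yaha-J: autostart values and dropped copies
    for key in sorted(YAHA_J_RUN_KEYS):
        if key.lower() in reg:
            findings.append(("Yaha-J", f"autostart value {key} = {reg[key.lower()]!r}"))
    hit = files & YAHA_J_FILES
    if hit:
        findings.append(("Yaha-J", "dropped files present: " + ", ".join(sorted(hit))))

    # W32/Yaha-J prepends nav32.exe to the .exe file handler; any deviation from
    # the default is worth a look, whatever program was inserted
    cmd = reg.get(EXEFILE_KEY.lower())
    if cmd is not None and cmd.strip() != EXEFILE_DEFAULT:
        findings.append(("Yaha-J", f"exefile handler modified: {EXEFILE_KEY} = {cmd!r}"))

    # W32/Prestige-A: XRF autostart value and dropped files (m_regedit.exe is the
    # preserved original regedit, so its presence means regedit.exe was replaced)
    if PRESTIGE_RUN_KEY.lower() in reg:
        findings.append(("Prestige-A", f"autostart value {PRESTIGE_RUN_KEY} = {reg[PRESTIGE_RUN_KEY.lower()]!r}"))
    hit = files & PRESTIGE_FILES
    if hit:
        findings.append(("Prestige-A", "dropped files present: " + ", ".join(sorted(hit))))

    return findings


# Constructed sample snapshots (not captured from a real machine)
SAMPLE_INFECTED = {
    "registry": {
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winreg": r"C:\WINDOWS\SYSTEM\winreg.exe",
        r"HKCR\exefile\shell\open\command": r'C:\WINDOWS\SYSTEM\nav32.exe "%1" %*',
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\XRF": r"\PresTiGe.exe",
    },
    "system_files": ["kernel32.dll", "winreg.exe", "nav32.exe", "m_regedit.exe", "PresTiGe.exe"],
}
SAMPLE_CLEAN = {
    "registry": {r"HKCR\exefile\shell\open\command": '"%1" %*'},
    "system_files": ["kernel32.dll", "user32.dll"],
}

if __name__ == "__main__":
    for name, snap in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(f"== {name} ==")
        for family, msg in check_snapshot(snap):
            print(f"  [{family}] {msg}")
```

On a live machine the snapshot would be filled from `winreg` and a directory listing of the system folder; the exefile check is the one most worth keeping generic, since a modified `.exe` handler re-launches the inserted program every time any executable is opened, which is why Yaha-J uses it as a second persistence path alongside the Run keys.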
