Virus Removal Utilities by PC S.O.S.

Yaha Worm (All variants)

The Yaha Worm is a mass mailing worm that arrives in a file attached to an e-mail message. It then sends itself using SMTP to addresses found on the local system (Windows Address Book, MSN and .NET messenger cache folders and HTML files). It jeopardizes the security of the infected PC by emailing out data which can include credit card information and passwords.

In some cases Yaha.k attempts to delete ALL files in the 'My Documents' folder. The YahaRemover will stop this action and restore the files.

The longer Yaha stays active on a PC, the more damage it causes as it infects more and more programs as they are accessed by the user! That's why removing Yaha at early stages is very advisable.

The Yaha worm is also known as:

Symptoms of Yaha infection:

Yaha Blocks the launching of many applications including antivirus programs. A good test to determine whether your PC is infected with Yaha.k is to hit the Ctrl+Alt+Delete keys simultaneously. Under normal conditions, the Task Manager (Close Programs) menu should come up and it should list all running processes. If 'winservices.exe' or 'nav32_loader.exe' or 'tcpsvs32.exe' is listed among the processes, then the PC is definitely infected with Yaha.k. There are cases where Yaha.k will even suppress the Task Manager where pressing Ctrl+Alt+Delete will bring up the Task Manager for a very brief period, only to be shut down by the virus. In other words, the Task Manager may not stay up (flash quickly on the screen then close down).

When run, the virus may display a message box. The message displayed is chosen from the following list:

Ur My Best Friend!!
No Configuration is available Now
Config
madd
U r so cute today #!#!
U r my best friend
True Love never ends
I like U very much!!!
U r My Best Friend
U r My Valentine
Changes the start page of Internet Explorer to one of the following:
http://www.unixhideout.com
http://www.hirosh.tk
http://www.neworder.box.sk
http://www.blacksun.box.sk
http://www.coderz.net
http://www.hackers.com/html/neohaven.html
http://www.ankitfadia.com
http://www.hrvg.tk
http://www.hackersclub.up.to

Yaha worm unloads the following 3 files (listed below) into the System Directory and loads them into memory, which allows the virus to block many executable programs from being launched, including many antivirus and firewall programs. This is usually an error message to the effect that 'WinServices.exe is not found', or 'cannot find Nav32_Loader.exe' or 'TCPSVS32.exe cannot be found' or 'Windows cannot find rundll32.exe' or 'Windows cannot find ... exe'

NAV32_LOADER.EXE
TCPSVS32.EXE
WINSERVICES.EXE

.. and a fourth file called aYerHS.txt on the Desktop

... other general virus infection symptoms here.

Messages carrying Yaha may contain any of the following in their 'Subject' field:

Are you the BEST
Free Win32 API source
Learn SQL 4 Free
I Love You..
Wanna be like a stone ?
Are you a Soccer Fan ?
Sexy Screensavers 4 U
Check it out
Sample Playboy
Hardcore Screensavers 4 U
XXX Screensavers 4 U
We want peace
Wanna be a HE-MAN
Visit us
One Virus Writer's Story
One Hacker's Love
World Tour
Whats up
Wanna be my sweetheart ??
Screensavers from Club Jenna
Jenna 4 U
Free rAVs Screensavers
Feel the fragrance of Love
Wanna Hack ??
Sample KOF 2002
The King of KOF
Wanna Brawl ??
Wanna Rumble ??
Play KOF 2002 4 Free
Demo KOF 2002
Free Demo Game
Wanna be friends ??
Need money ??
Are you beautiful
Who is your Valentine
Free Screenavers of Love
Free XXX
Free Screensavers
WWE Screensavers
Freak Out
Wanna be friends ?
Things to note
Lovers Corner
Patch for Elkern.gen
Patch for Klez.H
Free Screensavers 4 U
Project
Sample Screensavers
Are you in Love
I am in Love
I Love You
You are so sweet
The Hotmail Hack
U realy Want this
to ur lovers
to ur friends
Find a good friend
Learn How To Love
Are you looking for Love
Wowwwwwwwwwww check it
Check ur friends Circle
The world of Friendship
Shake it baby
How sweet this Screen saver
war Againest Loneliness
Need a friend?
Say 'I Like You' To ur friend
love speaks from the heart
Let's Dance and forget pains
Looking for Friendship
True Love
make ur friend happy
Who is ur Best Friend
hey check it yaar
Check this shit
Hello
Hi

Yaha.k is also known as W32/Yaha.k, W32/Yaha.m, I-Worm.Lentin.i, Lentin Worm, Win32/Yaha.K@mm, Win32/Yaha.M@mm, W32/Yaha-K, W32/Yaha-M, Win32.Yaha.K, Win32.Yaha.M, W32/Yaha.M-mm

Older variants that are also covered by PC S.O.S. Removers are: Yaha are Yaha.b, Yaha.b, Yaha.d, Yaha.e, Yaha.f, Yaha.g, Yaha.h, & Yaha.i. See this note about virus naming prefixes and suffixes (for example W32/Yaha.g@mm, where W32 is a prefix, @mm is a suffix).

Download the YahaRemover utility here.

>>> Back to Antivirus Main Page

BREAKDOWN S.O.S. HOTLINE

Tel.: + 44 (0)207 720 8550 ; + 44 (0)7961 980 184 ; + 44 (0)7888 638 033