Aliases: PE_YAMI.A, Virus.Win32.Niya.a, W32/Niya.3028, W32/Niya.A
Variants: W32/Niya.gen, W32/Yami.A, Win32/Ngvck.AC, Win32/Niya.B, Worm:Win32/Niya.A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 21 May 2005
Damage: High

Characteristics: The W32/Yami.A program is a virus that infects Windows Portable Executable files on Windows XP systems. The virus injects itself into kernel memory and has the ability to monitor file activity. The virus utilizes slack space to infect .exe files, thus infected files will not increase in its size.

More details about W32.Yami.A

Once W32/Yami.A is executed on our system, the virus performs the following actions. First, it verifies that the OS is Windows XP. The virus would not execute on any other OS. Then installs and runs in kernel mode to hook system service and monitor any opened files. It would again perform verification to opened file that has.exe extension, if not it ignores the file. This virus is likely to avoid infecting files that contain the "\system3" string on the file path. It as well ignores files that are smaller than 18 kb or larger than 4 GB. It injects its code in slack space in PE file. It injects the marker 'YM' prior to the PE Header to avoid re-infecting other files.

Because of various bugs in its viral code, it can corrupt the infected file so the intended action fails. W32/Yami.A also checks CMOS memory for particular values to launch its pay load. The pay load consists of replacing a part of the first sixty three sectors of the hard disk with the text 'YM KILL YOU' which makes the disk unbootable and can cause the computer not to start.