Aliases: I-Worm/Yanz.B, [email protected], W32/Yanz.B.worm, NewHeur_PE, Win32.HLLM.SunYanzi.2, W32/Favsin-A, Win32/[email protected], WORM_YANZ.B, Worm/Yanz.B.3
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
23 Nov 2004
The W32/[email protected] program is a mass-mailing worm that uses its SMTP engine to send itself by e-mail to addresses that it retrieves from the compromised computer. This worm affects Windows platforms such as Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT, and Windows XP.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
The worm is written in the Microsoft Visual C++ programming language. When executed, it displays a message box with WINDOWS PANIC as its title and a message saying “No Windows.” “Yes doors and holes”. The worm then copies itself to the system folder as %System%\NvCpl.EXE and %System%\Dong_Shi.exe. It also creates other files in the Windows installation folder; when these steps are complete, the file sun.exe runs and creates three .jpg files in the Temp folder, whose file names have "SuN" as their prefix. It then adds a value to a registry key so that the worm runs every time Windows starts, and it creates a mutex named "Stefanie Sun Yanzi", which allows only one instance of the worm to run.
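The file indicators named above can be checked against a file listing exported from a suspect host. The following is an added example, not part of the original write-up: the function names, the two-indicator threshold and the sample listing (including the name SuN01.jpg) are constructed for illustration, and the location of sun.exe is not stated on the page, so it is matched in any folder.

```python
import fnmatch
from pathlib import PureWindowsPath

# Indicators taken from the description above. %System% resolves to "system"
# on Windows 95/98/Me and "system32" on NT-family systems, so both are accepted.
SYSTEM_DIRS = {"system", "system32"}
SELF_COPIES = {"nvcpl.exe", "dong_shi.exe"}
TEMP_PATTERN = "sun*.jpg"  # "SuN" prefix, compared case-insensitively (assumption)


def classify(path):
    """Return the indicator a Windows path matches, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = p.parent.name.lower()
    if name in SELF_COPIES and parent in SYSTEM_DIRS:
        return "self-copy in system folder"
    if name == "sun.exe":
        return "dropped sun.exe"
    if parent == "temp" and fnmatch.fnmatchcase(name, TEMP_PATTERN):
        return "SuN-prefixed .jpg in Temp"
    return None


def triage(paths):
    """Map each matching path to the indicator it matched."""
    return {p: r for p in paths if (r := classify(p)) is not None}


def needs_follow_up(paths, threshold=2):
    """A single file-name match is weak evidence; require several distinct indicators."""
    return len(set(triage(paths).values())) >= threshold


# Constructed sample listing, not captured from a real host.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\NvCpl.EXE",
    r"C:\WINDOWS\system32\Dong_Shi.exe",
    r"C:\WINDOWS\sun.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\SuN01.jpg",
    r"C:\WINDOWS\system32\notepad.exe",
    r"D:\photos\sunset.jpg",              # right prefix, wrong folder
    r"C:\Program Files\Tools\NvCpl.exe",  # right name, wrong folder
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING).items():
        print(f"{reason}: {path}")
    print("follow up:", needs_follow_up(SAMPLE_LISTING))
```

A name match is a lead for further inspection of the file, not a verdict on it; the mutex and the registry value are not covered because a file listing cannot show them.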
Users may receive this application when it is bundled with other programs. These can be freeware and shareware software downloaded from unreliable websites. The program may also be included in files spread via peer-to-peer (P2P) file sharing networks. The [email protected] software can also be sent to the user in an e-mail or instant message. The content and subject line may label the file as a harmless file or a necessary program update. The malware program can also be installed on the system by other applications. The application places a number of files on the system. Registry changes are also made so that it can run at system startup.