[email protected]

Aliases: Win32:Yarner, I-Worm/Yarner, [email protected], W32/Yarner, Win32/Yarner.A
Variants: W32/Yarner, Win32/[email protected], WORM_YARNER.A, W32/YaW-Setup.1, W32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 19 Feb 2002
Damage: High

Characteristics: The W32/[email protected] program is a mass-mailing worm that spreads by sending e-mail to addresses that it finds in the MS Outlook address book and in other local files on your system. The worm uses a hardcoded SMTP server or the system-configured one to send these messages with "Trojaner-Info Newsletter" as the subject, followed by the recent date. The content of the message is written in German and the attachment is named Yawsetup.exe.
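The subject line and attachment name above can be checked at a mail gateway. The following Python sketch is an added example, not part of the original description or of any vendor's tooling; the function names and the sample messages (including the date format in the subject) are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

SUBJECT_PREFIX = "trojaner-info newsletter"  # subject named on this page
ATTACHMENT_NAME = "yawsetup.exe"             # attachment named on this page


def yarner_indicators(raw_message: bytes) -> list:
    """Return which of the page's two indicators a raw message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so an encoded
    # subject is compared in its decoded form.
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith(SUBJECT_PREFIX):
        hits.append("subject")
    # Walk every MIME part; compare file names case-insensitively.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT_NAME:
            hits.append("attachment")
            break
    return hits


def build_sample(subject: str, filename=None) -> bytes:
    """Build a constructed test message (placeholder bytes, no real payload)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = subject
    m.set_content("Constructed sample body.")
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Trojaner-Info Newsletter 19.02.2002", "Yawsetup.exe"),
        build_sample("Trojaner-Info Newsletter 19.02.2002"),  # subject only
        build_sample("Weekly report", "report.pdf"),          # benign
    ]
    for raw in samples:
        print(yarner_indicators(raw))
```

A message that matches only the subject may be an unrelated newsletter; the attachment match is the stronger signal for quarantine.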

More details about [email protected]

The worm is executed on your system once you open the infected e-mail message, specifically its attached file. The worm then automatically installs itself on your system and runs its spreading routine and payload. While installing, the worm copies itself to your Windows directory under random executable file names of about 100 symbols and registers these files in the system registry auto-run key. The worm then renames the file NOTEPAD.EXE in the Windows directory and replaces the original file, under the same file name, with its own code. This gives the worm an additional copy of itself, which launches again whenever a text file is opened with Notepad.

The worm can send copies of itself via a direct connection to a default SMTP server. It obtains victim e-mail addresses in two ways. First, it accesses the Microsoft Outlook address book and gathers all e-mail addresses. Next, it scans all .HTM, .PHP, .CGI, .SHTM, and .PL files in all sub-directories of the Windows directory and gathers all e-mail addresses from there. After sending an infected e-mail, the worm deletes all files on the drive where Windows is installed.

Additional unwanted files may be added by the W32/[email protected] program to the system. These are reportedly installers for adware, spyware, and Trojan software. The files are executed and added to the registry. They will run in the background and use up computer resources. Pop-up and pop-under advertisements may be displayed whenever an Internet connection is created. Visited web pages, online searches, and clicked links may be recorded. These can be used to generate ads based on the user’s preferences.