Security threats Toolkit

Antivirus virus on the loose

Tags:
Security Warning,
Yaha Virus,
Symantec,
Antivirus

James Pearce ZDNet Australia

Published: 20 Jan 2003 10:23 GMT

The appearance and spread of viruses throughout the tech-enabled world is rapidly becoming par for the course for home and corporate users.

However, occasionally, a virus contains a more interesting wrinkle than being named after a tennis player or teen-punk idol. For example, tech security companies are warning of a new virus designed to attack a version of the already-existing Yaha virus. Trouble is, the new virus may also crash your computer.

The W32.Sahay.A@mm virus arrives as an attachment called "mathmagic.scr", with the subject "Fw: Sit back and be surprised..." It attempts to attach itself to all the .exe file in the Windows and C:\Program Files\Mirc\download folders, but due to bugs in the software may crash the computer or corrupt files in these folders.

The Sahay virus also checks the computer for characteristics of the W32.Yaha family of worms, and if any are found attempts to remove them and then displays this message:

Title: Exchange viruses?
Message: Hi there.. it seems you were infected with Yaha.k. That worm however, written by an idiot who sPeLlS lIkE tHiS,abused my website and got me toreceive the complaints. Therefore, I have just disinfected you.Don't worry tho.. as I didn't wanna steal from you, I gave you this virus (Win32.HLLP.YahaSux) in return :)

Greetz, Gigabyte [Metaphase VX Team]

The worm then sends itself to all contacts in Outlook's Address book and restarts the computer.

Clive Wainstein, pre-sales engineer at Trend Micro, told ZDNet Australia that in five years working in the antivirus field he had never seen a virus attempt to delete another one.

"The hacker community on the whole is a very competitive, small-knit community," said Wainstein. "It doesn't surprise me that [the Sahay writer] has done this, he's trying to promote his handiwork."

According to David Banes, regional manager for security company Symantec, Sahay is not the first virus designed to attack another virus, but it is the first one for quite a while. It is more usual to receive a hoax email claiming an existing, necessary file is a virus, such as the Jdbgmgr.exe hoax, which claims a file is a virus when it is really a debugger register for Java. Symantec has posted information about removing the virus on its Web site.

"The idea of a virus that removes a virus has been tossed around for a while, but antivirus companies tend to frown on it," said Banes. "Either way you're running code on someone else's machine without them knowing about it."

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.