RMYAHA
------

Version 1.03, December 2002
Copyright (c) 2002 Sophos Plc.
www.sophos.com

1. Introduction
2. Preparing to run RMYAHA
3. Make the RMYAHA floppy disk
4. Run RMYAHA
5. Remove infected files
6. After running RMYAHA
   a) Checking the Win.ini file for any pointers to the worm
   b) Deleting the Kitkat file
   c) System Restore on Windows Me
   d) System Restore on Windows XP
   e) Rebooting the computer
   f) Running a scan to check disinfection
   g) Restoring your Sophos Anti-Virus settings
   h) Installing the security patch
7. Additional RMYAHA options
8. How to avoid infection in the future
9. For further assistance

1. Introduction
---------------

RMYAHA is a utility designed to help disinfect computers infected with
W32/Yaha-E, W32/Yaha-K and W32/Yaha-L. It attempts to terminate any
processes and reset any registry keys that have been changed by the worm.

The W32/Yaha family are Windows 32 worms which spread via email and
network shares. They can infect Windows 95/98/Me as well as Windows
NT/2000/XP. Further information about these worms is available from:

  http://www.sophos.com/virusinfo/analyses/w32yahae.html
  http://www.sophos.com/virusinfo/analyses/w32yahak.html
  http://www.sophos.com/virusinfo/analyses/w32yahal.html

It is not necessary for a user to double-click on the attachment to
become infected, as these worms can exploit a security vulnerability in
Microsoft Internet Explorer, Outlook and Outlook Express.

Read through these notes before starting to disinfect your computer(s).

2. Preparing to run RMYAHA
--------------------------

If you are using Sophos Anti-Virus version 3.65 or earlier, you will need
the latest IDEs to detect W32/Yaha-K and W32/Yaha-L. These are available
from:

  http://www.sophos.com/downloads/ide

If you do not already have a copy, you will also need Sophos Anti-Virus,
which is available from:

  http://www.sophos.com/downloads/products/

Download the version for your platform.
It is recommended that you disconnect infected computers from the network
before proceeding. This is not vital to the disinfection process, but it
stops the worm spreading further and prevents a cleaned computer from being
reinfected over network shares by machines that are still infected.

3. Make the RMYAHA floppy disk
------------------------------

On an uninfected computer, download RMYAHSFX.EXE from

  http://www.sophos.com/tools/rmyahsfx.exe

Run RMYAHSFX.EXE to extract RMYAHA.EXE, PSAPI.DLL and these notes. They
will extract to the directory C:\SOPHTEMP under Windows (or to the current
directory under DOS). Copy these files onto the floppy disk.

Write-protect the floppy disk, so that the infected computer cannot write
to it.

4. Run RMYAHA
-------------

On the infected computer, insert the floppy disk containing the RMYAHA
utility and copy the files into a temporary directory on the local hard
disk. In the following example drive C: is used.

Open a Command Prompt (on Windows NT/2000/XP) or an MS-DOS Prompt (on
Windows 95/98/Me). Type

  C:
  CD \
  MD SOPHTEMP
  CD SOPHTEMP
  COPY A:\*.* C:\SOPHTEMP

Now run the RMYAHA utility. Type

  RMYAHA

RMYAHA should terminate all the worm processes and change the affected
registry keys. If a message says that the worm processes have not all
been terminated, or that RMYAHA.EXE cannot be found, contact Sophos
technical support.

5. Remove infected files
------------------------

If necessary, install Sophos Anti-Virus.

Copy the W32/Yaha IDEs to the C:\Program Files\Sophos SWEEP (or Sophos
SWEEP for NT) folder on each computer and reboot (on Windows NT/2000/XP
you can stop and restart the Sophos services instead). Alternatively,
copy them to the central installation folders and run an update. See:

  http://www.sophos.com/support/faqs/usingides.html

Go to Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus (on Windows
NT/2000/XP) or Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus SWEEP
(on Windows 95/98/Me) to launch the Sophos Anti-Virus window.

Click on the 'Immediate' tab then choose Options|Configuration|Action.
Select 'Infected files' then select 'Delete'. Click 'OK' to return to the
main window.
Check that your local hard drives are selected (look for the green light).
Click 'GO' to start the scan.

If prompted to delete a file infected with W32/Yaha, make a note of the
name and path of the file, then click 'Yes'. You will need these names in
section 6a.

If any virus other than W32/Yaha is detected, contact Sophos technical
support for advice.

6. After running RMYAHA
-----------------------

After running RMYAHA perform the following actions:

a) Checking the Win.ini file for any pointers to W32/Yaha-E

Go to Start|Run and type Sysedit. Bring Win.ini to the front and look for
the line starting with 'Run'. If this points to any of the files detected
by Sophos Anti-Virus as being infected with W32/Yaha-E, delete the file
name and path. For example, if the line reads

  Run=C:\Winnt\System32\MSTASK.EXE

delete 'C:\Winnt\System32\MSTASK.EXE', leaving

  Run=

b) Deleting the Kitkat file

Right-click Start and select Explore. Browse to C:\<Windows>\temp and
delete the file 'Kitkat' (<Windows> will be one of: Windows, Win98, Win95,
Winnt, Win, WinMe, WinXP).

c) System Restore on Windows Me

Note: this will delete any previously created restore points, including
any that hold a copy of the worm and could otherwise reintroduce it.

Go to Start|Settings|Control Panel. Double-click 'System', then click on
the 'Performance' tab. Click 'File System' then click the 'Troubleshooting'
tab. Select 'Disable System Restore' and click 'Apply'. Now deselect
'Disable System Restore' and click 'Apply'. Click 'Close' and click
'Close' again. Restart the computer.

d) System Restore on Windows XP

Note: this will delete any previously created restore points, including
any that hold a copy of the worm and could otherwise reintroduce it.

Go to Start|Control Panel|Performance and Maintenance. Double-click
System, then select the System Restore tab. Click to select the 'Turn
off System Restore on all drives' box. Click Apply. Click Yes. Now click
to clear the 'Turn off System Restore on all drives' box. Click OK.
Restart the computer.

e) Rebooting the computer

Shut down your computer and restart it. Double-click on the InterCheck
monitor red flash and check that its status is marked as 'Active'.
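Steps 6a and 6b can also be checked with a short script before anything is deleted by hand. The following is an added example, not part of RMYAHA or of Sophos Anti-Virus: it reports which entries on the 'Run' (and 'Load') line of the [windows] section of Win.ini point at files reported as infected in section 5, and it looks for <Windows>\temp\Kitkat under each of the directory names listed in 6b. The sample Win.ini, the infected-file list and the assumption that Win.ini entries are comma separated are this example's own.

```python
r"""Checks for steps 6a and 6b, as a script rather than by hand.

Added example; not part of RMYAHA or of Sophos Anti-Virus. Nothing is
deleted: the functions report what they find so the result can be reviewed.
"""
import ntpath
import os

# Windows directory names listed in section 6b.
WINDOWS_DIR_NAMES = ("Windows", "Win98", "Win95", "Winnt", "Win", "WinMe", "WinXP")


def _norm(path):
    """Normalise a Windows path for comparison (backslashes, case folded)."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def clean_winini(text, infected_paths):
    """Return (cleaned_text, removed_entries).

    Only the 'run' and 'load' keys of the [windows] section are touched. An
    entry is removed only when it matches one of *infected_paths* exactly
    after normalisation; matching on the bare file name would be unsafe,
    because the name in the 6a example (MSTASK.EXE) is also the name of the
    Windows Task Scheduler program. Entries are assumed to be comma
    separated (this example's assumption); every other line is kept as is.
    """
    infected = {_norm(p) for p in infected_paths}
    out, removed = [], []
    in_windows = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_windows = stripped.lower() == "[windows]"
            out.append(line)
            continue
        key, sep, value = line.partition("=")
        if in_windows and sep and key.strip().lower() in ("run", "load"):
            kept = []
            for entry in (e.strip() for e in value.split(",")):
                if not entry:
                    continue
                (removed if _norm(entry) in infected else kept).append(entry)
            out.append("%s=%s" % (key.strip(), ",".join(kept)))
        else:
            out.append(line)
    cleaned = "\n".join(out)
    if text.endswith("\n"):
        cleaned += "\n"
    return cleaned, removed


def find_kitkat(drive_root):
    """Return the path of every <Windows>\\temp\\Kitkat file under drive_root."""
    hits = []
    for name in WINDOWS_DIR_NAMES:
        candidate = os.path.join(drive_root, name, "temp", "Kitkat")
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


# Constructed sample Win.ini, modelled on the 6a example. The 'run=' line in
# [fonts] is there only to show that other sections are left alone.
SAMPLE_WIN_INI = (
    "[windows]\n"
    "load=\n"
    "run=C:\\Winnt\\System32\\MSTASK.EXE,C:\\Tools\\backup.exe\n"
    "NullPort=None\n"
    "[fonts]\n"
    "run=C:\\Winnt\\System32\\MSTASK.EXE\n"
)

# Constructed list of files noted down during the scan in section 5.
INFECTED = [r"C:\WINNT\System32\mstask.exe"]

if __name__ == "__main__":
    cleaned, removed = clean_winini(SAMPLE_WIN_INI, INFECTED)
    print("removed from Win.ini:", removed)
    print(cleaned)
    for hit in find_kitkat("C:\\"):
        print("Kitkat file found:", hit)
```

Run it with the list of files noted in section 5 in place of INFECTED, write the cleaned text back to Win.ini only after reading the 'removed' list, and delete any Kitkat path it prints.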
f) Running a scan to check disinfection

Now run another scan to check that all copies of the worm have gone.

Go to Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus (on Windows
NT/2000/XP) or Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus SWEEP
(on Windows 95/98/Me) to launch the Sophos Anti-Virus window. Click 'GO'
to start the scan.

If copies of the worm remain, rename RMYAHA.EXE to RMYAHA.COM (in case
the worm is preventing .EXE files from running) and repeat sections 4, 5
and 6. If problems persist contact Sophos technical support.

g) Restoring your Sophos Anti-Virus settings

Go to Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus (on Windows
NT/2000/XP) or Start|Programs|Sophos Anti-Virus|Sophos Anti-Virus SWEEP
(on Windows 95/98/Me) to launch the Sophos Anti-Virus window.

Click on the 'Immediate' tab then choose Options|Configuration|Action.
Deselect 'Delete', then deselect 'Infected files'. Click 'OK' to return to
the main window.

h) Installing the security patch

These worms can exploit a security vulnerability in Microsoft Internet
Explorer, Outlook and Outlook Express. To prevent reinfection, install
the following patch, available from Microsoft:

  http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

(This patch fixes a number of vulnerabilities in Microsoft's software,
including the one exploited by this worm.)

7. Additional RMYAHA options
----------------------------

If you want to produce a report recording the actions taken by RMYAHA,
add -LF=filename to write a log file. For example:

  RMYAHA -LF=SAV.LOG

If you want more detailed information in the log, add the -V (verbose)
qualifier when executing the program. For example:

  RMYAHA -LF=SAV.LOG -V

If you do not want more detailed information in the disinfection log, add
the -NV (not verbose) qualifier when executing the program. (This is the
default.)

If you want to disable drive sharing, add the -S (sharing) qualifier when
executing the program. For example:

  RMYAHA -S

8. How to avoid infection in the future
---------------------------------------

a) Keep up-to-date

Update your corporate anti-virus so that you can detect and prevent future
viruses, Trojans and worms. If you do not have procedures for rapid
updates, implement them now, because you are sure to need them again.

Sophos Enterprise Manager is one way to help automate protection updates
inside your company. Further information on Enterprise Manager is
available from:

  http://www.sophos.com/products/software/emanager/

b) Block Windows programs

If possible, block all Windows programs at your email gateway. It is
rarely necessary to allow users to receive programs via email. There is
so little to lose, and so much to gain, simply by blocking all mailed-in
programs, regardless of whether they contain viruses or not.

Sophos MailMonitor for SMTP contains pro-active threat reduction
technology which can help you block dangerous filetypes and executable
code at the email gateway. Further information on MailMonitor for SMTP is
available from:

  http://www.sophos.com/products/software/mailmonitor/mmsmtp.html

c) Microsoft security patches

Keep up-to-date with the latest Microsoft security patches by subscribing
to the Microsoft security bulletins at http://www.microsoft.com/security
or by visiting Windows Update at http://www.windowsupdate.com/

9. For further assistance
-------------------------

For further assistance, please contact Sophos technical support
(support@sophos.com).

3 January 2003
----------------
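The per-attachment decision behind the advice in section 8b, as an added example that is neither Sophos nor MailMonitor code: a MIME part is blocked if its file name carries an extension Windows will execute, or if its bytes start with the 'MZ' signature of a Windows executable, whatever name or Content-Type the sender declared. The extension list, the addresses and the three attachments in the constructed message are this example's own.

```python
"""Deciding which mailed-in attachments to block at the email gateway.

Added example, not Sophos or MailMonitor code. A part is blocked on its
file extension or on the 'MZ' header of its decoded bytes, so renaming a
program or declaring it as audio/image does not get it past the check.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows runs directly. This list is the example's choice,
# not a Sophos list; extend it to suit local policy.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "dll", "cpl", "hta",
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "lnk", "reg", "msi",
}
PE_SIGNATURE = b"MZ"  # first two bytes of every Windows executable


def classify_attachment(filename, payload):
    """Return the reason a part should be blocked, or None if it may pass."""
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return "executable extension .%s" % ext
    if payload[:2] == PE_SIGNATURE:
        # Catches a program renamed to .txt/.wav or declared as audio/image.
        return "Windows executable (MZ header) despite name and declared type"
    return None


def scan_message(raw):
    """Parse a raw message and list (filename, reason) for every blocked part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            blocked.append((part.get_filename(), reason))
    return blocked


def build_sample_message():
    """Constructed test message: one harmless and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # made-up addresses
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "files"
    msg.set_content("See attachments.")
    msg.add_attachment("Quarterly figures.", filename="report.txt")
    msg.add_attachment(b"not really a picture", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.scr")
    # A program with a harmless-looking name and a declared audio type.
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
                       maintype="audio", subtype="x-wav", filename="song.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print("BLOCK %-14s %s" % (name, why))
```

In a real gateway the raw bytes come from the SMTP DATA stage rather than from build_sample_message(); the decision logic is the same, and a blocked part is quarantined rather than delivered.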