Another variant of the Yaha worm, Yaha-Q, has been spotted in the wild. A twist in the tail of this latest worm is that it drops a ‘logic bomb’ on a Wednesday. On this day, W32/Yaha-Q will carry out four operations: change the IE homepage to point at www.indiansnakes.cjb.net, append a link to the same Web site in various HTML files, attempt to spread to network shares, and create a randomly named text file in the Windows directory. This file will contain one of a number of garbled, anti-Pakistani messages.

The worm is hard to spot because it can use a very large selection of subject lines and body copy. The sender listed in the ‘From’ field is no guide, either, as the email may be spoofed, i.e. it is not necessarily from the specified sender. Sophos reports that W32/Yaha-Q copies itself to the files exeloader.exe and mstask32.exe in the Windows system folder.

Graham Cluley, Senior Technology Consultant at Sophos, told us that Yaha and its various manifestations were the creation of a group of Indian hackers. The juvenile agenda of this group apparently includes an anti-Pakistan sentiment, with Pakistani hackers being a particular target.