[Snort-users] W32/Yaha-Y Worm

CGhercoias at ...8619... CGhercoias at ...8619...
Thu Dec 18 12:28:05 EST 2003

This worm is quite 'old' --
I believe this is a worm also known as WORM_YAHA.AF, W32/Yaha.y at ...7059...,
W32.Yaha.AF at ...4138... and many other names, which have started to spread in the
wild sometimes in November 2002.

Here is a removal tool --

You can easily write your own signature using the 'specs' on the
Symantec web site. Just use the keywords published there, set the rule
to listen just for traffic on port 25 towards your mail server.

alert tcp $EXTERNAL_NET any -> $HOME_NET 25
( sid: 1000027; rev: 1; msg: "W32/MSBLAST Worm ANY"; content: "|00 01 6D
73 62 6C 61 73 74 2E 65 78 65|"; offset: 0; depth: 2; reference:
T.A; classtype: trojan-activity; priority: 1;)

Open it in a Unix machine(or windows but disconected from network and
with the antivirus shutdown) in hexadecimal mode and copy few
hexadecimal values and paste them in the content space of the rule you
want to create.

Catalin Ghercoias 
WEB/Network Security Administrator 

website: http://www.fye.com 

The content of this communication is classified as Trans World
Entertainment Confidential and Proprietary Information. As such, it is
intended solely for the use of the individual or entity to whom it is
addressed and only others who are authorized to receive it. If you are
not one of those, you are hereby notified that any disclosure, copying,
distribution, or action in reliance on the contents of this information
is strictly prohibited and may be unlawful. If you have received this
communication in error, please notify us immediately by responding to
this communication and then deleting it from your system. 


-----Original Message-----
From: jbendure at ...10207... [mailto:jbendure at ...10207...] 
Sent: Thursday, December 18, 2003 2:46 PM
To: Snort-Users; snort-users-admin at lists.sourceforge.net
Subject: [Snort-users] W32/Yaha-Y Worm

has anyone seen a snort rule posted yet to look for the new W32/Yaha-Y
worm that is in the wild? And is there one to implement if a machine
infected?I need to implement it on all of my snort boxes. ANY help would

Jeff Bendure
Network Consultant
Reliance Technical
jbendure at ...10787...

This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for
Free Linux Tutorials.  Learn everything from the bash shell to sys
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list