Yaha Worm Wreaks Confusion

The Yaha worm, discovered last week in the Middle East, is causing confusion among both security vendors and users.

A lack of consensus on the way that new viruses are named led to confusion among anti-virus companies this week and may have resulted in some users being unsure whether they were protected against the latest variant of the Yaha worm.

Anti-virus vendors began seeing a new minor variant of the Yaha mass-mailing worm shortly before Christmas. The first copies seemed to be coming from Middle Eastern countries, including Kuwait. AV vendors were quick to recognize the worms characteristics and identify it as a version of Yaha, a worm that had first appeared around Valentines Day last year. But thats where the agreement ended and the confusion began.

Some vendors named the worm Yaha.J, while others tabbed it Yaha.K and still others had it as Yaha.L. For a day or two, it looked as if the vendors had abandoned their conventional naming scheme and gone off the tracks.

Viruses are named according to a system developed by CARO (Computer Antivirus Research Organization), which dictates the form and precise syntax of the names. For example, W32/Yaha@MM is the full name of the original Yaha worm. W32 denotes the Windows 32-bit platform; Yaha is the name (usually provided by the author somewhere in the source code); and MM identifies it as a mass-mailer.

It turns out, however, that in this case the vendors were seeing three different versions of the new Yaha variant, which is now being called Yaha.J. Each new version was packed—or compressed—differently, leading to confusion among both the vendors themselves and users.

"However, when the anti-virus vendors brought their initial virus signatures out for Yaha.J, not all products were able to detect all three variants. Some could detect one, others two; and a few, all three," said an explanation of the problem on the Web site of MessageLabs Ltd., a British MSP that tracks viruses. "This causes problems for end users, who check their vendor website to make sure they are protected against Yaha.J, but find it sailing through their defenses.

"When the author first released Yaha.J, there were at least three versions released, all packed slightly differently. It was apparent to our research team that these were probably new Yaha variants. However, it is technically time-consuming to prove that these all originated from the same unpacked source, and since time is of the essence when new malware is discovered, we therefore assigned them the next three available variant letters, J, K and L. Later on, it became highly likely that these all originated from the same unpacked source, and therefore we fell in line with the other anti-virus vendors, and renamed these all to Yaha.J."