Salam alaikum people !
I wanted to share my encounter with yaha, The virus, with all of you but I was just too busy. OK .... so lets start.
All this happened when I was working temporarily for a company. I did secretarial work for the Quality Assurance Manager and give them a visit every six months or so when their Audit is due. Basically what I do is to make sure that all the six departments within the company comply with the ISO 9001 Standard. This time (18-01-03) that I went there ... I noticed that the PC that I use in the office was considerably slow, and I faced frequent hang-ups. The PC I was using was a P4 1.7Ghz with a 40 GB HDD and 256 MB RAM operating on Win98 FIRST EDITION (Yeh I know ... First Edition sucks).
Anywayz ... getting back to the point ... Being a 'wannabe Techie' I felt curious why the computer was soo slow ... I checked the task Manager and saw a big list of programs running in the background. Most of these programs were all useless and had wierd but logical names. Why logical, I will explain later in this post.
So I started my investigations. (ok now, I know that this was not part of my job so I only did this when I did not have work and the good thing is that my boss, cool headed dude aged 32 or so, understands my love for computers and hunger for tech talk so he does not mind me doing all this). My investigation, as I was saying ... The programs that were running in the background were Dresth, Winservices, Tcpsrv32 and more that I don't remember at the moment. So I started off with the Norton Antivirus CD, the bootable one. NAV would not work in Windows cause the virus had disabled it. I got the NAV CD from one of the employees and booted the computer with it. As soon as I booted from the NAV CD, a virus was found .. and another and another ... it kept going on. It had found a virus called W32.Funlove.4099 something. I thought that it would take about an hour or so but it kpet going on and on. I showed this to my boss and he was simply amazed to learn that the PC had a virus. The scanning process went on and on and I had to wait till it got over ... but I didn't finish that day. The scanning process started at around 11:30 and went on till 5:00 in the evening. I had to leave for the day and wait till the next day. When I came back to the office the next day everything had settled down. I restarted the computer and still found the program winservices and tcpsrv32 running. Now .. at first I thought that this was a legitimate process running under windows (because of its name) but then I had never heard of, or seen such a process when I had Win98.
Hence I searched for it on the Internet and to my amazement I found that this was a virus. A search on the net revealed to me that the name of the virus was Yaha and runs under windows under two names Winservices and Tcpsv32. The quest was to find a program to clean the cuprits.
I was lucky to find a program to clean the Yaha virus and its variants. The program that I found was developed by the Computer Emergency Response Team (CERT) and was called 'Stinger'. I reached home the same day and download the program from home as I did not want to use the Office computer. Now, I was even more curious. I desperately waited for the moment to use the program and see how it works, how it cleaned the virus. Finally I reached the office the next morning and got to use Stinger. It was pretty small, small enough to fit into a floppy and that's how I got it to the office. Khair ... I copied the program and it started cleaning the virus. I finally got rid of those culprits (I think) and the PC was abit faster now.
I also found another mysterious program 'MSREXE.exe' that was running in the background. I searched the HDD for the program and found it in the Windows directory. It was definitely one of those program under which yaha was running so I searched the new for this one as well. I found a site which stated the procedure to clean this program (a virus actually) It was a manual procedure which was as follows:
I had to locate the system.ini file and lok for the line which said "run shell = explorer.exe". This was the second line in the file.
I had to delete the line after 'explorer.exe' which was actually the name of the virus.
The line actually said - run shell=explorer.exe, MSREXE.exe
Now, when I previously tried to delete this program I got a message that said that this program is being used by windows and cannot be deleted. Now I knew why it said so because MSREXE was executed as soon as windows started. Therefore the program could not be deleted.
I had to follow the same procedure for the 'Win.ini' file and I deleted the line which executed this program.
This was one really exciting moment for me cause I had never know that viruses list themselves in such way ... in the system.ini and win.ini file. It was something new for me.\ and so was my encounter with W32.FunLove.4099 and Yaha. One amazing experience for me. I hope you've learned 'something' if not 'alot' from this post of mine.
Thank you for your patience ...
Allah-hafiz
P.S: The blame for frequent hang-ups could also be put on Win98 First Edition.
I wanted to share my encounter with yaha, The virus, with all of you but I was just too busy. OK .... so lets start.
All this happened when I was working temporarily for a company. I did secretarial work for the Quality Assurance Manager and give them a visit every six months or so when their Audit is due. Basically what I do is to make sure that all the six departments within the company comply with the ISO 9001 Standard. This time (18-01-03) that I went there ... I noticed that the PC that I use in the office was considerably slow, and I faced frequent hang-ups. The PC I was using was a P4 1.7Ghz with a 40 GB HDD and 256 MB RAM operating on Win98 FIRST EDITION (Yeh I know ... First Edition sucks).
Anywayz ... getting back to the point ... Being a 'wannabe Techie' I felt curious why the computer was soo slow ... I checked the task Manager and saw a big list of programs running in the background. Most of these programs were all useless and had wierd but logical names. Why logical, I will explain later in this post.
So I started my investigations. (ok now, I know that this was not part of my job so I only did this when I did not have work and the good thing is that my boss, cool headed dude aged 32 or so, understands my love for computers and hunger for tech talk so he does not mind me doing all this). My investigation, as I was saying ... The programs that were running in the background were Dresth, Winservices, Tcpsrv32 and more that I don't remember at the moment. So I started off with the Norton Antivirus CD, the bootable one. NAV would not work in Windows cause the virus had disabled it. I got the NAV CD from one of the employees and booted the computer with it. As soon as I booted from the NAV CD, a virus was found .. and another and another ... it kept going on. It had found a virus called W32.Funlove.4099 something. I thought that it would take about an hour or so but it kpet going on and on. I showed this to my boss and he was simply amazed to learn that the PC had a virus. The scanning process went on and on and I had to wait till it got over ... but I didn't finish that day. The scanning process started at around 11:30 and went on till 5:00 in the evening. I had to leave for the day and wait till the next day. When I came back to the office the next day everything had settled down. I restarted the computer and still found the program winservices and tcpsrv32 running. Now .. at first I thought that this was a legitimate process running under windows (because of its name) but then I had never heard of, or seen such a process when I had Win98.
Hence I searched for it on the Internet and to my amazement I found that this was a virus. A search on the net revealed to me that the name of the virus was Yaha and runs under windows under two names Winservices and Tcpsv32. The quest was to find a program to clean the cuprits.
I was lucky to find a program to clean the Yaha virus and its variants. The program that I found was developed by the Computer Emergency Response Team (CERT) and was called 'Stinger'. I reached home the same day and download the program from home as I did not want to use the Office computer. Now, I was even more curious. I desperately waited for the moment to use the program and see how it works, how it cleaned the virus. Finally I reached the office the next morning and got to use Stinger. It was pretty small, small enough to fit into a floppy and that's how I got it to the office. Khair ... I copied the program and it started cleaning the virus. I finally got rid of those culprits (I think) and the PC was abit faster now.
I also found another mysterious program 'MSREXE.exe' that was running in the background. I searched the HDD for the program and found it in the Windows directory. It was definitely one of those program under which yaha was running so I searched the new for this one as well. I found a site which stated the procedure to clean this program (a virus actually) It was a manual procedure which was as follows:
I had to locate the system.ini file and lok for the line which said "run shell = explorer.exe". This was the second line in the file.
I had to delete the line after 'explorer.exe' which was actually the name of the virus.
The line actually said - run shell=explorer.exe, MSREXE.exe
Now, when I previously tried to delete this program I got a message that said that this program is being used by windows and cannot be deleted. Now I knew why it said so because MSREXE was executed as soon as windows started. Therefore the program could not be deleted.
I had to follow the same procedure for the 'Win.ini' file and I deleted the line which executed this program.
This was one really exciting moment for me cause I had never know that viruses list themselves in such way ... in the system.ini and win.ini file. It was something new for me.\ and so was my encounter with W32.FunLove.4099 and Yaha. One amazing experience for me. I hope you've learned 'something' if not 'alot' from this post of mine.
Thank you for your patience ...
Allah-hafiz
P.S: The blame for frequent hang-ups could also be put on Win98 First Edition.