Home page logo

educause logo Educause Security Discussion mailing list archives

Re: "Yay" Malware
From: Scott Fendley <scottf () UARK EDU>
Date: Thu, 11 Jan 2007 22:58:27 -0600

Heya Tim et al,

Thankfully we have not seen it on our campus as of yet.  However, I
do know from communication with the Internet Storm Center that a
sample has been sent to all of the major antivirus venders earlier in
the day.  I would expect that definitions will be out for the initial
variation of this malware soon.

After determining the attack vector/infection technique,  I would
typically reinstall or reimage the computer.  I may be a little
paranoid, but I really don't like not knowing positively what the
state of security really is after a compromise of this nature.

It would be great if any determination could be made as to what the
infection vector might have been.  Email, IM, website
download?   From the reports I have seen it seems the file that
appears to be part of the 1st stage infection is C:\WINDOWS\SYSTEM32\usb.exe.

Hopefully I will have more details in the morning that I can share.


At 07:25 PM 1/11/2007, Tim Lane wrote:
Hi All,

has anyone seen (for want of a better term) the Yay Malware.  We
are seeing a small window with the word "yay" in it appear on the
desktop with a lot of outgoing traffic.  A search on Google cites
quite a few people seeing this in the last 24 hours but no resolution.

We have tried to remove it with:

Symantec AV
Spybot S&D

Seems like it may be very new and the AV vendors have not caught on yet....

If anyone has seen it and mitigated it I would be interested to hear.



Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480

(02 6620 3290   7             02 6620 3033   - tlane () scu edu au
8 <http://www.scu.edu.au>http://www.scu.edu.au

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]