Home page logo

educause logo Educause Security Discussion mailing list archives

Re: "Yay" Malware
From: "Parker, Ron" <Ron.Parker () BRAZOSPORT EDU>
Date: Fri, 12 Jan 2007 08:16:04 -0600

In cases where we've tried to repair the damage, without having a
removal tool available, I've seen some of my staff spend multiple days
trying to clean things up. As you know, then you never know for sure
that you've gotten it. I would guestimate that it has cost us several
hundred dollars in staff time per computer to try to clean up something.
We would only do that in very rare cases any more. These days, we
re-image with gusto. 

Ron Parker, Director of Information Technology, Brazosport College


-----Original Message-----
From: RL Vaughn [mailto:Randy_Vaughn () BAYLOR EDU] 
Sent: Friday, January 12, 2007 7:49 AM
Subject: Re: [SECURITY] "Yay" Malware

Indeed the file, C:\WINDOWS\SYSTEM32\usb.exe, has been pinned 
as the culprit.
Reports are it overwrites binaries critical to IM, tray 
applications, and, apparently, the binaries of processes 
active at the time of infection including some AV.  The 
binary is UPX packed.  The infection vector has not yet been 
determined to my knowledge.

Scott's reinstall or reimage option suggestion seems 
realistic rather than paranoid.  On that point, and other 
previous postings, does anyone have a ballpark guesstimate of 
how much it costs to repair a single machine after such an infection?

Scott Fendley wrote:
Heya Tim et al,

Thankfully we have not seen it on our campus as of yet.  
However, I do 
know from communication with the Internet Storm Center that 
a sample 
has been sent to all of the major antivirus venders earlier in the 
day.  I would expect that definitions will be out for the initial 
variation of this malware soon.

After determining the attack vector/infection technique,  I would 
typically reinstall or reimage the computer.  I may be a little 
paranoid, but I really don't like not knowing positively what the 
state of security really is after a compromise of this nature.

It would be great if any determination could be made as to what the
infection vector might have been.  Email, IM, website 
download?   From
the reports I have seen it seems the file that appears to 
be part of 
the 1st stage infection is C:\WINDOWS\SYSTEM32\usb.exe.

Hopefully I will have more details in the morning that I can share.


At 07:25 PM 1/11/2007, Tim Lane wrote:
Hi All,

has anyone seen (for want of a better term) the Yay 
Malware.  We are 
seeing a small window with the word "yay" in it appear on the 
desktop with a lot of outgoing traffic.  A search on Google cites 
quite a few people seeing this in the last 24 hours but 
no resolution.

We have tried to remove it with:

Symantec AV
Spybot S&D

Seems like it may be very new and the AV vendors have not 
caught on 

If anyone has seen it and mitigated it I would be 
interested to hear.



Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services 
Southern Cross 
University PO Box 157 Lismore NSW 2480

(02 6620 3290   7             02 6620 3033   - tlane () scu edu au
8 <http://www.scu.edu.au>http://www.scu.edu.au

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]