Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: "Yay" Malware
From: David Gillett <gillettdavid () FHDA EDU>
Date: Fri, 12 Jan 2007 09:16:29 -0800

  It would also be useful to have some characterization of the
"lot of outgoing traffic" associated with this, so that we know
what to look for.

David Gillett


-----Original Message-----
From: Scott Fendley [mailto:scottf () UARK EDU]
Sent: Thursday, January 11, 2007 8:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "Yay" Malware

Heya Tim et al,

Thankfully we have not seen it on our campus as of yet.
However, I do know from communication with the Internet Storm
Center that a sample has been sent to all of the major
antivirus venders earlier in the day.  I would expect that
definitions will be out for the initial variation of this
malware soon.

After determining the attack vector/infection technique,  I
would typically reinstall or reimage the computer.  I may be
a little paranoid, but I really don't like not knowing
positively what the state of security really is after a
compromise of this nature.


It would be great if any determination could be made as to
what the infection vector might have been.  Email, IM, website
download?   From the reports I have seen it seems the file that
appears to be part of the 1st stage infection is
C:\WINDOWS\SYSTEM32\usb.exe.

Hopefully I will have more details in the morning that I can share.

Scott

At 07:25 PM 1/11/2007, Tim Lane wrote:
Hi All,

has anyone seen (for want of a better term) the Yay
Malware.  We are
seeing a small window with the word "yay" in it appear on
the desktop
with a lot of outgoing traffic.  A search on Google cites
quite a few
people seeing this in the last 24 hours but no resolution.

We have tried to remove it with:

Symantec AV
Adaware
Spybot S&D
Defender
XoftSpySE
MSRT

Seems like it may be very new and the AV vendors have not
caught on yet....

If anyone has seen it and mitigated it I would be
interested to hear.

Thanks,

Tim


Tim Lane
Information Security Program Manager

Information Technology and Telecommunication Services Southern Cross
University PO Box 157 Lismore NSW 2480

(02 6620 3290   7             02 6620 3033   - tlane () scu edu au
8 <http://www.scu.edu.au>http://www.scu.edu.au


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]