Educause Security Discussion
mailing list archives
Re: "Yay" Malware
From: David Gillett <gillettdavid () FHDA EDU>
Date: Fri, 12 Jan 2007 09:16:29 -0800

It would also be useful to have some characterization of the
"lot of outgoing traffic" associated with this, so that we know
what to look for.

From: Scott Fendley [mailto:scottf () UARK EDU]
Sent: Thursday, January 11, 2007 8:58 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] "Yay" Malware

Heya Tim et al,
Thankfully we have not seen it on our campus as of yet.
However, I do know from communication with the Internet Storm
Center that a sample has been sent to all of the major
antivirus vendors earlier in the day. I would expect that
definitions will be out for the initial variation of this
After determining the attack vector/infection technique, I
would typically reinstall or reimage the computer. I may be
a little paranoid, but I really don't like not knowing
positively what the state of security really is after a
compromise of this nature.
It would be great if any determination could be made as to
what the infection vector might have been. Email, IM, website
download? From the reports I have seen it seems the file that
appears to be part of the 1st stage infection is
Hopefully I will have more details in the morning that I can share.

At 07:25 PM 1/11/2007, Tim Lane wrote:
Has anyone seen (for want of a better term) the Yay Malware? We are
seeing a small window with the word "yay" in it appear on
with a lot of outgoing traffic. A search on Google cites quite a few
people seeing this in the last 24 hours but no resolution.
We have tried to remove it with:
Seems like it may be very new and the AV vendors have not
caught on yet....
If anyone has seen it and mitigated it I would be
interested to hear.
Information Security Program Manager
Information Technology and Telecommunication Services
Southern Cross University
PO Box 157 Lismore NSW 2480
(02 6620 3290 7 02 6620 3033 - tlane () scu edu au