Win32:Yaha-E

Win32:Yaha-E is an Internet worm which spreads via email. When the worm is first run it will imitate a screen saver by repeatedly displaying the following messages on the screen in various colours:
U r so cute today "!"!
True Love never ends
I like U very much!!!
U r My Best Friend
The worm creates a copy of itself in the Recycle folder. It also adds the following registry key in order to execute itself each time a program with an EXE extension is run:
HKLM\Software\CLASSES\exefile\shell\open\command: default

Two additional files with random names are created in the Windows folder. One has a DLL extension and contains a list of email addresses found on the infected computer. The second file has a TXT extension and contains the text "iNDian sNakes pResents yAha.E".

The worm tries to disable security and antivirus software by terminating many processes; for example, it disables ZoneAlarm, AVP, McAfee, Norton, F-Prot, PC-cillin and several others.

The email sent by the worm is highly variable. The subject line of the email is created using a combination of words and phrases from the following list:

"searching for true Love" " you care ur friend" "Who is ur Best Friend" "make ur friend happy" "True Love" "Dont wait for long time" "Free Screen saver" "Friendship Screen saver" "Looking for Friendship" "Need a friend?" "Find a good friend" "Best Friends" "I am For u" "Life for enjoyment" "Nothink to worryy" "Ur My Best Friend" "Say 'I Like You' To ur friend" "Easy Way to revel ur love" "Wowwwwwwwwwww check it" "Send This to everybody u like" "Enjoy Romantic life" "Let's Dance and forget pains" "war Againest Loneliness" "How sweet this Screen saver" "Let's Laugh" "One Way to Love" "Learn How To Love" "Are you looking for Love" "love speaks from the heart" "Enjoy friendship" "Shake it baby" "Shake ur friends" "One Hackers Love" "Origin of Friendship" "The world of lovers" "The world of Friendship" "Check ur friends Circle" "Friendship" "how are you" "U r the person?" "Hi" "U realy Want this" "Romantic" "humour" "New" "Wonderfool" "excite" "Cool" "charming" "Idiot" "Nice" "Bullshit" "One" "Funny" "Great" "LoveGangs" "Shaking" "powful" "Joke" "Interesting" "Interesting" "Screensaver" "Friendship" "Love" "relations" "stuff" "to ur friends" "to ur lovers" "for you" "to see" "to check" "to watch" "to enjoy" "to share"

The message text contains:
"Hi Check the Attachment .. See u"
or
"Attached one Gift for u.."
or
"wOW CHECK THIS"
and some additional text which looks like a forwarded email. The message will always contain the text:

This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

The attached file has two extensions; the last one, which determines how the file is run, is pif, bat or scr. The filename could be one of:
screensaver screensaver4u screensaver4u screensaverforu freescreensaver love lovers lovescr loverscreensaver loversgang loveshore love4u lovers enjoylove sharelove shareit checkfriends urfriend friendscircle friendship friends friendscr friends friends4u friendship4u friendshipbird friendshipforu friendsworld werfriends passion bullshitscr shakeit shakescr shakinglove shakingfriendship passionup rishtha
greetings lovegreetings friendsgreetings friendsearch lovefinder truefriends truelovers fucker loveletter resume biodata dailyreport mountan goldfish weeklyreport report love
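
A mail-gateway check for the attachment pattern described above, as an added example that is not part of the original description or any vendor's code. The function names and the sample message are constructed for illustration, and the first extension ("txt") in the sample is an assumption, since the description does not list it.

```python
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Final extensions the description gives for the attachment.
FINAL_EXTS = {".pif", ".bat", ".scr"}
# Line the description says is always present in the message body.
FIXED_LINE = "enjoy this friendship screen saver and check ur friends circle"


def double_ext_attachments(msg):
    """Names of attachments with two or more extensions ending in pif/bat/scr."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so drop them before parsing.
        suffixes = PureWindowsPath(name.rstrip(" .")).suffixes
        if len(suffixes) >= 2 and suffixes[-1].lower() in FINAL_EXTS:
            hits.append(name)
    return hits


def has_fixed_line(msg):
    """True if the plain-text body has the fixed line, ignoring wrapping and case."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return FIXED_LINE in " ".join(text.split()).lower()


def triage(msg):
    """Quarantine on the attachment pattern; the fixed line is corroboration only."""
    hits = double_ext_attachments(msg)
    return {"attachments": hits, "fixed_line": has_fixed_line(msg),
            "quarantine": bool(hits)}


def make_sample(filename, body="Hi Check the Attachment .. See u\n"):
    """Constructed test message; the attachment payload is inert placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Friendship Screen saver"
    msg.set_content(body)
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    print(triage(make_sample("friendship.txt.scr")))
```

The check keys on the extension pattern rather than the subject or filename lists, because the description notes that the email is highly variable.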

The worm uses its own SMTP routine and uses the user's SMTP server or one from a list contained within the worm itself.

Any avast! with a VPS file dated on or after 20th June 2002 is able to detect this worm.

Refer: Avast


