Valentine's Day Malware


During holidaysmalicious activity increases because the attackers are usually more successful in deceiving users and taking advantage. Valentine's Day is one of the best examples of this; which is why the malware analysis team of UNAM-CERT decided to publish a report about a sample that, although it’s not recent, illustrates very well the dangers of falling into the frauds of the creators of malicious code.


The Yaha worm, also known as Lentin, was particularly infectious for Windows users during the years 2002 and 2003. It propagated via email with the subject “Melt the Heart of your Valentine with this beautiful Screen saver” which contained the attachment “Valentin.scr”.



After downloading the alleged screensaver, the user could see a desktop shortcut similar to the one on the image below. The file referenced the website and, after displaying its properties, a version number, a description and a copyright could be seen.

The file was obtained with the “exe” extension, which was replaced by the “scr” extension to have a similar file to the one that was downloaded from the email. Once it was executed, several messages of different colors, with Valentine’s Day related phrases appeared throughout the screen: first one message, then the screen trembled and finally the phrase changed. This animation continued until the user pressed a key or moved the mouse. The messages that were displayed on the screen were these:

-          Ur so cute today #!#!

-          Ur My Best Friend#!#!

-          I like U very much‼!

-          True love never ends

Even though this effect may seem… cute, the malware carried out other actions that were certainly not nice while the user watched the animation. Following are the details obtained from one of the variants of the Yaha/Lentin family.

Before executing the sample again to analyze it dynamically, a static analysis was performed to obtain more information.



Static Analysis


First, we opened the file with a hexadecimal editor; as it was expected, at the beginning the file contained the magic number of the executables for MS-DOS environments, 4D 5A, which in ASCII is equivalent to “MZ”. Further down, the header of the Portable Executables “PE” could be seen.



After scrolling down a little there’s a curious detail: the malware writer managed to make a reversed heart appear in hex, as shown on the image below.


The following strings, which we had seen before on the file’s properties, were obtained after analyzing the file with BinText. As mentioned before, it is likely that the malware writer was trying to make the sample appeared as legitimate screensaver by adding information such as “LegalCopyright” and “LegalTrademarks”.


The next step was to discover whether the sample was packed or not. For this, we used a tool called RDG Packer Detector. It detected that the worm was compressed and protected with UPX.


However, when we tried to unpack it with the UPX executable, the following error appeared:


It was not possible to unpack the sample automatically, so we proceeded to do it manually. We opened the sample in OllyDbg and the first instruction found was PUSHAD (that sends the content of the general purpose registries to the stack in this order:EAX, ECX, EDX, EBX, EBP, ESP, ESI y EDI). It is common to find this instruction on the executables packed with UPX. We scrolled down until the POPAD instruction was found. The instructions between PUSHAD and POPAD contain the decompression routine of UPX and after that we get to the first instruction of the original sample, in other words, the program without packer.


We put a breakpoint and let the execution continue until it reached that point. After which we pressed F8 twice and, once the decompression routine was finished, we got to the Original Entry Point (OEP) of Yaha.


At this point we could do a memory dump to create an executable without packer; however, packers tend to destroy or modify the table that contains the addresses of the functions called from the system. For this reason, it was necessary to reconstruct this table, called Import Address Table (IAT). This can be done using the ImportREConstructor tool and assigning the OEP address, the reconstruction is usually done by the tool without asking additional information from the analyst.


We clicked on the “IAT Autosearch” botton and, after getting the message about an address that may be in the original IAT, we clicked on the “Get Imports” button. Lastly, we clicked on “Fix Dump”, selected the file that Olly created after dumping the memory and we clicked on “Open”.


ImpRec created a third file which already includes the repaired IAT.

We opened malwaredump_.exe with the free version of IDA Pro and started analyzing the graph, among the system calls we found some references to emails, such as: the subject of the email, the message that it contained, the send date and functions such as recv, send, getservbyname. According to Microsoft's documentation, recv y send are used to receive and send data through sockets. And the getservbyname recovers the information of the service that corresponds to the name value, which in this case was “mail”.


We also discovered what seems to be the real name of the file: “friendship.scr”.


And references to the Hotmail and Yahoo mail services.


Lastly, we wrote the URL of the sample on a browser to know whether the site was active or not and, contrary to what we expected given the fact that the sample is old, the website was active but didn’t seem to contain anything relevant.

The online service was used to know if the website was in a blacklist. According to the results obtained at the time of the analysis, the site was not malicious.



Dynamic Analysis

When executing the sample with the “exe” extension instead of “scr”, associated to screen savers, a message like the one shown on the image below was obtained.


Using Process Explorer we discovered that after executing the worm, a process called fwur.exe was also started and its description also mentioned it was a screen saver.


Furthermore, when we attempted to open another program, except taskmgr.exe, the error message displayed again, saying the screen saver had failed and thus had to close.



 The process drwtsn32.exe that started shortly after fwur.exe is an error debugger for Windows XP called Dr. Watson, as its description mentions. It collects information of the computer when the execution of a program produces an error, as it happened with the fake screen saver.


Thanks to the report generated by the RegShot tool, we found out that the sample created three files: an executable (.exe), a dynamic link library (.dll) and a text file (.txt).

Windows XP, through Dr. Watson, creates “.dmp” files after a program or the operating system has collapsed; these files are usually the dump of the RAM memory at the time the error occurred. Dr. Watson also created a log with system information about what causing the problems with the screen saver.

As it was mentioned, amongst the files created by the malware there’s a text file, its content is shown below:


The file  fwur.txt contains line indicating it was the D variant of the Yaha malware family, the author of the sample and what seems to be his country.

After rebooting the system we observe the error message of the fake screen saver.


Using the Autoruns tool we observed that the two registry keys created by the Yaha referenced the file fwur.exe started by the worm.


It was located on the path C:\RECYCLER as a hidden file.


The name of this file is generated randomly on every execution.


To know if it was a unique executable or a copy of the malware analyzed, we got the hashes of both the original sample and the created file. As shown on the image below, both files are identical.


To know if it was a unique executable or a copy of the malware analyzed, we got the hashes of both the original sample and the created file. As shown on the image below, both files are identical.


More information about the Yaha worm can be obtained from the following websites:

Are You Ready For a Summer Valentine?