Yaha virus lingers into the New Year

A new variant of the Yaha computer virus which emerged Dec. 21 and was detected on thousands of PCs over the holiday season appears to be making a gradual retreat but is still ranked as a “medium risk” by security software vendors.

Security vendor MessageLabs Ltd., which calls the new variant W32/Yaha.K, said the rate of spread has been declining steadily since Monday when the company intercepted more than 8,000 copies of the virus. By Wednesday that figure had declined to 6,500 and it stood at just over 2,000 on Thursday afternoon in Europe.

Altogether more than 34,000 copies of the virus had been detected by the Gloucester, U.K.-based company. MessageLabs originally identified the virus as an existing variant, called Yaha.M, but has since determined that a new variant is making the rounds.

According to MessageLabs, the origin of the virus was Kuwait and computers in 100 countries have been affected by it, especially in the Netherlands, the U.K., Canada, Egypt, United Arab Emirates, Saudi Arabia and Australia.

Symantec Corp., which is calling the worm W32.Yaha.L@mm, rates the virus’ threat assessment as low, the damage assessment as medium and the distribution of Yaha as high, according to information on its Web site.

McAfee.com Corp. and parent company Network Associates Inc. rated W32/Yaha.k as “medium risk” to both home and corporate users.

Helsinki’s F-Secure Corp. gave the Yaha.K virus a level 2 alert on its scale of three levels, meaning the virus was causing widespread infection. It said the virus carries aliases including Yaha.M, W32/Lentin.H@mm, I-Worm.Lentin.h and Yaha.K!e2a2.

The worm affects mainly systems running Microsoft Corp.’s Windows operating system and appears as an e-mail attachment in the form of a .exe or .scr file. Infected emails carry a wide variety of subject headings and messages. The virus contains its own e-mail client to mail itself out, forging the “from” address. It attempts to close down a number of firewalls and antivirus programs, according to MessageLabs.