Email virus poised to strike

New variants of the Yaha worm are making it an unpleasant new year for some IT managers, but only a few antivirus software vendors are worried.

First identified on 21 December, the worm has spread slowly due to the lack of business computer use. But it could start to proliferate on Monday.

Yaha arrives as a double attachment with a .exe or .scr suffix. The worm has its own SMTP engine and distributes itself to all addresses in Windows Address Book, MSN Messenger and .Net and Yahoo Messenger software.

The virus sends emails with fake headers and has a large variety of subject headings. Only Windows machines are affected.

A secondary payload attempts to use the infected computer to launch a denial of service attack against a Pakistani government domain, infopak.gov.pk.

The fast initial infection rate sent the worm straight to number four in MessageLabs' December infection survey, and Symantec upgraded the worm's alert status on 30 December.

However, other companies are less worried.

Graham Cluley, antivirus specialist at Sophos, said: "We've only had a few dozen calls about it.

"We've had a cure since before Christmas, which has certainly helped, and there's a removal utility for anyone on our website.

"It's not going to be on the same scale as Bugbear. One of the main reasons for the slow spread could also be the increasing number of businesses which are blocking these kind of emails en masse. But some may slip through."

The Yaha types causing the most trouble are the 'K' and 'E' variants. The original virus was first detected in March.