WASHINGTON, Jan. 2 (UPI) — The India-Pakistan conflict has entered
the cyber realm as hackers across the subcontinent have infected
hundreds of thousands of computers in more than 100 countries on New
Year’s Day and the virus is spreading.
South Asia’s two nuclear rivals have been fighting each other since
their independence from Britain in 1947. They have fought wars in the
air, on the ground and in the sea. When the Internet arrived, it
quickly became yet another arena of conflict.
Last summer, when a terrorist attack on the Indian parliament brought
more than a million troops to the border, Pakistani hackers attacked
the official site of the Indian defense ministry. They inserted
messages proclaiming independence for the Kashmir region, a Himalayan
valley under dispute between India and Pakistan for 55 years.
This was not the first hacking bout between the two rivals, however.
Both sides had engaged in this behavior previously.
The latest virus attack has arrived with a warning for the Pakistani
hackers: “Your days are over, now it is our turn to show that ‘My
India is great’ (‘Bharat mahan hai,’ in Hindi).”
The message continues: “Want peace and prosperity in India? Then
(trash) corrupted politicians.” It also warns politicians: “Talent and
hard work should be respected. Self-styled (expletive) must be
eliminated. No more (expletive) monopoly.”
The message includes an e-mail address — qphhackmail.com — and a
mailing address in New Delhi.
Infected computers are automatically directed to an official Web site
of the Pakistan government. Its virulent spread has enabled thousands
of machines with the code to conduct a distributed denial-of-service
attack aimed at the homepage of the Islamic Republic of Pakistan at
On Tuesday, the virus forced one Pakistani official site,
infopak.gov.pk, to suspend service.
An earlier message also challenged G-Force, a group of Pakistani
hackers, to match the “intelligence and expertise” of the Indian
The G-Force hackers, who reportedly operate from Lahore, Pakistan, had
claimed responsibility for attacking the official site of the Indian
defense ministry in the summer.
“Come & work with us” against “the G-Force-Pak shiites,” the message
urged Indian hackers.
Also earlier this week, e-mail management firm MessageLabs gave the
new virus, dubbed W32/Yaha.M, the No. 2 spot on the list of the most
virulent computer viruses.
The first copy of the virus was detected June 15 in an e-mail from
Kuwait. Most copies now being stopped are coming from Egypt, Saudi
Arabia and the United Kingdom.
The e-mail messages, which are about 45-47 kilobytes in length, try to
lure the receiver to download “sexy screensavers.” Some messages offer
“love partners” and chatting “opportunities” with members of the
“Enjoy this friendship Screen Saver and Check your friends circle,”
the message says. “Send this screensaver to everyone you consider a
FRIEND, even if it means sending it back to the person who sent it to
you. If it comes back to you, then you’ll know you have a circle of
friends,” it advises.
Most of the senders have South Asian names. The early senders had
female names such as Savera, Madhuri and Rekha that seem to have been
borrowed from India’s Bollywood movies.
South Asian names still dominate but now the senders have both Muslim
and Hindu names and some IP addresses can be traced to both sides of
the India, Pakistan border.
When a receiver opens an infected file, the virus quickly spreads
through the system. A distributed denial-of-service attack floods a
Web site with user requests, overwhelming the server and locking out
It enters Internet explorer and installs itself as the default
homepage with addresses that lead to either hirosh.tk or hackers.com
but it does not seem affect Netscape.
Every time users click Internet Explorer, they are automatically led
to one of the two sites. The default action can be suspended
temporarily by going to the security setting and placing the two
addresses in the restricted sites.
Because a hacked system does not allow access to Internet options, a
user can go there through pop-up ads that still appear in the Internet
Although the two addresses reappear as the default home page every
time a computer restarts, this temporary relief allows a user to
download antivirus software.
Yaha virus, which is also spelled Yahaa, is a mass mailer that sends
itself to all e-mail addresses in the computer’s Microsoft Windows
Address Book, MSN Messenger List, Yahoo! Pager list, and ICQ list. It
disables some anti-virus and firewall programs. All anti-virus
programs currently have up-to-date definitions to protect against Yaha
Those who use Norton Anti-Virus tools can download removal
instructions from sarc.com.
If the worm has run already, the user first must reverse the change it
effected. If the worm has not run:
— Configure Windows to show all files.
— Copy Regedit.exe to Regedit.com (in most cases).
— Edit the registry and reverse the change that the worm made.
— Update the virus definitions, run a full system scan, and delete
all files that NAV detects as W32.Yahaa.E.
Computer users without antivirus protection can go to bitdefender.com
for a free removal tool.
“Communications without intelligence is noise; Intelligence
without communications is irrelevant.” Gen Alfred. M. Gray, USMC
C4I.org – Computer Security, & Intelligence – http://www.c4i.org
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.