Y A H A T O O L
---------------

The YahaTool is a utility created by Kaspersky Labs to eliminate several
variants of the Yaha (also known as Lentin) worm and to restore files
and System Registry entries modified by the worm.

The disinfection procedure is as follows:

1. If you have F-Secure Anti-Virus installed, please disable its
   on-access scanner to prevent it from blocking YahaTool's access to
   infected files.

2. Unpack the YahaTool utility from the provided ZIP archive. A trial
   version of the WinZip archiver can be downloaded from here:

   http://www.winzip.com/ddchomea.htm

3. Run the YAHATOOL.COM file from a hard disk to eliminate the Yaha worm
   infection and to restore files and System Registry entries modified
   by the worm. You can run the utility either by double-clicking on it
   in Windows Explorer or by starting it from a command interpreter
   (COMMAND.COM or CMD.EXE): type its name at the command prompt and
   press 'Enter'.

4. Reboot the system. After the restart your system should be clean.

5. If you have F-Secure Anti-Virus installed, re-enable its on-access
   scanner and scan all hard drives to make sure that no infected files
   are left. You can get a trial version of F-Secure Anti-Virus and the
   latest updates for it from our website:

   http://www.europe.f-secure.com/download-purchase/
   http://www.europe.f-secure.com/download-purchase/updates.shtml

IMPORTANT NOTES
---------------

If a computer running Windows NT, 2000 or XP is being disinfected,
please log in as Administrator or as a user with local admin rights,
otherwise the YahaTool might not disinfect the system correctly.

If the Yaha infection is in a network environment, the network should be
temporarily taken down before all workstations and servers are
disinfected. A single infected workstation can re-infect already cleaned
computers.

If a computer is infected over a network, it might not yet have an
active Yaha worm infection in memory. In this case the YahaTool will not
start to scan all your hard disks when you run it; it will show a
'Nothing to clean' message. To make the tool scan all available hard
disks you have to run it with the '/scanfiles' (no quotes) command line
option. To do this, start a command interpreter (COMMAND.COM or CMD.EXE,
depending on your operating system), go to the directory where the
YahaTool is and type at the command prompt:

   yahatool /scanfiles

Then press 'Enter' to run the tool. Please note that if you have
F-Secure Anti-Virus installed on an infected system, you have to disable
its on-access scanner in order to allow the tool to remove Yaha
infections. After the tool completes scanning, turn the on-access
scanner back on.

If you have Windows ME or XP, we recommend disabling the System Restore
feature of these operating systems to prevent your computer from being
re-infected with the Yaha worm. System Restore might save the infected
file into a special folder and restore it every time it has been deleted
by YahaTool. The instructions on how to disable the System Restore
feature are here:

   Windows ME: http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
   Windows XP: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us at the
'samples@f-secure.com' address.