Full description

Virus:	Worm/Sohanat.AX
Date discovered:	14/02/2007
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	185.542 Bytes
MD5 checksum:	019491172aa082ca33a76793a651a09a
VDF version:	6.37.01.105
IVDF version:	6.37.01.106 - Friday, February 16, 2007

General Method of propagation:
   • Messenger

Aliases:
   • F-Secure: IM-Worm.Win32.Sohanad.u
   • Sophos: W32/Sohana-K
   • Grisoft: Autoit.Y
   • Eset: Win32/Sohanad.U

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Downloads a malicious file
   • Drops a malicious file
   • Registry modification

Files It tries to download a file:

– The location is the following:
• http://64.26.25.75/**********
It is saved on the local hard drive under: %WINDIR%\svchost.exe Furthermore this file gets executed after it was fully downloaded. Further investigation pointed out that this file is malware, too. Detected as: Worm/VB.CK.9

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "SVCHOST"="%WINDIR%\svchost.exe"
   • "Task Manager"="%WINDIR%\svhost32.exe"

The following registry keys are added:

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • "DisableConfig"="1"

– [HKCU\Software\Google\GoogleToolbarNotifier]
   • "KeepDS"=dword:00000000
   • "ShowTrayIcon"=dword:00000000

– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
   • "content url"="http://zinblog.com"

– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
   • "content url"="http://zinblog.com"

– [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   • "Homepage"=dword:00000001

The following registry keys are changed:

Internet Explorer's start page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Start Page"="http://zinblog.com"

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   New value:
   • "Search Bar"="http://zinblog.com"
   • "Use Search Asst"="no"
   • "Search Page"="http://zinblog.com"

– [HKCU\Software\Microsoft\Internet Explorer\SearchUrl]
   New value:
   • "(Default)"="http://zinblog.com"

– [HKCU\Software\Microsoft\Search Assistant]
   New value:
   • "DefaultSearchURL"="http://zinblog.com"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoRun"=dword:00000001

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • "DisableRegistryTools"=dword:00000001
   • "DisableTaskMgr"=dword:00000001

Messenger – Yahoo Messenger
All entries in the contact list.

Message
The sent message looks like one of the following:

   • This is my one-off Xmas e-card for you ^_^ http://zinblog.com/?id=ecard =)) This message was certified by %yahoo user%

   • making money online never be easier : http://unitedreporters.org/?id=tips >:D< This message was certified by %yahoo user%, no worm

   • Vote for our Miss beauty today !!! http://unitedreporters.org/?id=miss_world :x:x:x:x:x This message was certified by %yahoo user%, no worm

   • DIY dynamite from Whisky, Coke and Mentos : http://zinblog.com/?id=dynamite << This message was certified by %yahoo user%, no worm

   • Fuck !!! X-( http://zinblog.com/?id=password << This message was certified by %yahoo user%, no worm

   • I made 10 gifts for the first 10 people post comments on my own page : http://lucyblog.com ^_^

   • Be careful. There’ll be earthquake tonight !!! http://unitedreporters.org/?id=warning << This message was certified by %yahoo user%, no worm

   • My new personal website : http://zinblog.com c0ol !!!

   • Microsoft to release 2007 free-of-charge packs of Winsdows Vista for its first 2007 online registered users: http://unitedreporters.org/?id=ms << This message was certified by %yahoo user%, no worm

   • wtf is this ? wanna give me a shit ? http://unitedreporters.org/?id=news X-(

   • Breaking news : Osama Bin Laden has been arrested !! http://unitedreporters.org/?news_id=18388 This message was certified by %yahoo user%, no worm

   • Yahoo to charge fee for its YM service http://zinblog.com/?id=ym This message was certified by %yahoo user%, no worm

   • OMG ! She is really beautiful :x http://zinblog.com/DSC00273.JPG This message was certified by %yahoo user%, no worm

The URL then refers to a copy of the described malware. If the user downloads and executes this file the infection process will start again.

The received messages may look like the following:

File details Programming language:
The malware program was written in MS Visual C++.
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

Description inserted by Ernest Szocs on Thursday, February 15, 2007
Description updated by Ernest Szocs on Monday, February 19, 2007

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools