Virus:Worm/Sohanad.AE
Date discovered:22/02/2007
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Medium
Static file:Yes
File size:185.400 Bytes
MD5 checksum:cd497af9276785a01a96daf515c4f0a1
VDF version:6.37.01.140 - Thursday, February 22, 2007
IVDF version:6.37.01.140 - Thursday, February 22, 2007

 General Method of propagation:
   • Messenger


Aliases:
   •  F-Secure: IM-Worm.Win32.Sohanad.ae
   •  Eset: Win32/Sohanad.AE


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads files
   • Lowers security settings
   • Registry modification

 Files It tries to download some files:

– The location is the following:
   • http://st83.startlogic.com/**********/Gallery/albums/data/YMworm.exe
It is saved on the local hard drive under: %SYSDIR%\svchost.exe Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.

– The location is the following:
   • http://st83.startlogic.com/**********/Gallery/albums/data/worm2007.exe
It is saved on the local hard drive under: %SYSDIR%\svchost32.exe Furthermore this file gets executed after it was fully downloaded. At the time of writing this file was not online for further investigation.

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Yahoo Messenger = %SYSDIR%\svchost32.exe
   • Task Manager = %SYSDIR%\svchost.exe



The following registry keys are changed:

– [HKCU\Software\Yahoo\pager\View\YMSGR_Launchcast]
   Old value:
   • content url = %user defined settings%
   New value:
   • content url = http://quicknews.**********

– [HKCU\Software\Yahoo\pager\View\YMSGR_buzz]
   Old value:
   • content url = %user defined settings%
   New value:
   • content url = http://quicknews.**********

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • "DisableRegistryTools"=dword:00000001
   • "DisableTaskMgr"=dword:00000001

Internet Explorer's start page:
– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • Start Page = %user defined settings%
   New value:
   • Start Page = http://quicknews.**********

– [HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
   New value:
   • Homepage = dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • NoRun = dword:00000001

 Messenger It is spreading via Messenger. The characteristics are described below:

– Yahoo Messenger


To:
All entries in the contact list.


Message
The sent message looks like one of the following:

   • hot pics this week http://quicknews.**********/hot.jpg :x

   • never click into the links like something in this image http://quicknews.**********/dontclick.jpg
     :-S !!!

   • ;) 1 of my vacation pictures http://quicknews.**********/vacation2.jpg <:-P

   • Do you realize who is in this image: http://quicknews.**********/who.jpg . Just think for a moment and tell me soon ;))

   • My pics http://quicknews.**********/mypics.jpg b-( <<

   • :D who is beside you in this pic http://quicknews.**********/friendpic1.jpg so good-looking

   • Miss World 2006: http://quicknews.**********/MissWorld.jpg !!


The received messages may look like the following:



 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Friday, March 30, 2007
Description updated by Andrei Gherman on Friday, March 30, 2007

Back . . . .