Full description

Virus:	DR/Sohanad.T.2
Date discovered:	06/05/2007
Type:	Worm
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low to medium
Damage Potential:	Low to medium
Static file:	Yes
File size:	239.905 Bytes
MD5 checksum:	790Ddc293c8f45ec337292cb57a3ee41
VDF version:	6.38.01.94
IVDF version:	6.38.01.98 - Sunday, May 6, 2007

General Method of propagation:
   • No own spreading routine

Aliases:
   • Mcafee: W32/YahLover.worm
   • TrendMicro: WORM_SOHANAD.BO
   • Bitdefender: Worm.IM.Agent.G

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads malicious files
   • Drops a malicious file
   • Registry modification

Files It copies itself to the following locations:
   • %SYSDIR%\SSVICHOSST.exe
   • %WINDIR%\SSVICHOSST.exe
   • %network shares%\SSVICHOSST.exe
   • %network shares%\%all subdirectories%\%all subdirectories%.exe

The following file is created:

– %WINDIR%\Tasks\At1.job File is a scheduled task that runs the malware at predefined times.
– %SYSDIR%\autorun.ini

It tries to download a file:

– The locations are the following:
   • http://nhatquanglan3.t35.com/**********
   • http://nhatquanglan4.t35.com/**********
It is saved on the local hard drive under: %SYSDIR%\setting.ini This file may contain further download locations and might serve as source for new threats.

Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Yahoo Messengger="%SYSDIR%\SSVICHOSST.exe"

The following registry key is added:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   WorkgroupCrawler\Shares]
   • shared="\New Folder.exe"

The following registry keys are changed:

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   New value:
   • DisableTaskMgr=dword:00000001
   • DisableRegistryTools=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • NofolderOptions=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • Shell="Explorer.exe SSVICHOSST.exe"

– [HKLM\SYSTEM\ControlSet001\Services\Schedule]
   New value:
   • AtTaskMaxHours=dword:00000000

Network Infection In order to ensure its propagation the malware attemps to connect to other machines as described below.

It drops a copy of itself to the following network share:
• IPC$

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX

Description inserted by Alexandru Dinu on Wednesday, October 3, 2007
Description updated by Alexandru Dinu on Wednesday, October 17, 2007

Back . . . .