Virus: Worm/Sohanad.S
Date discovered: 01/09/2008
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 315.905 Bytes
MD5 checksum: 37091432f5e73c8f0E407c10a0b0b84f
VDF version: 7.00.06.99
IVDF version: 7.00.06.100 - Monday, September 1, 2008
General
Method of propagation:
• Messenger
Aliases:
• Symantec: W32.Svich
• Kaspersky: Trojan-Downloader.Win32.AutoIt.aa
• TrendMicro: WORM_SOHANAD.EI
• F-Secure: Trojan-Downloader.Win32.AutoIt.aa
• Sophos: W32/Sohana-Y
• Panda: W32/Sohanat.BY.worm
• Eset: Win32/Hakaglan.C
• Bitdefender: Trojan.Downloader.Autoit.V
Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Downloads files
• Lowers security settings
• Registry modification

Files
It copies itself to the following locations:
• %SYSDIR%\SSCVIIHOST.exe
• %WINDIR%\SSCVIIHOST.exe
• %SYSDIR%\blastclnnn.exe
The following files are created:
– Non malicious file:
  • %SYSDIR%\setting.ini
– %WINDIR%\Tasks\At1.job
  File is a scheduled task that runs the malware at predefined times.
– %SYSDIR%\autorun.ini
  Further investigation pointed out that this file is malware, too. Detected as: TR/Autorun.A.2
It tries to download some files:
– The location is the following:
  • setting3.**********
  At the time of writing this file was not online for further investigation.
– The location is the following:
  • http://www.freewebs.com/se**********
  At the time of writing this file was not online for further investigation.
Registry
The following registry key is added in order to run the process after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • Yahoo Messengger="%SYSDIR%\SSCVIIHOST.exe"
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\ControlSet001\Services\Schedule]
  • AtTaskMaxHours=dword:00000000
The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  New value:
  • NofolderOptions=dword:00000001
Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  New value:
  • DisableTaskMgr=dword:00000001
  • DisableRegistryTools=dword:00000001
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Old value:
  • "Shell"="Explorer.exe"
  New value:
  • Shell="Explorer.exe SSCVIIHOST.exe"

Messenger
It spreads via Messenger. The characteristics are described below:
– Yahoo Messenger
  To: All entries in the contact list.
  The received message may look like the following:

File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX
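The registry changes listed above (the Run entry, the Policies\System and Policies\Explorer tamper values, and the appended Winlogon Shell program) are what a responder would check for on a suspect host. The following script is an added example, not code from the page's vendor or from the description above: it parses a regedit-style .reg export offline and reports those indicators. The .reg text is constructed for the example and is not a capture from an infected machine. The Shell check generalizes beyond this sample: it flags any program appended to the Winlogon Shell value, not only SSCVIIHOST.exe, because that hijack works the same way for any added name.

```python
"""Offline triage of a regedit .reg export for the persistence and
tamper indicators listed in the Worm/Sohanad.S description (added example)."""
import re

# Constructed sample export, NOT captured from a real host.  Layout follows
# regedit's "Windows Registry Editor Version 5.00" text format.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SSCVIIHOST.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SSCVIIHOST.exe"
"""

# Constructed clean export used as a negative control ("UpdateChecker" is a
# hypothetical, benign Run entry).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"UpdateChecker"="C:\\Program Files\\UpdateChecker\\uc.exe /background"
"""

HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
               "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# Keys from the description, in the normalized (abbreviated hive, lowercase) form
RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run"
POLICY_SYSTEM = "hkcu\\software\\microsoft\\windows\\currentversion\\policies\\system"
POLICY_EXPLORER = "hkcu\\software\\microsoft\\windows\\currentversion\\policies\\explorer"
WINLOGON = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon"
DROPPED_NAMES = ("sscviihost.exe", "blastclnnn.exe")  # file names from the description


def _normalize_key(key):
    """'HKEY_CURRENT_USER\\Software\\...' -> 'hkcu\\software\\...'."""
    hive, sep, rest = key.partition("\\")
    return (HIVE_ABBREV.get(hive.upper(), hive.upper()) + sep + rest).lower()


def _decode_data(raw):
    """dword:XXXXXXXX -> int; "quoted" -> str with \\ and \" unescaped; else raw text."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw  # hex(...) blobs are kept as literal text (continuation lines not joined)


def parse_reg_export(text):
    """Return {(normalized_key, lowercase_value_name): data} for a .reg export."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = _normalize_key(m.group(1))
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""  # "@" is the default value
            values[(current, name.lower())] = _decode_data(m.group(3))
    return values


def scan_for_sohanad(values):
    """Return human-readable findings for the indicators in the description."""
    findings = []
    for (key, name), data in values.items():
        if key == RUN_KEY and isinstance(data, str) and any(d in data.lower() for d in DROPPED_NAMES):
            findings.append(f"Run entry '{name}' launches dropped file: {data}")
    for name in ("disabletaskmgr", "disableregistrytools"):
        if values.get((POLICY_SYSTEM, name)) == 1:
            findings.append(f"{name} set to 1 under Policies\\System")
    if values.get((POLICY_EXPLORER, "nofolderoptions")) == 1:
        findings.append("NoFolderOptions set to 1 under Policies\\Explorer")
    shell = values.get((WINLOGON, "shell"))
    if isinstance(shell, str):
        # A healthy Shell value is exactly Explorer.exe; anything else appended is a hijack.
        extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
        if extra:
            findings.append(f"Winlogon Shell carries extra program(s): {' '.join(extra)}")
    return findings


if __name__ == "__main__":
    for label, text in (("infected sample", SAMPLE_REG), ("clean sample", CLEAN_REG)):
        print(f"== {label} ==")
        for finding in scan_for_sohanad(parse_reg_export(text)) or ["no indicators"]:
            print(" -", finding)
```

Exports produced by regedit are UTF-16 with a BOM, so read them with that encoding before passing the text in; hex(...) values that regedit wraps across lines with a trailing backslash are not joined by this parser, which is fine here because every indicator in the description is a string or dword.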
Description inserted by Alexandru Dinu on Tuesday, September 9, 2008 Description updated by Alexandru Dinu on Tuesday, September 9, 2008