Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:WORM/Sohanad.T.6
Date discovered:18/06/2010
Type:Worm
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:376.832 Bytes
MD5 checksum:f3a2e84cd82d61b6c06d8c89c230c246
IVDF version:6.39.00.29 - Monday, June 18, 2007

 General Methods of propagation:
   • Autorun feature
   • Local network
   • Messenger


Aliases:
   •  Kaspersky: Trojan-Downloader.Win32.AutoIt.aa
   •  TrendMicro: Mal_SHND-4
   •  Microsoft: Worm:Win32/Nuqel.I
   •  VirusBuster: Trojan.DL.AutoIt.DO
   •  Fortinet: W32/Sohanad.T!worm.im


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\SSVICHOSST.exe
   • %WINDIR%\SSVICHOSST.exe
   • %drive%\SSVICHOSST.exe
   • %drive%\New Folder.exe



The following files are created:

%SYSDIR%\autorun.ini This is a non malicious text file with the following content:
   • %code that runs malware%

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%WINDIR%\Tasks\At1.job File is a scheduled task that runs the malware at predefined times.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Yahoo Messengger"="%SYSDIR%\SSVICHOSST.exe"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   • "Shell"="Explorer.exe SSVICHOSST.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   • "NofolderOptions"=dword:00000001



The following registry key is changed:

Disable Regedit and Task Manager:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableTaskMgr"=dword:00000000
   • "DisableRegistryTools"=dword:00000000
   New value:
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001

 Messenger – Yahoo Messenger
All online contacts in the contact list.


Message
The sent message looks like one of the following:

   • E may, vao day coi co con nho nay ngon lam http://nhatquanglan1.****.com

   • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? http://nhatquanglan1.****.com


The received message may look like the following:


 Network Infection  It drops a copy of itself to the following network share:
   • %all shared folders%\New Folder.exe

 Backdoor Contact server:
The following:
   • nhatquanglan3.****.com


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Irina Diaconescu on Thursday, November 4, 2010
Description updated by Irina Diaconescu on Tuesday, November 9, 2010

Back . . . .