Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:20/02/2008
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:No
File size:~320.000 Bytes
IVDF version:

 General Method of propagation:
   • Messenger

   •  Kaspersky:
   •  F-Secure:
   •  Sophos: W32/SillyFDC-AE
   •  Eset: Win32/Hakaglan.G worm
   •  Bitdefender: Win32.Worm.Sohanad.NBL

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a file
   • Downloads files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\blastclnnn.exe

The following files are created:

– Non malicious file:
   • %SYSDIR%\setting.ini

%SYSDIR%\autrun.ini This is a non malicious text file with the following content:
   • [Autorun]
     Shellexe cute=SCVVHSOT.exe

It tries to download a file:

– The locations are the following:
At the time of writing this file was not online for further investigation.

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Yahoo Messengger="%SYSDIR%\SCVVHSOT.exe"

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
   • AtTaskMaxHours=dword:00000000

The following registry keys are changed:

Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Old value:
   • DisableTaskMgr=%user defined settings%
   • DisableRegistryTools=%user defined settings%
   New value:
   • DisableTaskMgr=dword:00000001
   • DisableRegistryTools=dword:00000001

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   Old value:
   • NofolderOptions=%user defined settings%
   New value:
   • NofolderOptions=dword:00000001

 Messenger It is spreading via Messenger. The characteristics are described below:

– Yahoo Messenger

All entries in the contact list.

 File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • UPX

Description inserted by Alexander Neth on Friday, June 20, 2008
Description updated by Andrei Gherman on Monday, June 23, 2008

Back . . . .