WORM_SOHANAD.ACD

This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It disables Task Manager, Registry Editor, and Folder Options.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It modifies the user's Internet Explorer home page into a certain website. This action allows the malware to point to a website which may contain malware, putting the affected computer at greater risk of malware infection.

Arrival Details

This worm arrives via removable drives.

It may arrive via network shares.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Google Talk (Spam Message)
• Yahoo Messenger (Spam Message)

Installation

This worm drops the following copies of itself into the affected system:

• %System%\system3_.exe
• %Windows%\system3_.exe
• %Desktop%\system3_.exe
• %User Temp%\system3_.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.. %Windows% is the Windows folder, which is usually C:\Windows.. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\Desktop on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

It drops the following non-malicious files:

• C:\install.txt - marker for dropping copies
• C:\disks.txt - marker for removable/network propagation
• %User Temp%\log_{timestamp}.txt - Malware Logs

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Yahoo Messengger = "%System%\system3_.exe"

It modifies the following registry entries to ensure it automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe system3_.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\Schedule
AtTaskMaxHours = "0"

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NofolderOptions = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
BkavFw =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
IEProtection =

Propagation

This worm drops the following copy(ies) of itself in all removable drives:

• New Folder.exe

It uses the following file names for the copies it drops into shared networks:

• New Folder.exe

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[Autorun]
Shellexecute = New Folder.exe
Shell\Open\command = New Folder.exe
Shell = Open

It sends copies of itself to target recipients using the following instant-messaging (IM) applications:

• Yahoo Messenger
• Google Talk

It sends the following messages using the aforementioned Instant Messaging applications:

I LOVE YOUUUUUUUUUUUUU from screensaver http://{BLOCKED}gle.0catch.com/love.scr see more in URL
golden lovers rose screen saver from http://{BLOCKED}gle.0catch.com/love.scr and see more from URL
happy valentine day screen saver and beautiful screen saver from lovers http://{BLOCKED}gle.0catch.com/love.scr and URL
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and get new tips and tricks for lovers URL
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and get new tips and tricks from URL
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and view secrets from private cam BIN
happy valentine day screen saver from http://{BLOCKED}gle.0catch.com/love.scr and view secrets from private cam BIN
rose is always red ,see in http://{BLOCKED}gle.0catch.com/love.scr screen saver from URL

Web Browser Home Page and Search Page Modification

This worm modifies the user's Internet Explorer home page to the following websites:

• http://www.{BLOCKED}gle.blogspot.com
• http://www.{BLOCKED}orld.50webs.com

Download Routine

This worm connects to the following website(s) to download and execute a malicious file:

• http://h1.{BLOCKED}y.com/{db00000 - db00050}

It connects to the following URL(s) to download its configuration file:

• http://h1.{BLOCKED}y.com/{sdb0000 - sdb00050}/setting.ini

Other Details

This worm terminates itself if windows or classes contain any of the following string(s):

• game_y.exe
• cmd.exe
• Registry
• Windows Task
• System Configuration

NOTES:

It modifies Firefox's homepage to the following website:

• http://www.{BLOCKED}gle.blogspot.com
• http://www.{BLOCKED}mworld.50webs.com

It downloads and installs a Yahoo Messenger from the following link when not installed on affected system:

• http://rd.software.yahoo.com/msgr/8/msgr8us.exe

It removes system restore points to prevent users from reverting back to clean restore point.