ALIASES:

Nuqel, AutoIt, Imaut, YahLover, Autorun

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via network shares, Propagates via removable drives, Propagates via instant messaging applications

SOHANAD malware has been around since 2006. Its first variant used instant messaging applications to spread to other computers. Later versions incorporated network share propagation and spreading via removable drives.

This family of worms is written in AutoIt, a freeware scripting language for Windows. The script is compiled into a Win32 executable with the Aut2Exe tool, and that executable is the malware's final build.

SOHANAD malware disables the Registry Editor and the Windows Task Manager upon execution. It also modifies the affected user's browser homepage and terminates certain processes. It can also update itself frequently: it downloads a configuration component that contains a list of URLs from which SOHANAD may download an updated copy of itself.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Downloads files, Connects to URLs/IPs, Terminates processes

Installation

This worm drops the following files:

  • %System%\28463\svchost.001
  • %System%\28463\svchost.002
  • %System%\28463\svchost.exe
  • %System%\autorun.ini
  • %System%\dotnetfx.dll
  • %System%\setting.ini
  • %System%\setup.ini
  • %User Temp%\aut1.tmp
  • %User Temp%\aut2.tmp
  • %User Temp%\log_{Time stamp}.tx
  • %Windows%\Tasks\At1.job
  • {drive letter}\autorun.inf

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It drops the following copies of itself into the affected system:

  • %System%\gphone.exe
  • %System%\regsvr.exe
  • %System%\svchost .exe
  • %Windows%\gphone.exe
  • %Windows%\regsvr.exe
  • {drive letter}\gphone.exe
  • {drive letter}\New Folder .exe
  • {drive letter}\New Folder.exe
  • {drive letter}\regsvr.exe
  • {drive letter}\{foldername}.exe
  • {shared folder}\New Folder .exe
  • {shared folder}\regsvr.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following folders:

  • %System%\28463

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Yahoo Messengger = "%System%\gphone.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Msn Messsenger = "%System%\regsvr.exe"

It modifies the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Shell = "Explorer.exe gphone.exe"

(Note: The default value data of the said registry entry is Explorer.exe.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
WorkgroupCrawler\Shares
shared = "\{host name}\{shared folder}\New Folder .exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
WorkgroupCrawler\Shares
shared = "\New Folder.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings
GlobalUserOffline = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Schedule
AtTaskMaxHours = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
DotNetRecovery
@ = "A"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NofolderOptions = "0"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NofolderOptions = "1"

It deletes the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
IEProtection = {blank}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
BkavFw = {blank}
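The Installation, Autostart Technique and Other System Modifications sections above amount to a checklist a responder can test a host against: the misspelt Run values, the Winlogon Shell value that should read only "Explorer.exe", the policy values that disable Task Manager and the Registry Editor, the DotNetRecovery marker key, the %System%\28463 staging folder, the look-alike file names with a space before ".exe", autorun.inf on a drive root and the At1.job task. The script below is an added example and not Trend Micro's code; it parses a regedit-style .reg export and a list of file paths (both constructed here, the input formats and the tag names are this example's own choice) and reports which of those indicators are present. The space-before-.exe check generalises the two such names the entry lists ("svchost .exe", "New Folder .exe") to any file named that way.

```python
"""Triage helpers for the SOHANAD artefacts listed in this entry (added example)."""
import re
from pathlib import PureWindowsPath

# Registry indicators from the Autostart Technique / Other System Modifications sections.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"Yahoo Messengger", "Msn Messsenger"}  # misspelt by the worm itself
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DOTNET_MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DotNetRecovery"

# File indicators from the Installation section.
DROP_NAMES = {"gphone.exe", "regsvr.exe", "svchost .exe", "New Folder.exe", "New Folder .exe"}
STAGING_DIR = "28463"  # %System%\28463


def _unescape(s):
    # Undo .reg escaping: a backslash-escaped backslash or quote becomes the bare character.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a regedit export into {key_path: {value_name: value_as_string}}.

    Handles REG_SZ ("...") and dword: values, which is all the entry needs.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m is None or current is None:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.lower().startswith("dword:"):
            value = str(int(raw[6:], 16))
        else:
            value = raw
        keys[current][name] = value
    return keys


def check_registry(keys):
    """Return (tag, detail) findings for the persistence and policy changes above."""
    findings = []
    run = keys.get(RUN_KEY, {})
    for name in sorted(RUN_VALUE_NAMES & set(run)):
        findings.append(("run_value", f"{name} = {run[name]}"))
    shell = keys.get(WINLOGON_KEY, {}).get("Shell")
    # The entry notes the default is "Explorer.exe"; the worm appends gphone.exe to it.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))
    pol = keys.get(POLICY_SYSTEM_KEY, {})
    for name in ("DisableTaskMgr", "DisableRegistryTools"):
        if pol.get(name) == "1":
            findings.append(("policy", name))
    if keys.get(POLICY_EXPLORER_KEY, {}).get("NofolderOptions") == "1":
        findings.append(("policy", "NofolderOptions"))
    if "@" in keys.get(DOTNET_MARKER_KEY, {}):
        findings.append(("marker_key", DOTNET_MARKER_KEY))
    return findings


def check_paths(paths):
    """Return (tag, path) findings for dropped-file names and locations."""
    findings = []
    drop_lower = {n.lower() for n in DROP_NAMES}
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name
        if STAGING_DIR in wp.parts[:-1]:
            findings.append(("staging_dir", p))
        if name.lower() in drop_lower:
            findings.append(("dropped_name", p))
        elif re.fullmatch(r".*\s\.exe", name, re.IGNORECASE):
            # A space before .exe makes the file read like a system binary or a folder.
            findings.append(("space_before_ext", p))
        elif name.lower() == "autorun.inf" and len(wp.parts) == 2:
            findings.append(("root_autorun", p))  # {drive letter}\autorun.inf
        elif name.lower() == "at1.job" and wp.parent.name.lower() == "tasks":
            findings.append(("at_job", p))  # %Windows%\Tasks\At1.job
    return findings


# Constructed sample input, not taken from a real host (.reg escaping doubles backslashes).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\gphone.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe gphone.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DotNetRecovery]
@="A"
'''

SAMPLE_PATHS = [  # constructed
    r"C:\WINDOWS\system32\28463\svchost.exe",
    r"C:\WINDOWS\system32\svchost .exe",
    r"C:\WINDOWS\system32\svchost.exe",  # the real service host: no finding
    r"E:\autorun.inf",
    r"E:\New Folder .exe",
    r"E:\Photos .exe",
    r"C:\WINDOWS\Tasks\At1.job",
]

if __name__ == "__main__":
    for tag, detail in check_registry(parse_reg_export(SAMPLE_REG)) + check_paths(SAMPLE_PATHS):
        print(f"{tag:18} {detail}")
```

On a live host the same checks map onto `reg export` output and a file listing of %System%, %Windows%\Tasks and each drive root; the Winlogon Shell check in particular should be read against the entry's note that the default value is Explorer.exe, so any extra token after it is worth a look.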

Other Details

This worm connects to the following possibly malicious URLs:

  • http://{BLOCKED}yoga.googlepages.com/setting.ini
  • http://{BLOCKED}lgo.googlepages.com/setting.ini
  • http://h1.{BLOCKED}y.com/poojasharma1/setting.ini
  • http://h1.{BLOCKED}y.com/poojasharma2/setting.ini
  • http://{BLOCKED}o.com/setting.doc
  • http://{BLOCKED}o.com/setting.xls
  • http://{BLOCKED}9.googlepages.com/google.html
  • http://{BLOCKED}emotion.googlepages.com/setting.ini
  • http://{BLOCKED}atecam.googlepages.com/setting.ini
  • http://www.{BLOCKED}o.com/setting.doc
  • http://www.{BLOCKED}o.com/setting.xls
  • http://{BLOCKED}o.com/setting.doc
  • http://{BLOCKED}o.com/setting.xls