Malware Information

Malware name: Worm.Sohanad.S
Type: Worm
Affected platform: Win32
Media type: application/executable
MD5 checksum: 7259B1B8205C635BF65049724E0595EF
Static file: yes
Filesize: 548,864 Bytes
Alias names (also known as):
  • Sophos: W32/Sohana-Y
  • McAfee: W32/YahLover.worm.gen
  • CA ETrust: Win32/Nuqel.J
Protection:
  • Webwasher Anti Malware: 7000.6099.x
Side effects
  • Downloads files
  • Lowers security settings
  • Registry modification

Description:

Files

It copies itself to the following locations:
• %SYSDIR%\SSCVIIHOST.exe
• %WINDIR%\SSCVIIHOST.exe
• %SYSDIR%\blastclnnn.exe

The following files are created:

– Non-malicious file:
• %SYSDIR%\setting.ini

– %WINDIR%\Tasks\At1.job: a scheduled task that runs the malware at predefined times.
– %SYSDIR%\autorun.ini: further investigation showed that this file is malware as well, detected as Trojan.Autorun.A.2.

It tries to download files from the following locations:

– The location is the following:
• setting3.**********
At the time of writing this file was not online for further investigation.

– The location is the following:
• http://www.freewebs.com/se**********
At the time of writing this file was not online for further investigation.

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Yahoo Messengger="%SYSDIR%\SSCVIIHOST.exe"

The following registry value is added in order to load the Schedule service after reboot:

– [HKLM\SYSTEM\ControlSet001\Services\Schedule]
• AtTaskMaxHours=dword:00000000

The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• NofolderOptions=dword:00000001

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• DisableTaskMgr=dword:00000001
• DisableRegistryTools=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
New value:
• Shell="Explorer.exe SSCVIIHOST.exe"
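The following read-only check is an added example and is not part of the original description or the vendor's tooling. It looks for the persistence indicators listed in the Files and Registry sections above (the Run value, the appended Winlogon Shell entry, the policy values that disable Task Manager, Regedit and Folder Options, and the dropped files) and reports what it finds without changing anything; the registry paths, value names and file names are taken from the description, and the script assumes it is run in an elevated PowerShell session on the host being examined.

```powershell
# Added example (not part of the original advisory): read-only check for the
# Worm.Sohanad.S persistence indicators listed in the description.
# Assumes an elevated PowerShell session; nothing is modified.

$findings = @()

# 1. Run-key value "Yahoo Messengger" pointing at SSCVIIHOST.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'Yahoo Messengger')) {
    $findings += "Run value 'Yahoo Messengger' = $($run.'Yahoo Messengger')"
}

# 2. Winlogon Shell must be exactly Explorer.exe; the worm appends its own
#    executable so that Winlogon starts it alongside Explorer at logon.
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell.Trim() -ine 'explorer.exe')) {
    $findings += "Winlogon Shell modified: '$shell'"
}

# 3. Policy values the worm sets to 1 to lock the user out of Task Manager,
#    Regedit and the Explorer Folder Options dialog
$policyChecks = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NofolderOptions')
}
foreach ($key in $policyChecks.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $policyChecks[$key]) {
        if ($props -and ($props.$name -eq 1)) {
            $findings += "$key\$name = 1"
        }
    }
}

# 4. Dropped files named in the Files section (%SYSDIR% / %WINDIR% resolved here)
$sys = [Environment]::GetFolderPath('System')
$win = [Environment]::GetFolderPath('Windows')
$paths = @("$sys\SSCVIIHOST.exe", "$win\SSCVIIHOST.exe", "$sys\blastclnnn.exe", "$win\Tasks\At1.job")
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm.Sohanad.S indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The Shell check compares against the expected value rather than searching for the worm's file name, so it also flags other additions to the Winlogon Shell value; a hit there, or any of the policy values set to 1 on a machine where no administrator configured them, warrants a closer look at the host even if the listed files are absent.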

Messenger

It spreads via Messenger. The characteristics are described below:

– Yahoo Messenger

To:
All entries in the contact list.

The received message may look like the following:

File details

Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX