| Property | Value |
| --- | --- |
| Malware name | Worm.Sohanad.BM |
| Type | Worm |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | CDA8CA0C3811CDB6F59924C2F2CD738C |
| Static file | yes |
| Filesize | 268,800 Bytes |
| Alias names (also known as) | Sophos: Mal/Generic-A; McAfee: W32/Yahlover.worm.gen.c |
| Side effects | Downloads files; drops a file; lowers security settings; registry modification |
| Propagation | Local network |
Description:
Files
It copies itself to the following locations:
• %SYSDIR%\RVHOST.exe
• %WINDIR%\RVHOST.exe
The following file is created:
– %WINDIR%\Tasks\At1.job
This file is a scheduled task that runs the malware at predefined times.
It tries to download a file:
– The location is the following:
• http://nhatquanglan2.0catch.com/**********
It is saved on the local hard drive under: %SYSDIR%\setting.ini
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• Yahoo Messengger="%SYSDIR%\RVHOST.exe"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• Shell="Explorer.exe RVHOST.exe"
The following registry keys are added:
– [HKLM\SYSTEM\ControlSet001\Services\Schedule]
• AtTaskMaxHours=dword:00000000
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
• shared="%all shared folders%\New Folder.exe"
The following registry keys are changed:
Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Old value:
• NofolderOptions=%user defined settings%
New value:
• NofolderOptions=dword:00000001
Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
Old value:
• DisableTaskMgr=%user defined settings%
• DisableRegistryTools=%user defined settings%
New value:
• DisableTaskMgr=dword:00000001
• DisableRegistryTools=dword:00000001
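The file and registry indicators listed in the Files and Registry sections above can be checked on a host with the PowerShell script below. This is an added example written for this description, not code from the original report or from any vendor; it is read-only (it reports findings and changes nothing), resolves %SYSDIR% and %WINDIR% through the standard environment variables, and the function name and output format are my own choices.

```powershell
# Added example, not part of the original report: read-only host check for the
# Worm.Sohanad.BM indicators described above. Paths and registry names are
# taken from the report; the function name and output wording are assumptions.
function Test-SohanadIndicators {
    $findings = @()
    $sysDir = Join-Path $env:SystemRoot 'System32'   # %SYSDIR%
    $winDir = $env:SystemRoot                        # %WINDIR%

    # 1. Dropped copies, downloaded config and the scheduled task (Files section)
    $paths = @(
        (Join-Path $sysDir 'RVHOST.exe'),
        (Join-Path $winDir 'RVHOST.exe'),
        (Join-Path $sysDir 'setting.ini'),
        (Join-Path $winDir 'Tasks\At1.job')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
            $findings += "File present: $p (MD5 $md5)"
        }
    }

    # 2. Autostart entries: Run value and the Winlogon Shell hijack
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.'Yahoo Messengger') {
        $findings += "Run value 'Yahoo Messengger' = $($run.'Yahoo Messengger')"
    }
    $wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue).Shell
    # A clean system has Shell = explorer.exe; anything appended after it is suspect
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    }

    # 3. Policy values the worm sets to 1 (registry value names are case-insensitive)
    $policies = @{
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NofolderOptions')
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableTaskMgr', 'DisableRegistryTools')
    }
    foreach ($key in $policies.Keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $policies[$key]) {
            if ($props -and $props.$name -eq 1) { $findings += "$key\$name = 1" }
        }
    }

    # 4. Share-spreading marker and the scheduler setting the worm adds
    $crawler = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
    $shared = (Get-ItemProperty -Path $crawler -ErrorAction SilentlyContinue).shared
    if ($shared -and $shared -like '*New Folder.exe') {
        $findings += "WorkgroupCrawler share entry: $shared"
    }
    $sched = 'HKLM:\SYSTEM\ControlSet001\Services\Schedule'
    $atMax = (Get-ItemProperty -Path $sched -ErrorAction SilentlyContinue).AtTaskMaxHours
    if ($null -ne $atMax -and $atMax -eq 0) {
        $findings += "$sched\AtTaskMaxHours = 0"
    }

    return $findings
}

$hits = Test-SohanadIndicators
if ($hits.Count -eq 0) {
    Write-Output 'No Worm.Sohanad.BM indicators found.'
} else {
    Write-Output "Indicators found ($($hits.Count)):"
    $hits | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated session so the HKLM keys are readable. A hit on the Winlogon Shell or Run value alone justifies isolating the host, since those are the entries that relaunch RVHOST.exe after reboot; the policy values only confirm the "lowers security settings" side effect and should be reset only after the binaries and the At1.job task have been removed.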
Messenger
It spreads via instant messaging. The characteristics are described below:
– Yahoo Messenger
To: All entries in the contact list.
Message: The sent message looks like one of the following:
• E may, vao day coi co con nho nay ngon lam http://nhattruongquang.**********.com
• Vao day nghe bai nay di ban http://nhattruongquang.**********.com
• Biet tin gi chua, vao day coi di http://nhattruongquang.**********.com
• Trang Web nay coi cung hay, vao coi thu di http://nhattruongquang.**********.com
• Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? http://nhattruongquang.**********.com
• Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... http://nhattruongquang.**********.com
• Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... http://nhattruongquang.**********.com
• Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... http://nhattruongquang.**********.com
• Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...http://nhattruongquang.**********.com
The received message may look like the following:
Network Infection
In order to ensure its propagation, the malware attempts to connect to other machines as described below.
It drops a copy of itself to the following network share:
• %all shared folders%\New Folder.exe