WORM_SOHANAD.AF

Posted on 25 November 2006 by sm

It creates the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Task Manager = “%Windows%\system\svchost32.exe”
Svchost = “%Windows%\system\svhost.exe”

This worm creates the following keys and entries to modify the settings of Yahoo! Messenger:

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
content url = “http://{BLOCKED}coolpics.net”

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
content url = “http://{BLOCKED}coolpics.net”

It also creates the following entries to disable Registry Editor and Task Manager:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = “dword:00000001”
DisableTaskMgr = “dword:00000001”

It also hides the Run option in the Start Menu by adding the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun = “1”

Moreover, it prevents users from manually modifying the home page back to the preferred setting by creating the following registry entry:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage = “1”

It also changes the Internet Explorer home page by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = “http://{BLOCKED}coolpics.net”

(Note: The default value for the said registry entry is user-defined.)
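As an added defender's check (not part of the original description), the following Python script parses an offline `reg export` dump and flags the registry entries listed above. The sample dump is constructed, the parser handles only the quoted-string and dword forms that appear here, and it assumes the dropped copies sit under a path ending in `\system\svchost32.exe` or `\system\svhost.exe` (the `%Windows%` placeholder expanded).

```python
import re
# WORM_SOHANAD.AF registry footprint from the description above: key-path suffix -> {value name: data regex}
INDICATORS = {
    r"\Windows\CurrentVersion\Run": {"Task Manager": r"\\system\\svchost32\.exe$", "Svchost": r"\\system\\svhost\.exe$"},
    r"\CurrentVersion\Policies\System": {"DisableRegistryTools": r"^dword:0*1$", "DisableTaskMgr": r"^dword:0*1$"},
    r"\CurrentVersion\Policies\Explorer": {"NoRun": r"^1$"},
    r"\Internet Explorer\Control Panel": {"Homepage": r"^1$"},
    r"\Internet Explorer\Main": {"Start Page": r"coolpics\.net"},
    r"\Yahoo\pager\View\YMSGR_buzz": {"content url": r"coolpics\.net"},
    r"\Yahoo\pager\View\YMSGR_Launchcast": {"content url": r"coolpics\.net"},
}

def parse_reg_export(text):
    """Parse 'reg export' text into {key path: {lower-cased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: drop quotes, unescape '\\'
                data = data[1:-1].replace("\\\\", "\\")
            current[name.lower()] = data  # dword:/hex: data is kept literally
    return keys

def find_sohanad_indicators(text):
    """Return (key path, value name, data) for every entry matching the worm's footprint."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for suffix, wanted in INDICATORS.items():
            if key.lower().endswith(suffix.lower()):
                for name, pattern in wanted.items():
                    data = values.get(name.lower())
                    if data is not None and re.search(pattern, data, re.I):
                        hits.append((key, name, data))
    return hits

# Constructed sample of a 'reg export' dump from an infected profile (not taken from the page).
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://{BLOCKED}coolpics.net"
"""
```

Running `find_sohanad_indicators(SAMPLE_EXPORT)` reports the Run value, the DisableTaskMgr policy and the hijacked Start Page, while the benign ctfmon.exe entry and the DisableRegistryTools value set to 0 are ignored.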

Propagation via Instant Messaging Applications
This worm propagates via Yahoo! Messenger, Windows Live Messenger, and Windows Messenger by sending an instant message to all contacts of the active user. The message contains a link to a remote copy of the worm; when the recipient clicks the link, the copy is executed on the recipient’s system.
The message it sends out has the following details:

• :( the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
• :D who is beside you in this pic http://{BLOCKED}coolpics.net/friendpic1.jpg so good-looking
• ;) 1 of my vacation pictures http://{BLOCKED}coolpics.net/vacation1.jpg < :-P
• ;) 1 of my vacation pictures http://{BLOCKED}coolpics.net/vacation2.jpg <:-P
• Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon ;))
• hot pics this week http://{BLOCKED}coolpics.net/hot.jpg :x
• Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg << :(
• Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !!
• never click into the links like something in this image http://{BLOCKED}coolpics.net/dontclick.jpg #:-S !!!
• oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<
• Screenshot of new windows version _ Windows Vista http://{BLOCKED}coolpics.net/vista.jpg so cool :D

This worm also replaces the status message of the affected user with any of the above-mentioned messages.

Download Routine

This worm is also capable of downloading and executing files from the following URLs:

* http://{BLOCKED}sourceinteractive.com/portal/media/en.exe
* http://{BLOCKED}sourceinteractive.com/portal/media/link-en.exe
* http://{BLOCKED}coolpics.net/dontclick.jpg
* http://{BLOCKED}coolpics.net/error.jpg
* http://{BLOCKED}coolpics.net/friendpic1.jpg
* http://{BLOCKED}coolpics.net/hot.jpg
* http://{BLOCKED}coolpics.net/Iraqwar.jpg
* http://{BLOCKED}coolpics.net/MissWorld.jpg
* http://{BLOCKED}coolpics.net/mylottery.jpg
* http://{BLOCKED}coolpics.net/vacation1.jpg
* http://{BLOCKED}coolpics.net/vacation2.jpg
* http://{BLOCKED}coolpics.net/vista.jpg
* http://{BLOCKED}coolpics.net/who.jpg

The downloaded files are saved as follows:

* en.exe – component also detected by Trend Micro as WORM_SOHANAD.AF
* link-en.exe – copy of this worm

Process Termination

This worm terminates the following processes, most of which are components of other malware, while some are related to security programs:

* Anti-Trojan.exe
* ANTS.exe
* apvxdwin.exe
* ATCON.exe
* ATUPDATER.exe
* ATWATCH.exe
* AUPDATE.exe
* AUTODOWN.exe
* AUTOTRACE.exe
* AUTOUPDATE.exe
* Avconsol.exe
* AVP.exe
* AVP32.exe
* avpcc.exe
* avpm.exe
* AVPUPD.exe
* Avsynmgr.exe
* AVWUPD32.exe
* AVXQUAR.exe
* bdmcon.exe
* bdnews.exe
* bdoesrv.exe
* bdss.exe
* bkav2006.exe
* CMGrdian.exe
* drwebupw.exe
* GUARD.exe
* iamapp.exe
* iamserv.exe
* ICLOAD95.exe
* ICLOADNT.exe
* ICMON.exe
* ICSSUPPNT.exe
* ICSUPP95.exe
* ICSUPPNT.exe
* LUCOMSERVER.exe
* MCAGENT.exe
* mcupdate.exe
* MINILOG.exe
* MOOLIVE.exe
* NAVAPW32.exe
* NMAIN.exe
* NPROTECT.exe
* NSCHED32.exe
* NUPGRADE.exe
* regedit.exe
* regedt32.exe
* rtvscan.exe
* RuLaunch.exe
* svhost32.exe
* Vshwin32.exe
* vsserv.exe
* VsStat.exe
* zatutor.exe
* zonealarm.exe

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003 with Yahoo! Messenger and Windows Live Messenger/Windows Messenger installed.
