It creates the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Task Manager = "%Windows%\system\svchost32.exe"
Svchost = "%Windows%\system\svhost.exe"
This worm creates the following keys and entries to modify the settings of Yahoo! Messenger:
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
content url = "http://{BLOCKED}coolpics.net"
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast
content url = "http://{BLOCKED}coolpics.net"
It also creates the following entries to disable Registry Editor and Task Manager:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001"
DisableTaskMgr = "dword:00000001"
It also hides the Run option in the Start Menu by adding the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun = "1"
Moreover, it prevents users from manually changing the Internet Explorer home page back to their preferred setting by creating the following registry entry:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
Homepage = "1"
It also changes the Internet Explorer home page by modifying the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Start Page = "http://{BLOCKED}coolpics.net"
(Note: The default value for the said registry entry is user-defined.)
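As an added example that is not part of the advisory, the following Python parses a Windows .reg export and reports which of the registry changes listed above are present. The export text is constructed, the helper names are this example's own, and matching on a path suffix (because %Windows% is expanded on a real system) and on the sanitised domain string shown in the advisory are assumptions.

```python
import re
# Registry changes documented in the advisory, as (key, value name, regex on the data as
# a .reg export renders it); path suffixes are used because %Windows% is expanded on disk.
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
INDICATORS = [
    (RUN, "Task Manager", r"\\system\\svchost32\.exe$"),
    (RUN, "Svchost", r"\\system\\svhost\.exe$"),
    (POL + r"\System", "DisableRegistryTools", r"^dword:00000001$"),
    (POL + r"\System", "DisableTaskMgr", r"^dword:00000001$"),
    (POL + r"\Explorer", "NoRun", r"^(dword:00000001|1)$"),
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel",
     "Homepage", r"^(dword:00000001|1)$"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page", r"coolpics\.net"),
]
def parse_reg(text):
    """Parse a .reg export into {key: {value name: data}}; keys and names are lower-cased
    for case-insensitive lookup, quoted string data is unescaped, other types kept as-is."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.group(1).lower(), m.group(2)
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                keys[current][name] = data
    return keys

def find_indicators(text):
    """Return the (key, value name) pairs from INDICATORS that are present in the export."""
    parsed, hits = parse_reg(text), []
    for key, name, pattern in INDICATORS:
        data = parsed.get(key.lower(), {}).get(name.lower())
        if data is not None and re.search(pattern, data, re.IGNORECASE):
            hits.append((key, name))
    return hits

# Constructed sample export: one Run entry and both policy values present, Svchost absent.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Task Manager"="C:\\WINDOWS\\system\\svchost32.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
'''
```

On a live system the same check applies to the output of `reg export` for the hives above.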
Propagation via Instant Messaging Applications
This worm propagates via Yahoo! Messenger and Windows Live Messenger or Windows Messenger by sending an instant message to all the contacts of the active user. The message contains a link to a remote copy of the worm; when the recipient clicks the link, the copy is executed on the recipient's system.
The message it sends out has the following details:
• :( the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
• :D who is beside you in this pic http://{BLOCKED}coolpics.net/friendpic1.jpg so good-looking
• ;) 1 of my vacation pictures http://{BLOCKED}coolpics.net/vacation1.jpg < :-P
• ;) 1 of my vacation pictures http://{BLOCKED}coolpics.net/vacation2.jpg <:-P
• Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon ;))
• hot pics this week http://{BLOCKED}coolpics.net/hot.jpg :x
• Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg << :(
• Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !!
• never click into the links like something in this image http://{BLOCKED}coolpics.net/dontclick.jpg #:-S !!!
• oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<
• Screenshot of new windows version _ Windows Vista http://{BLOCKED}coolpics.net/vista.jpg so cool :D
This worm also replaces the status of the affected user with any of the abovementioned messages.
Download Routine
This worm is also capable of downloading and executing files from the following URLs:
* http://{BLOCKED}sourceinteractive.com/portal/media/en.exe
* http://{BLOCKED}sourceinteractive.com/portal/media/link-en.exe
* http://{BLOCKED}coolpics.net/dontclick.jpg
* http://{BLOCKED}coolpics.net/error.jpg
* http://{BLOCKED}coolpics.net/friendpic1.jpg
* http://{BLOCKED}coolpics.net/hot.jpg
* http://{BLOCKED}coolpics.net/Iraqwar.jpg
* http://{BLOCKED}coolpics.net/MissWorld.jpg
* http://{BLOCKED}coolpics.net/mylottery.jpg
* http://{BLOCKED}coolpics.net/vacation1.jpg
* http://{BLOCKED}coolpics.net/vacation2.jpg
* http://{BLOCKED}coolpics.net/vista.jpg
* http://{BLOCKED}coolpics.net/who.jpg
The downloaded files are saved as follows:
* en.exe – component also detected by Trend Micro as WORM_SOHANAD.AF
* link-en.exe – copy of this worm
Process Termination
This worm terminates the following processes, most of which are components of other malware, while some are related to security programs:
* Anti-Trojan.exe
* ANTS.exe
* apvxdwin.exe
* ATCON.exe
* ATUPDATER.exe
* ATWATCH.exe
* AUPDATE.exe
* AUTODOWN.exe
* AUTOTRACE.exe
* AUTOUPDATE.exe
* Avconsol.exe
* AVP.exe
* AVP32.exe
* avpcc.exe
* avpm.exe
* AVPUPD.exe
* Avsynmgr.exe
* AVWUPD32.exe
* AVXQUAR.exe
* bdmcon.exe
* bdnews.exe
* bdoesrv.exe
* bdss.exe
* bkav2006.exe
* CMGrdian.exe
* drwebupw.exe
* GUARD.exe
* iamapp.exe
* iamserv.exe
* ICLOAD95.exe
* ICLOADNT.exe
* ICMON.exe
* ICSSUPPNT.exe
* ICSUPP95.exe
* ICSUPPNT.exe
* LUCOMSERVER.exe
* MCAGENT.exe
* mcupdate.exe
* MINILOG.exe
* MOOLIVE.exe
* NAVAPW32.exe
* NMAIN.exe
* NPROTECT.exe
* NSCHED32.exe
* NUPGRADE.exe
* regedit.exe
* regedt32.exe
* rtvscan.exe
* RuLaunch.exe
* svhost32.exe
* Vshwin32.exe
* vsserv.exe
* VsStat.exe
* zatutor.exe
* zonealarm.exe
Affected Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003 with Yahoo! Messenger and Windows Live Messenger/Windows Messenger installed.
source: