WORM_SOHANAD.MY

This is a worm that spreads Propagates via network shares, instant messaging applications,  via removable drives and copies itself in all available physical drives. This worm may be downloaded from remote sites by other malware and It drops copies of itself and sets the attributes of its dropped files to hidden and read-only.  It may be downloaded unknowingly by a user when visiting malicious Websites and that also spreads via removable drives.

It has many effects :

• It creates registry entries to enable its automatic execution at every system start up HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • Yahoo Messengger = "{install path}\gphone.exe" 
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Shell = "Explorer.exe gphone.exe"

• It uses Windows Task Scheduler to create a scheduled task that executes the dropped copy %Windows%\Tasks\At{job number}.job - every day 9:00 AM

• It modifies registry entries to hide files with both System and Read-only attributes

         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                   NofolderOptions = "1"  (default value being blank)         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
                   DisableRegistryTools = "1"

• It creates registry key(s)/entry(ies) as part of its installation routine HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
            shared = "\New Folder.exe"   

         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
                    AtTaskMaxHours = "0" .

• It deletes registry keys/entries
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IEProtection = ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  BkavFw = "" 
  
  
• It sends messages that contain a link pointing to a remote copy of itself, using certain instant messaging applications.
• It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said .INF file contains certain strings: 

1. It drops files with the name gphone.exe in C:\windows\system32 in XP, C:\users\desktop and in temp in Vista as well as windows 7.
2. It terminates certain processes, if found running in memory
3. It modifies the Internet Explorer home page to point to a certain Web site. It modifies the Internet Explorer search page to point to a certain Web site.

When it spreads through instant message applications it will have following text after checking if the user's PC has Yahoo messenger or not, if it does not have it will download the file from legitimate Yahoo site:  Now search your google in a HYBRID\DYNAMIC way http://{BLOCKED}009.googlepages.com/google.html Hey what are you doing Please test my new webcam using private application http://{BLOCKED}009.googlepages.com/google.html The wisest mind has something yet to learn http://{BLOCKED}lgo.googlepages.com Hey Please help me to test my new cam application http://{BLOCKED}009.googlepages.com/google.html ok thats fine Waiting for you, view my private cam via secured connection http://{BLOCKED}009.googlepages.com/google.html

This worm terminates the following process(es), if found running in memory: Bkav2006 cmd.exe game_y.exe Registry System Configuration Windows Task

Posted in: PC Support,Technical Support,TechSupp 247,Virus Removal Expert,Worm,WORM_SOHANAD.MY