January 19, 2011

WORM_SOHANAD.MY

This worm propagates via network shares, instant messaging applications and removable drives, and copies itself to every available physical drive. It may be downloaded from remote sites by other malware, or downloaded unknowingly by a user visiting malicious websites. It drops copies of itself and sets the attributes of the dropped files to hidden and read-only.

It has the following effects:

  • It creates registry entries to enable its automatic execution at every system startup:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo Messengger = "{install path}\gphone.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell = "Explorer.exe gphone.exe"
    (The Winlogon Shell value normally contains only "Explorer.exe"; appending gphone.exe makes Winlogon start the worm with every interactive logon, independently of the Run key.)
  • It uses the Windows Task Scheduler to create a scheduled task that executes the dropped copy every day at 9:00 AM:
    %Windows%\Tasks\At{job number}.job
  • It modifies registry entries to keep its hidden, read-only files out of sight: NofolderOptions removes the Folder Options dialog, so the user cannot switch on the display of hidden and system files, and DisableRegistryTools blocks the Registry Editor:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NofolderOptions = "1" (default value being blank)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools = "1"
  • It creates the following registry key(s)/entry(ies) as part of its installation routine:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
    shared = "\New Folder.exe"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    AtTaskMaxHours = "0"
  • It deletes the following registry entries (the BkavFw entry belongs to the Bkav antivirus, which the worm also kills, see the process list below):
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    IEProtection = ""
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    BkavFw = ""
  • It sends messages that contain a link pointing to a remote copy of itself, using certain instant messaging applications.
  • It drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed. The said .INF file contains certain strings.
  • It drops files named gphone.exe in C:\windows\system32 on Windows XP, and in C:\users\desktop and the temp folder on Windows Vista and Windows 7.
  • It terminates certain processes, if found running in memory (listed below).
  • It modifies the Internet Explorer home page and search page to point to a certain Web site.
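The registry entries above are the quickest way to confirm an infection from a registry export taken off the box (for example the output of reg export). As an added example that is not part of the original write-up, the Python script below parses .reg text and reports every SOHANAD.MY indicator it finds. The key paths and value names are the ones listed above; the two .reg exports it scans are constructed inline to mirror an infected and a clean machine and are not real captures, and the rule descriptions are my own wording.

```python
"""Scan a Windows .reg export for the WORM_SOHANAD.MY registry indicators.

Added example: the .reg text below is constructed to mirror the write-up,
not captured from an infected host.
"""
import re

RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POL_EXPLORER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POL_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CRAWLER = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares"
SCHEDULE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"

# Each rule: (key, value name or None for "any value", predicate on decoded data, finding)
RULES = [
    (RUN_HKCU, None, lambda d: "gphone.exe" in d.lower(), "autostart entry launches gphone.exe"),
    (WINLOGON, "Shell", lambda d: d.strip().lower() != "explorer.exe", "Winlogon Shell is not plain Explorer.exe"),
    (POL_EXPLORER, "NofolderOptions", lambda d: d == "1", "Folder Options hidden from the user"),
    (POL_SYSTEM, "DisableRegistryTools", lambda d: d == "1", "Registry Editor disabled"),
    (CRAWLER, "shared", lambda d: d.lower().endswith(".exe"), "executable staged for network-share spreading"),
    (SCHEDULE, "AtTaskMaxHours", lambda d: d == "0", "no runtime limit on AT jobs"),
]

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files write backslashes and quotes inside string data as \\ and \"
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Normalise REG_SZ and REG_DWORD data to a plain string for comparison."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data  # hex(...) and other types are left verbatim


def parse_reg(text):
    """Parse .reg export text into {key path (lower-cased): {value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2))
            keys[current][name] = _decode(m.group(3))
    return keys


def scan(text):
    """Return (key, value name, data, finding) for every rule that fires on the export."""
    keys, hits = parse_reg(text), []
    for key, wanted, check, finding in RULES:
        for name, data in keys.get(key.lower(), {}).items():
            if wanted is not None and name.lower() != wanted.lower():
                continue
            if check(data):
                hits.append((key, name, data, finding))
    return hits


# Constructed export mirroring the entries in the write-up (not a real capture).
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\gphone.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe gphone.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shared"="\\New Folder.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
"""

# Constructed export of a clean machine for comparison.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000048
"""

if __name__ == "__main__":
    for key, name, data, finding in scan(INFECTED_REG):
        print(f"{finding}: {key}\\{name} = {data!r}")
```

The Winlogon rule deliberately flags any Shell value other than exactly "Explorer.exe" rather than looking for gphone.exe by name, since a renamed dropper would otherwise slip past; the same approach (compare against the known-good default, not the known-bad sample) applies to the AtTaskMaxHours and policy values.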
When it spreads through instant messaging applications, it first checks whether the user's PC has Yahoo! Messenger installed; if it does not, the worm downloads the Messenger installer from the legitimate Yahoo site. The messages it then sends contain one of the following texts:

  • Now search your google in a HYBRID\DYNAMIC way
    http://{BLOCKED}009.googlepages.com/google.html
  • Hey what are you doing Please test my new webcam using private application
    http://{BLOCKED}009.googlepages.com/google.html
  • The wisest mind has something yet to learn
    http://{BLOCKED}lgo.googlepages.com
  • Hey Please help me to test my new cam application
    http://{BLOCKED}009.googlepages.com/google.html
  • ok thats fine
  • Waiting for you, view my private cam via secured connection
    http://{BLOCKED}009.googlepages.com/google.html 

This worm terminates the following process(es), if found running in memory:
  • Bkav2006
  • cmd.exe
  • game_y.exe
  • Registry
  • System Configuration
  • Windows Task 
